SecureDrop Hidden Service Setup for Secure Whistleblower Communications

SecureDrop is the gold standard for anonymous document submission systems used by major news organizations and human rights investigators. It runs entirely within the Tor network as a hidden service, providing strong anonymity guarantees to sources who need to communicate securely with journalists or investigators. This guide covers the technical infrastructure requirements, VPS configuration, and operational security considerations for organizations deploying their own SecureDrop instance.

SecureDrop Architecture Overview

SecureDrop consists of three components: a submission server that hosts the source interface as a hidden service, an admin server that manages the system and hosts the journalist interface as a separate hidden service, and an air-gapped admin workstation used by journalists to access decrypted submissions. The submission and admin servers can run on the same physical machine or on separate VPS instances for additional isolation.

All communication between sources and the system occurs through hidden service addresses. Sources use Tor Browser to visit the submission hidden service and submit documents and messages, and they can return later to check for replies using a codename. Journalists access the admin hidden service only from an air-gapped admin workstation running the Tails operating system, which prevents a compromise of a journalist's device from affecting the confidentiality of sources or submissions.

AnubizHost offshore VPS in Iceland or Romania is appropriate for hosting the server components. Both jurisdictions have strong data protection environments and no mandatory data retention requirements that would force logging of onion service access patterns. The hosting provider sees an anonymously provisioned VPS but cannot access the encrypted submissions stored on it.

Server Hardware and Software Requirements

SecureDrop has specific hardware and software requirements set by Freedom of the Press Foundation, which maintains the project. The recommended configuration for a production deployment requires two physical servers or two VPS instances: one for the application server and one for the monitor server. For small organizations, a single VPS can host both functions, though this reduces isolation between components.

Minimum VPS specifications: 2 vCPU, 4 GB RAM, 40 GB NVMe storage on Ubuntu 22.04 LTS. SecureDrop's installation script handles all dependency installation, Tor configuration, nginx setup, and GPG keyring management automatically. The manual configuration steps in this guide are for understanding the architecture, not for direct execution; use the official SecureDrop installation documentation for production deployments.

The monitor server runs OSSEC intrusion detection and sends alerts about suspicious system events. Configure a SecureDrop-specific email or Jabber address for alerts that is checked regularly by the admin. Alert delivery uses the admin hidden service, not clearnet, so no clearnet email address is required for the monitoring system.

Installation Process Overview

SecureDrop installation follows the official Freedom of the Press Foundation documentation at docs.securedrop.org. The process uses an Ansible-based installation script that configures both the application and monitor servers from a dedicated admin workstation running Tails. Do not attempt to install SecureDrop through an SSH session from your regular computer; the security model requires the Tails-based admin workstation from the beginning.

Key installation steps: provision two VPS instances with Ubuntu 22.04, configure network access between them, set up the Tails admin workstation with the SecureDrop workstation configuration, run the install-securedrop.sh script from the Tails workstation, and verify all components are functioning before publishing the source hidden service address.

After installation, SecureDrop generates two hidden service addresses: one for the source interface that is published to potential sources, and one for the journalist interface that is kept strictly private. The journalist interface address is never published publicly. Only the admin workstation operator knows it.

Operational Security for SecureDrop Admins

The most common SecureDrop operational security failures involve the admin workstation, not the server infrastructure. Always access SecureDrop journalist and admin interfaces exclusively from the dedicated Tails admin workstation. Never access these hidden services from a regular computer, a mobile device, or through any browser other than Tor Browser running on Tails.

Store the admin workstation Tails USB drive in a physically secure location. If the USB drive is lost or compromised, an attacker with the journalist interface onion address and the GPG encryption keys stored on it could potentially access submissions. Maintain an encrypted backup of the admin workstation configuration and keys in a separate secure location controlled by a different person.

Rotate the SecureDrop hidden service keys annually using the official rotation procedure. This changes the onion address, which requires updating all published source submission links. Annual rotation limits the exposure window if keys are compromised without detection. Coordinate key rotation with a press release or announcement to guide sources to the new address.
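
A pre-publication check for text that carries the source address, useful both at first publication and when links are updated after a rotation. This is an added example, not part of this guide or of SecureDrop: it confirms the source address has a valid v3 onion checksum (which catches typos) and that the private journalist address does not appear. The function names and the sample addresses are assumptions made for illustration; the check covers the address format only, not whether the service is reachable.

```python
import base64
import hashlib
import re

ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")

def onion_from_pubkey(pubkey: bytes) -> str:
    """Encode 32 public-key bytes as a v3 onion address (key + checksum + version)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def is_valid_v3_onion(address: str) -> bool:
    """True if the address is well formed and its embedded checksum matches."""
    m = ONION_RE.fullmatch(address.strip().lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())
    if raw[34:] != b"\x03":
        return False
    # Recompute the address from the embedded key; a typo breaks the checksum.
    return onion_from_pubkey(raw[:32]) == m.group(0)

def prepublish_check(page_text, source_addr, private_addrs):
    """Return a list of problems; an empty list means the text can be published."""
    problems = []
    found = {m.group(0) for m in ONION_RE.finditer(page_text.lower())}
    if source_addr not in found:
        problems.append("source address missing from page")
    for addr in sorted(found):
        if addr in private_addrs:
            problems.append(f"private address leaked: {addr}")
        elif not is_valid_v3_onion(addr):
            problems.append(f"bad checksum (typo?): {addr}")
        elif addr != source_addr:
            problems.append(f"unexpected onion address: {addr}")
    return problems

# Constructed sample addresses built from dummy bytes, not real service keys.
SOURCE = onion_from_pubkey(bytes(range(32)))
JOURNALIST = onion_from_pubkey(bytes(range(32, 64)))

if __name__ == "__main__":
    draft = f"Submit at http://{SOURCE}/ (staff: http://{JOURNALIST}/)"
    for problem in prepublish_check(draft, SOURCE, [JOURNALIST]):
        print(problem)
```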
