GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
Python Ruby HTML Shell CSS JavaScript Other
branch: develop

Forbid sudo in 0.3 upgrade script

This commit cherry picks *both* commits from #1020 into one commit due
to difficulty in rebasing #1020 on develop.
latest commit 6e82f77367
@garrettr garrettr authored
build Remove obsolete reference to securedrop-grsec package
docs Forbid sudo in 0.3 upgrade script
install_files Make 0.3pre upgrade script idempotent for Ansible
migration_scripts Forbid sudo in 0.3 upgrade script
securedrop Merge pull request #1010 from freedomofpress/check-migration-scripts-…
spec_tests fixes gpg check for ossec server key
tails_files Rename tails_files/upgrade.sh to migration_scripts/0.3/upgrade.sh
.gitignore updates gitignore with spectests gems dir
.ruby-gemset Initial config for install specs using serverspec
.ruby-version Initial config for install specs using serverspec
.travis.yml removed the authd tag from the travis script since it does not exist …
LICENSE Update license from GPL2 to AGPL
README.md Remove trailing period for consistent appearance
Vagrantfile makes digitalocean plugin optional
ansible.cfg for use with vagrant will need to disable host_key_checking. Producti…
changelog.md Version 0.3.2
pip_update.sh Use $VENV consistently throughout
setup.cfg add a pytest-pep8 configuration that currently does not produce pep8 …
snap.rb added snap.rb file which will contain the digital ocean api token for…
update_version.sh Rearrange code related to `dch` for clarity

README.md

SecureDrop

SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.

Technical Summary

SecureDrop is a tool for sources to communicate securely with journalists. The SecureDrop application environment consists of three dedicated computers:

  • Secure Viewing Station: An air-gapped laptop running the Tails operating system from a USB stick that journalists use to decrypt and view submitted documents.
  • Application Server: Ubuntu server running two segmented Tor hidden services. The source connects to the Source Interface, a public-facing Tor hidden service, to send messages and documents to the journalist. The journalist connects to the Document Interface, an authenticated Tor hidden service, to download encrypted documents and respond to sources.
  • Monitor Server: Ubuntu server that monitors the Application Server with OSSEC and sends email alerts.

In addition to these dedicated computers, the journalist will also use his or her normal workstation computer:

  • Journalist Workstation: The every-day laptop that the journalist uses for his or her work. The journalist will use this computer to connect to the Application Server to download encrypted documents that he or she will transfer to the Secure Viewing Station. The Journalist Workstation is also used to respond to sources via the Document Interface.

Depending on the news organization's threat model, it is recommended that journalists always use the Tails operating system on their Journalist Workstation when connecting to the Application Server. Alternatively, the Journalist Workstation can be its own dedicated computer.

These computers should all physically be in your organization's office.

How to Install SecureDrop

See the Installation Guide.

How to Use SecureDrop

How to Contribute to SecureDrop

See the Development Guide.

License

SecureDrop is open source and released under the GNU Affero General Public License v3.

The wordlist we use to generate source passphrases comes from Diceware, and is licensed under Creative Commons Attribution 3.0 Unported thanks to A G Reinhold.