Once SecureDrop is installed on a news organization’s servers, it’s important for the administrator to configure it in a way that provides the greatest protection for sources and journalists, given the unique needs and constraints of the organization.
The deployment section here covers a variety of tasks an administrator might need to perform to successfully deploy SecureDrop, depending on organizational needs and requirements.
Certain topics, such as creating a landing page and onboarding journalists, are universal to all SecureDrop instances. Other topics are optional, and are only needed if they fit in with the organization’s security policies and newsroom workflows.
The deployment tasks generally only need to be performed once. For tasks related to the upkeep and troubleshooting of your SecureDrop instance, we recommend reviewing the maintenance documentation.
Protecting the Security of the System
SecureDrop is only as secure as the environment that surrounds it. To keep sources safe, the news organization’s website, physical space, and dedicated SecureDrop hardware must employ a set of basic security best practices or risk losing any source protection provided by SecureDrop.
Freedom of the Press Foundation eventually plans to list all of those SecureDrop onion URLs that meet the minimum requirements for deployment best practices as “verified” on its website. If your organization cannot follow the minimum guidelines, we cannot recommend your SecureDrop instance as safe to use.
In addition to implementing the following best practices, we strongly recommend that you have a reputable security firm perform a review of your organization’s public website prior to launching an instance of SecureDrop. Upon request, we can help put you in touch with a few security firms if you need more assistance.