Setting Up the Development Environment


SecureDrop maintains two versions of documentation: stable and latest. stable is the default used by our Read the Docs site, and is built from our latest signed git tag. latest is built from the head of the develop git branch. In almost all cases involving development work, you’ll want to make sure you have the latest version selected by using the menu in the bottom left corner of the Read the Docs site.


SecureDrop is a multi-machine design. To make development and testing easy, we provide a set of virtual environments, each tailored for a specific type of development task. We use Vagrant, VirtualBox, and Docker and our Ansible playbooks can provision these environments on either virtual machines or physical hardware.


SecureDrop is written in Python 2. We plan to migrate to Python 3 in a future release. Please use a Python 3 virtualenv for development, while ensuring that your changes are compatible with both Python 3 and Python 2, to ensure they work in production and CI, both of which use Python 2.7.

Quick Start

The Docker based environment is suitable for developing the web application and updating the documentation.

Ubuntu or Debian GNU/Linux

sudo apt-get update
sudo apt-get install -y make git

We recommend using the stable version of Docker CE (Community Edition) which can be installed via the official documentation links:

Make sure to follow the Post-installation steps for Linux, as well.


Install Docker.


Create a StandaloneVM based on Debian 9, called sd-dev. You can use the Q menu to configure a new VM, or run the following in dom0:

qvm-clone --class StandaloneVM debian-9 sd-dev
qvm-start sd-dev
qvm-sync-appmenus sd-dev

The commands above will created a new StandaloneVM, boot it, then update the Qubes menus with applications within that VM. Open a terminal in sd-dev, and proceed with installing Docker CE for Debian.

Fork & Clone the Repository

Now you are ready to get your own copy of the source code. Visit our repository fork it and clone it on you local machine:

git clone<your_github_username>/securedrop.git

Using the Docker Environment

The Docker based helpers are intended for rapid development on the SecureDrop web application and documentation. They use Docker images that contain all the dependencies required to run the tests, a demo server etc.


When run for the first time, building Docker images will take a few minutes, even one hour when your Internet connection is not fast. If you are unsure about what happens, you can get a more verbose output by setting the environment variable export DOCKER_BUILD_VERBOSE=true.

The SecureDrop repository is bind mounted into the container and files modified in the container are also modified in the repository. This container has no security hardening or monitoring.

To get started, you can try the following:

cd securedrop/securedrop
make dev                                    # run development servers
make test                                   # run tests
bin/dev-shell bin/run-test tests/functional # functional tests only
bin/dev-shell bash                          # shell inside the container

To specify the version of Python you want to use, set the PYTHON_VERSION environmental variable, like so:

PYTHON_VERSION=3 make test    # Run tests on Python 3
PYTHON_VERSION=2 make test    # Run tests on Python 2
PYTHON_VERSION=3 make dev     # Run dev container on Python 3
PYTHON_VERSION=2 make dev     # Run dev container on Python 2


The interactive shell in the container does not run redis, Xvfb etc. However you can import shell helper functions with source bin/dev-deps and call run_xvfb, maybe_create_config_py etc.

SecureDrop consists of two separate web applications (the Source Interface and the Journalist Interface) that run concurrently. In the development environment they are configured to detect code changes and automatically reload whenever a file is saved. They are made available on your host machine by forwarding the following ports:

You should use Tor Browser to test web application changes, see here for instructions.

A test administrator (journalist) and non-admin user (dellsberg) are created by default when running make dev. In addition, sources and submissions are present. The test users have the following credentials. Note that the password and TOTP secret are the same for both accounts for convenience during development.

  • Username: journalist or dellsberg
  • Password: correct horse battery staple profanity oil chewy
  • TOTP secret: JHCO GO7V CER3 EJ4L

If you need to generate the six digit token, use the TOTP secret in combination with an authenticator application that implements RFC 6238, such as FreeOTP (Android and iOS) or oathtool (command line tool, multiple platforms). Instead of typing the TOTP code, you can simply scan the following QR code:


You can also generate the 2FA code using the Python interpreter:

>>> import pyotp
>>> pyotp.TOTP('JHCOGO7VCER3EJ4L').now()

Setting Up a Multi-Machine Environment


You do not need this step if you only plan to work on the web application or the documentation.

To get started, you will need to install Vagrant, VirtualBox, Docker, and Ansible on your development workstation.

Ubuntu or Debian GNU/Linux


Tested on: Ubuntu 16.04 and Debian GNU/Linux stretch

sudo apt-get update
sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev \
    dpkg-dev git linux-headers-$(uname -r) virtualbox

We recommend using the latest stable version of Vagrant, 1.8.5 at the time of this writing, which might be newer than what is in your distro’s package repositories. Older versions of Vagrant has been known to cause problems (GitHub #932, GitHub #1381). If apt-cache policy vagrant says your candidate version is not at least 1.8.5, you should download the current version from the Vagrant Downloads page and then install it.

# If your OS vagrant is recent enough
sudo apt-get install vagrant
# OR this, if you downloaded the deb package.
sudo dpkg -i vagrant.deb


We do not recommend installing vagrant-cachier. It destroys apt’s state unless the VMs are always shut down/rebooted with Vagrant, which conflicts with the tasks in the Ansible playbooks. The instructions in Vagrantfile that would enable vagrant-cachier are currently commented out.

VirtualBox should be at least version 5.x. See GitHub #1381 for documentation of incompatibility with the older VirtualBox 4.x release series.

Finally, install Ansible so it can be used with Vagrant to automatically provision VMs. We recommend installing Ansible from PyPi with pip to ensure you have the latest stable version.

sudo apt-get install python-pip

The version of Ansible recommended to provision SecureDrop VMs may not be the same as the version in your distro’s repos, or may at some point flux out of sync. For this reason, and also just as a good general development practice, we recommend using a Python virtual environment to install Ansible and other development-related tooling. Using virtualenvwrapper:

sudo apt-get install virtualenvwrapper
source /usr/share/virtualenvwrapper/
mkvirtualenv -p /usr/bin/python3 securedrop


You’ll want to add the command to source to your ~/.bashrc (or whatever your default shell configuration file is) so that the command-line utilities virtualenvwrapper provides are automatically available in the future.


Install the dependencies for the development environment:

  1. Vagrant
  2. VirtualBox
  3. Ansible
  4. rsync >= 3.1.0

If you use homebrew-cask to manage macOS apps, you can install Vagrant and VirtualBox that way. As for Ansible, we strongly recommend installing it in a virtual environment using virtualenvwrapper and pip, so as not to install the older version we use system-wide. The following commands assume your default Python is the Python 2 that ships with macOS. If you are using a different version, the path to will differ. Running pip show virtualenvwrapper should help you find it.

sudo easy_install pip # if you don't already have pip
sudo -H pip install -U virtualenvwrapper --ignore-installed six
source /usr/local/bin/
mkvirtualenv -p python securedrop


You’ll want to add the command to source to your ~/.bashrc (or whatever your default shell configuration file is) so that the command-line utilities virtualenvwrapper provides are automatically available in the future.

The version of rsync installed by default on macOS is extremely out-of-date, as is Apple’s custom. We recommend using Homebrew to install a modern version (3.1.0 or greater): brew install rsync.

Fork & Clone the Repository

Now you are ready to get your own copy of the source code. Visit our repository fork it and clone it on you local machine:

git clone<your_github_username>/securedrop.git

Install Python Requirements

SecureDrop uses many third-party open source packages from the python community. Ensure your virtualenv is activated and install the packages.

pip install -r securedrop/requirements/python3/develop-requirements.txt


You will need to run this everytime new packages are added.