Last reviewed: Next review due:
When basic precautions are not enough
Signal and a VPN are sufficient for most journalists, most of the time. But sources facing criminal prosecution, whistleblowers in regulated industries, and people in countries with aggressive surveillance capabilities need a more robust approach. Advanced source-protection techniques reduce the risk of technical exposure even when legal protections fail.
For legal protections, see Source Protection Law in the UK (Detailed). For a comparison of everyday tools, see Digital Tools Comparison.
Air-gapped devices
An air-gapped machine has no network connectivity — no Wi-Fi card, no Bluetooth, no Ethernet. It cannot be reached by remote malware or surveillance tools. Use one for: opening untrusted attachments, analysing potentially malicious documents, and storing the most sensitive source material offline.
- ›Buy a dedicated cheap laptop and permanently disable Wi-Fi (physical removal or BIOS-level).
- ›Use a write-once DVD or a verified, clean USB drive to transfer files — never a USB that has touched a networked machine.
- ›Never connect the air-gapped device to power via USB hubs shared with networked devices.
- ›The FPF recommends Tails OS on air-gapped devices for document review.
Hardware security keys (YubiKey)
Hardware security keys implement the FIDO2/WebAuthn standard — you physically touch the key to complete authentication, which cannot be replicated by a remote phishing attack. They are supported by Google, Microsoft, Twitter/X, GitHub, and many other services journalists rely on.
Why hardware keys beat SMS 2FA
SIM-swap attacks can intercept SMS codes. Hardware keys require physical possession — an attacker must steal the device from you.
Which key to buy
YubiKey 5 series covers USB-A, USB-C, and NFC. Buy two: one primary, one backup. Register both with every critical service.
Which accounts to protect first
Email, cloud storage, Twitter/X, Signal registration number, password manager (if supported), and any publications management system.
NCSC guidance
The NCSC recommends hardware security keys as the strongest available 2FA method for accounts holding sensitive information.
Tails OS for source communications
Tails is a live operating system distributed by the Tails Project and recommended by both the Freedom of the Press Foundation and the EFF. Boot it from a USB drive; it routes all traffic through Tor and wipes memory on shutdown. The host machine's storage is never touched.
- 1Download from tails.boum.org only and verify the OpenPGP signature before installation.
- 2Use Tails on a dedicated USB drive (minimum 8GB) — do not use it on the same USB as other files.
- 3When receiving source material, boot Tails on an air-gapped machine and open the files there.
- 4Use the Tails Persistent Storage feature to save your GPG keys — never store keys on a networked machine.
- 5Never suspend (sleep) Tails — shut down fully so memory is wiped.
SecureDrop
SecureDrop is the most widely used whistleblower submission system in newsrooms. Developed by the Freedom of the Press Foundation, it is used by The Guardian, The Times, BBC, Financial Times, and other major UK publishers.
- ›Sources access the .onion address via Tor Browser — ideally from Tails OS on a public network not linked to them.
- ›The newsroom receives submissions on a dedicated, air-gapped server.
- ›Sources receive a unique random codename to check back for journalist responses.
- ›No IP addresses or tracking metadata are logged by SecureDrop.
- ›Newsrooms: contact the FPF for implementation guidance. SecureDrop requires dedicated server infrastructure and security maintenance.
OnionShare
OnionShare is a lighter alternative to SecureDrop for one-off secure file transfers. A journalist runs it on their own machine to generate a temporary .onion address; the source uploads files via Tor Browser. No server infrastructure is required.
Use it for
- ✓One-off document transfers from a known source
- ✓Sharing files with a source without email metadata
- ✓Hosting a simple anonymous chat room
Do not use it for
- ✓Volume whistleblower submissions (use SecureDrop)
- ✓Sources who need to check back repeatedly
- ✓Situations where you cannot run the server on a trusted device
Frequently asked questions
What is an air-gapped device and when do journalists need one?
How does SecureDrop work?
What is OnionShare and how is it different from SecureDrop?
Do I need a hardware security key (YubiKey) as a journalist?
What UK law governs source protection?
Related guides
Primary sources
- FPF — Journalist Guide to Secure Communication— Freedom of the Press Foundation
- SecureDrop — Whistleblower Submission System— Freedom of the Press Foundation
- OnionShare — Secure File Sharing over Tor— OnionShare
- Tails — The Amnesic Incognito Live System— Tails Project
- Tor Project — Anonymity Network— Tor Project
- NCSC — Multi-Factor Authentication— National Cyber Security Centre