Interest Article

Migrating SecureDrop’s PGP backend from GnuPG to Sequoia

In the upcoming SecureDrop 2.7.0 release, we’ve made a technical change that will be invisible to users but improve reliability and robustness — and provide better security going forward. SecureDrop relies on the OpenPGP standard for encrypting all data and messages that pass through the server. Historically, we have used GnuPG, or GPG, for this; we are now switching to the newer Sequoia-PGP library implemented in Rust. In this blog post, we’ll give an overview of the encryption in SecureDrop, and explain why and how we switched to Sequoia.

Future directions for SecureDrop

Going forward, new features for SecureDrop will be focused on the Qubes OS-based SecureDrop Workstation. We are also developing a next-generation SecureDrop messaging and encryption protocol. This post discusses the motivations behind these new directions and explains what they mean for SecureDrop users and contributors.

SecureDrop is evolving: We want to hear from you

Help us design the next generation of SecureDrop! We are inviting our users to participate in remote interviews.

Join Us for Aaron Swartz Day 2022

Want to help us improve SecureDrop? Join us November 12-13 at the Aaron Swartz Day and Hackathon, in person in San Francisco, or remotely! The SecureDrop team will be ready to support new and returning contributors.

[Advisory] Bug in codename filtering feature with handling Unicode characters

SecureDrop 2.3.0 introduced a new preference to prevent initial submissions that consist only of a source’s seven word codename. Due to an implementation error, when this feature is active, initial messages containing Unicode characters will result in a server error. We will issue a bugfix release later this month. This preference is …

The SecureDrop Client is ready for translation

We are pleased to announce that we are now accepting community translations for the SecureDrop Client, the graphical application at the heart of the (beta) SecureDrop Workstation, through which journalists can more conveniently and efficiently communicate with sources and securely view their submissions.

Why we are rotating the SecureDrop release key

SecureDrop releases are digitally signed using a release key. This allows anyone to verify the integrity of a SecureDrop release, to mitigate the risk of tampering by third parties. After nearly 5 years in use, as a purely precautionary measure, we are rotating the release key.

Second independent audit of SecureDrop Workstation completed

We are pleased to announce that Trail of Bits has completed the second independent audit of the SecureDrop Workstation, directly funded by The New York Times. This audit, which took place in December 2020 and January 2021, is the result of a two-engineer, six person-weeks effort. The SecureDrop Workstation, based on Qubes OS, is our next-generation platform which allows journalists to safely retrieve, decrypt, open and export anonymous submissions. It is currently being used in a limited pilot, and the first audit of the SecureDrop Workstation was completed in late 2018.