$ man 7 host-securedrop
[$ ] Hosting SecureDrop affordably — offshore VPS deployment guide
// NAME
host-securedrop-affordably — practical guide for small newsrooms and independent journalists deploying SecureDrop on an offshore VPS. Hardware + jurisdiction requirements, the three-machine topology, hardened deployment, cost reality.
// SYNOPSIS
# single-VPS deployment (small newsroom)
plan tor-2 (xmrhost.io)
region iceland (recommended) or romania
cost ~$42/mo hosting + editorial time
software SecureDrop (Freedom of the Press Foundation)
target 1-3 active journalists, <100 source-messages/week
// CONTEXT
$ man 7 securedrop
SecureDrop is the source-protection intake system maintained by the Freedom of the Press Foundation (FPF). It began as DeadDrop, written by Aaron Swartz with Kevin Poulsen and first deployed as The New Yorker's Strongbox in 2013; FPF took the project over in late 2013 and has maintained it as SecureDrop since. It runs at the New York Times, the Washington Post, the Guardian, Le Monde, Süddeutsche Zeitung and dozens of other outlets listed in FPF's directory at securedrop.org/directory. The codebase is open-source, has been independently audited several times, and is free to deploy.
The SaaS-like pricing some pages quote is misleading: SecureDrop itself is free software, and what a newsroom pays for is hosting plus the operational discipline of running it. This guide covers the hosting side. On offshore infrastructure with strict jurisdictional protections the server side costs a single newsroom roughly $50-80/month; the workstations, the monitor server and the editorial time come on top and are itemised in the budget section.
// THE THREE-MACHINE TOPOLOGY
$ man 7 securedrop-topology
FPF's reference architecture for SecureDrop (FPF's own names in parentheses):
- Source server (Application Server). Reachable only as Tor onion services: a public one for the Source Interface, where sources submit messages and files, and a client-authorised one for the Journalist Interface. Hardened OS, no clearnet listeners, SSH only over its own onion, no general-purpose user accounts. This is what you host at xmrhost.io.
- Journalist workstation and Secure Viewing Station. Both are Tails USB boots on dedicated laptops on newsroom premises. The journalist workstation is networked, over Tor only, and talks to the Journalist Interface to fetch submissions. The Secure Viewing Station is the air-gapped machine: it holds the submission private key, it is the only place submissions are decrypted, and files reach it on removable media. Neither is hosted at xmrhost.io.
- Monitor server (Monitor Server). Runs the OSSEC server and alerts on anomalies reported by the OSSEC agent on the application server. FPF's installer assumes a separate machine and has no single-server mode; on a VPS that means a second, smaller instance, or an unsupported layout that you own yourself.
FPF's published hardware guidance is for physical servers on the newsroom's premises, under its physical control, behind a dedicated firewall; FPF's documentation does not support virtualised or cloud-hosted production deployments. The reason is the threat model: whoever controls the hypervisor can snapshot the guest's memory and disk while it runs, and full-disk encryption does nothing against that. Hosting on a VPS is therefore a conscious deviation, and the jurisdictional choice below is what you lean on in place of physical control. Sizing on xmrhost.io is the provider's, not FPF's: the tor-2 plan ($42/mo, 2 vCPU / 4 GB) covers small newsrooms, since SecureDrop's own load is light; tor-4 ($85/mo, 4 vCPU / 8 GB) buys headroom for OSSEC and upload storage on active intakes (50+ source messages/week).
// JURISDICTION CHOICE
$ compare --region
For SecureDrop specifically the jurisdictional question is about source-protection law plus how quickly a foreign request can be turned into an order against the host. Keep the threat in proportion: SecureDrop stores no source identity, so what a host could be compelled to hand over is the server itself, and a running VPS is exposed to disk and memory snapshots in any jurisdiction. Both xmrhost.io regions work; ranked preference for newsroom deployment:
- Iceland. Source protection is codified in the Media Act (Lög um fjölmiðla nr. 38/2011), whose source-protection provisions were strengthened under the Icelandic Modern Media Initiative (IMMI, a 2010 parliamentary resolution). EEA member but not EU, so one less layer of EU-treaty exposure. Civil-court timeline of 12-18 months to first instance; a slow process favours the defender, since frivolous complaints rarely reach a hearing.
- Romania. Source protection rests on the constitutional free-expression guarantee, Article 10 ECHR as applied in Goodwin v. United Kingdom (1996) and sector-specific media law; the GDPR provision that matters for journalism is the Article 85 journalistic exemption as transposed nationally, not Article 6 legitimate interest. EU member, faster civil-court timeline (8-14 months), lower bandwidth pricing. Suitable when EU-internal latency matters (e.g. a European-audience publication).
Long-form region comparison: /vs/iceland-vs-romania-offshore-jurisdiction.
// DEPLOYMENT OUTLINE
$ man 7 deploy-securedrop
- Order a tor-2 plan at /node/tor-hidden-service/tor-2. Pay in Monero (recommended: it limits what the payment trail reveals about the billing relationship, though the deployment itself is not anonymous, since the newsroom publishes and claims its .onion address). See /guide/buy-vps-with-monero.
- Receive provisioning notification with SSH credentials + initial .onion address for management.
- Install the Ubuntu LTS release SecureDrop currently supports. Check the install docs at docs.securedrop.org before ordering: FPF moves the supported base between LTS releases and the installer targets that release specifically. The xmrhost.io image ships Debian 12 by default; switch it via the management portal. Debian is not a supported SecureDrop target, and FPF does not document running the playbooks against it, so treat any such port as your own unsupported fork.
- Run FPF's installer from the Admin Workstation (a Tails USB on newsroom premises), not on the server. It drives both servers over SSH, so the application server and the monitor server must be reachable from it. Verify the release first: clone https://github.com/freedomofpress/securedrop, check out the latest release tag and verify its signature against FPF's release key (git tag -v), then run ./securedrop-admin setup, ./securedrop-admin sdconfig (site configuration) and ./securedrop-admin install. The playbooks handle the bulk of the configuration.
- Configure the journalist workstation and the Secure Viewing Station on newsroom premises: Tails USB sticks, the Journalist Interface .onion address from the installer plus its client-authorisation key, and the submission key pair generated on the air-gapped Secure Viewing Station (the public half is supplied to the installer, the private half never leaves that machine).
- Publish the source .onion address via the newsroom's regular channels (the website's "Submit a tip" page, signed Mastodon post, PGP-verified contact channels).
- Establish the editorial discipline for handling submissions: who reads them, on what schedule, how attribution and verification are handled. SecureDrop gives you the technical primitive; the discipline is on you.
// The install run takes 30-60 minutes against two clean servers. FPF maintains official documentation at docs.securedrop.org; this guide is the hosting-side context it does not cover.
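A post-install check for the "no clearnet listeners" property of the application server, added here as an example; it is not part of FPF's installer or of xmrhost.io's provisioning. It reads a `ss -tulnpH` listing (the sample embedded below is constructed, with illustrative process names and ports; on a live server feed it `ss -tulnpH`) and reports every socket bound outside loopback. On a correctly configured application server the web server and sshd bind to 127.0.0.1 only, and tor has no inbound listener at all, because onion services only make outbound connections to the Tor network.

```shell
#!/bin/sh
# Added example: audit a listener list for sockets reachable from the clearnet.
# Expected on a SecureDrop application server: everything on 127.0.0.1 / [::1].

# Constructed sample of `ss -tulnpH` output (not captured from a real host).
# Two of the five sockets are deliberately wrong: sshd on 0.0.0.0 and on [::].
SAMPLE=$(cat <<'EOF'
tcp   LISTEN 0      511        127.0.0.1:80         0.0.0.0:*    users:(("apache2",pid=612,fd=4))
tcp   LISTEN 0      511        127.0.0.1:8080       0.0.0.0:*    users:(("apache2",pid=612,fd=6))
tcp   LISTEN 0      4096       127.0.0.1:9050       0.0.0.0:*    users:(("tor",pid=455,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=388,fd=3))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=388,fd=4))
EOF
)

# list_clearnet_listeners
#   Reads an `ss -tulnpH` listing on stdin and prints one line per socket
#   whose local address is not loopback, as "<proto> <local> <process>".
list_clearnet_listeners() {
    awk '
        NF >= 5 {
            local = $5
            # The port follows the last colon; the address is everything before it,
            # which also handles bracketed IPv6 forms such as [::]:22.
            n = split(local, parts, ":")
            addr = substr(local, 1, length(local) - length(parts[n]) - 1)
            # Loopback means 127.0.0.0/8 or IPv6 ::1; anything else is reachable
            # from the network (0.0.0.0, [::], * or a concrete interface address).
            if (addr ~ /^127\./ || addr == "[::1]") next
            proc = "-"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, local, proc
        }'
}

# count_clearnet_listeners LISTING
#   Prints the number of non-loopback listeners in LISTING (passed as a string).
count_clearnet_listeners() {
    printf '%s\n' "$1" | list_clearnet_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | list_clearnet_listeners
echo "clearnet listeners: $(count_clearnet_listeners "$SAMPLE")"
```

Run it on the server after `./securedrop-admin install` completes and again after any OS upgrade: a non-zero count means something has been bound to a real interface, and with SSH over Tor configured that should include sshd itself only on loopback.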
// MONTHLY COST REALITY
$ man 7 budget
| // component | // monthly | // notes |
|---|---|---|
| SecureDrop hosting (tor-2 plan) | $42 | small-to-medium newsroom |
| SecureDrop hosting (tor-4 plan) | $85 | active intake (50+/wk) |
| Journalist workstation laptop | ~$15 amortised | amortise a $500 laptop over 3 years |
| Secure Viewing Station laptop (air-gapped) | ~$15 amortised | second dedicated machine, same amortisation |
| Monitor server (second instance) | $20 | if run separately as FPF's layout assumes; tor-1 is the smallest plan on this page (assumed sufficient) |
| Tails USB sticks (rotate) | ~$2 | 2-3 USBs/year, ~$10 each |
| PGP-key custody hardware (optional) | ~$3 | amortise a YubiKey over 3 years |
| Total infrastructure | ~$62-105 single instance; ~$97-140 with separate monitor + SVS | depending on plan + workstation choices |
// SecureDrop software itself is free. Editorial time dominates the total cost-per-tip but is not infrastructure. The infrastructure budget is within reach of midsize national outlets and independent investigative-journalism nonprofits; what decides whether the deployment is worth it is the editorial commitment, not the hosting bill.
// ALTERNATIVE — HUSH LINE
$ man 7 hush-line
For newsrooms without dedicated technical staff, Hush Line is the simpler alternative. It is a project of Science & Design, Inc., not FPF. Single-server deployment; messages land in a web inbox and are forwarded by e-mail, PGP-encrypted if the journalist has configured a public key; no air-gapped workstation. Trade-off: weaker source-protection guarantees (the journalist reads messages on an ordinary networked machine, and without a PGP key the inbox's confidentiality rests entirely on the server), much simpler ops.
Self-hosting fits on a tor-1 plan ($20/mo), ~$25-30/mo all-in. hushline.app also runs a hosted service, which removes the VPS entirely for solo journalists willing to let a third party operate the inbox. Right choice for solo journalists or small newsrooms that cannot commit to the SecureDrop operational discipline. Documentation at hushline.app.
// FAQ
$ faq host-securedrop
Q. Can a small newsroom afford to host SecureDrop?
A. Yes, for the hosting. SecureDrop on an offshore VPS runs ~$50-80/month for the server side (tor-2 plan at $42/mo, plus a second small instance if you follow FPF's layout and run the monitor server separately). The journalist workstation and the Secure Viewing Station are laptops on newsroom premises, not VPSs: an air-gapped machine cannot be hosted. The dominant cost is editorial time on the source-handling side, not infrastructure, and FPF maintains the software for free.
Q. What's the difference between SecureDrop and Hush Line?
A. SecureDrop is the established system: application and monitor servers, Tails workstations with an air-gapped Secure Viewing Station, Tor onion-service intake, OSSEC monitoring. Heavier deployment, stronger guarantees. Hush Line, from Science & Design, Inc. (not an FPF project), is simpler: a single server, messages delivered to a web inbox and forwarded by e-mail, PGP-encrypted if the journalist has configured a key, no air gap. For newsrooms with technical capacity: SecureDrop. For newsrooms without: Hush Line.
Q. Why host SecureDrop offshore?
A. Source protection is the load-bearing property. An offshore host with no DMCA-§512 equivalent, no general data-retention regime, and an operator that does not log identity-mapping data adds a layer of defence against the simplest legal route to the server: a court order to the host. Keep in mind what such an order can obtain from a VPS, which is the running guest's disk and memory, not just logs, so jurisdiction complements but does not replace FPF's assumption of physical control. Iceland (source protection in the Media Act nr. 38/2011, strengthened under IMMI) and Romania (constitutional free-expression guarantee, Article 10 ECHR case law, the GDPR Article 85 journalistic exemption) are both viable. See /vs/iceland-vs-romania-offshore-jurisdiction.
Q. Can I run SecureDrop on a single VPS or do I need three machines?
A. FPF's layout is two servers, the application server and the monitor server, behind a dedicated firewall, plus Tails workstations on newsroom premises: the Admin Workstation, one or more Journalist Workstations and the air-gapped Secure Viewing Station. On the hosting side that means two instances if you follow FPF's installer, which assumes a separate monitor server and has no single-server mode. Running both roles on one VPS is not a documented option; if you do it you are outside FPF's supported configuration and lose the independent OSSEC vantage point.
Q. What Tor configuration does SecureDrop need?
A. SecureDrop's installer writes its own torrc: v3 onion services only, SOCKS bound to loopback, and nothing that turns the host into a relay (no ORPort, DirPort or exit policy). It sets up three onion services: the public Source Interface, the Journalist Interface and SSH, the latter two restricted with v3 client authorisation so only holders of the matching keys can reach them at all. Client authorisation is per journalist or admin, not per source; the Source Interface must stay open to anyone, since a source has no prior relationship to authenticate with. xmrhost.io's tor-2 plan ships a baseline torrc; the installer replaces it, so do not hand-edit the result.
Q. Does the SecureDrop hidden service expose the offshore host's IP?
A. Not in the normal operating state. An onion service never advertises its IP: the host builds outbound Tor circuits to its introduction points and to the rendezvous point a client names, so the client and the rendezvous relay see only a circuit, not its origin. The IP is visible to the host's upstream carrier, to the hosting provider (who also has hypervisor access to the guest's disk and memory), and to anything that can observe the host's own traffic. Defences: SSH over its own onion rather than a clearnet port, no IP logging at the application layer (SecureDrop's web-server configuration suppresses source IP logging), and full-disk encryption for data at rest, bearing in mind that encryption protects a powered-off disk, not a running guest.
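A torrc audit covering the two FAQ points above (the host must not be a relay, and onion-service traffic must never leave the host in clear), added here as an example; it is not part of SecureDrop's installer, and the torrc files embedded in it are constructed to resemble SecureDrop's layout of three onion services (source interface, journalist interface, SSH) rather than copied from the project, with illustrative paths and ports. It flags relay directives (ORPort, DirPort, ExitRelay 1, BridgeRelay 1, any of which would put the host's IP in the public relay directory), any HiddenServicePort target that is not loopback, and any onion service pinned to the retired v2 format. Client authorisation cannot be checked from torrc, since for v3 it lives in files under each service's authorized_clients directory.

```shell
#!/bin/sh
# Added example: audit a torrc for a SecureDrop-style onion-service host.

# Constructed torrc in the shape of a SecureDrop application server (not the
# project's file). Paths and ports are illustrative.
GOOD_TORRC=$(cat <<'EOF'
SocksPort 127.0.0.1:9050
Log notice syslog
SafeLogging 1
HiddenServiceDir /var/lib/tor/services/source
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/services/journalist
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/services/ssh
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
)

# The same file with three mistakes a hosting-side hand edit can introduce.
# "ExitRelay 0" is harmless (it explicitly disables exiting) and is not flagged.
BAD_TORRC=$(cat <<'EOF'
SocksPort 127.0.0.1:9050
ORPort 9001
ExitRelay 0
HiddenServiceDir /var/lib/tor/services/source
HiddenServiceVersion 2
HiddenServicePort 80 10.0.0.5:80
EOF
)

# audit_torrc TEXT
#   Prints one finding per line for the torrc passed as a string.
#   Comments and blank lines are ignored.
audit_torrc() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        # Relay listeners: ORPort/DirPort with any value other than 0 publish a descriptor.
        ($1 == "ORPort" || $1 == "DirPort") && $2 != "0" {
            print "relay directive present: " $0; next
        }
        ($1 == "ExitRelay" || $1 == "BridgeRelay") && $2 == "1" {
            print "relay directive present: " $0; next
        }
        $1 == "HiddenServiceDir" { dir = $2; next }
        $1 == "HiddenServiceVersion" && $2 != "3" {
            print "onion service " dir " pinned to version " $2 " (only v3 exists)"; next
        }
        $1 == "HiddenServicePort" {
            target = $3
            # unix: targets and a bare port (tor defaults to 127.0.0.1) stay on the host.
            if (target ~ /^unix:/) next
            n = split(target, p, ":")
            addr = (n > 1) ? substr(target, 1, length(target) - length(p[n]) - 1) : ""
            if (addr != "" && addr !~ /^127\./ && addr != "[::1]")
                print "onion service " dir " forwards to non-loopback target " target
            next
        }'
}

# count_torrc_findings TEXT
#   Prints the number of findings for the torrc passed as a string (0 = clean).
count_torrc_findings() {
    audit_torrc "$1" | wc -l | tr -d ' '
}

echo "good torrc: $(count_torrc_findings "$GOOD_TORRC") findings"
audit_torrc "$BAD_TORRC"
echo "bad torrc: $(count_torrc_findings "$BAD_TORRC") findings"
```

On a live server run `audit_torrc "$(cat /etc/tor/torrc)"`; a non-loopback HiddenServicePort target is the finding to act on first, because it means the onion service is proxying to another machine over the clearnet, and with the provider's baseline torrc replaced by the installer the relay checks should stay at zero.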
Q. What's the operational cost beyond the VPS?
A. (1) Source-message handling: editorial time, typically 30-90 min/week for an active intake. (2) Workstation upkeep: Tails upgrades and occasional USB rotation on the journalist workstation and the Secure Viewing Station, plus checking that the air gap is still an air gap (no wireless re-enabled, no stray media). (3) Monthly hosting: ~$42/mo for tor-2, plus a second instance if the monitor server runs separately as FPF's layout assumes. (4) Optional: PGP-key custody hardware. Total hosting is ~$50-80/month as a single instance; editorial time dominates the total cost.
// SEE ALSO
$ ls /usr/share/doc/xmrhost/guide
- /guide/offshore-hosting-for-journalists — broader journalism-hosting guide.
- /playbook/journalism — journalism workload manpage.
- /threat-models#journalism — source-protection threat-model dossier.
- /docs/provision-tor-hidden-service — Tor hidden service setup runbook.
- /node/tor-hidden-service/tor-2 — recommended SecureDrop plan.
- Upstream — docs.securedrop.org, hushline.app, freedom.press.