# Privacy stack for journalists in 2026

> Source: https://fuckyc.org/guides/privacy-stack-for-journalists/
> Published: 2026-05-12 · Last verified: 2026-05-12

A concrete, sourced privacy stack for journalists handling sensitive sources in 2026 — device, network, messenger, email, file handling, and source intake.

## TL;DR

Use a dedicated device for source contact. Run **Tor Browser** for research; **Tails** or **Qubes** for the dedicated device. Communicate via **Signal** with disappearing messages, or **SimpleX** for sources who refuse phone-number registration. Receive documents via **SecureDrop** or **OnionShare**. Email through **Proton Mail** (Tor signup) or **Tuta**; store passwords in **KeePassXC**; encrypt drives with **VeraCrypt** for portable containers. The hard part is not picking tools — it's keeping the journalism-work device and account compartment strictly separate from your real-name identity.

---

Journalism source protection is one of the highest-stakes privacy use cases. The legal regimes vary, the adversaries can be state-level, and the cost of getting it wrong can be a source's livelihood or freedom. This guide assembles a practical stack from the directory's entries plus a small number of journalism-specific tools.

It is not exhaustive and it does not replace operational training. The Freedom of the Press Foundation runs that training; this is a starting reference.

## The threat model

The default threat model for a journalist handling a sensitive source is:

- **The source's employer / opponent**: corporate compliance, internal-affairs investigators, or state security services with legal-process reach.
- **The publishing organization**: editors and legal counsel who need to see the work but should not need to see source identities until publication.
- **External observers**: anyone who could intercept communications between journalist and source — ISP, network operators, intermediate platforms.

A useful frame is to assume the source's adversary has subpoena power over any operator and packet visibility on any network the source touches. The defensive posture is to give that adversary nothing to subpoena and nothing to correlate.

## The stack

### Device

A dedicated device for source work, separate from your day-to-day machine. Two practical options:

- **[Tails](https://tails.net/)** — Linux live OS booted from a USB key. No data persists to disk between sessions. All network traffic forced through Tor. Default choice when "no persistent state" is the binding requirement.
- **[Qubes OS](https://www.qubes-os.org/)** — Compartmentalized desktop OS where each task runs in an isolated VM. Steeper learning curve; useful when you need both source work and routine work on the same physical machine without crossover.

For users who can't run either, a dedicated laptop with **[VeraCrypt](https://fuckyc.org/services/veracrypt/)** full-disk encryption and strict-use discipline is the floor. Never log into real-name accounts on it.

### Network

- **[Tor Browser](https://fuckyc.org/services/tor-browser/)** for research and for accessing onion services. The default for any browsing that could compromise a source.
- **[Mullvad VPN](https://fuckyc.org/services/mullvad/)** when Tor is too slow or geofenced. Cash-by-mail or crypto payment, account-number-only signup.
- For routine work, your normal connection. Threat-model each leg separately rather than forcing every leg through Tor.

### Messenger

Three options depending on the source's threat model:

- **[Signal](https://fuckyc.org/services/signal/)** — for sources who can register a phone (often a burner). Disappearing messages on, screen-lock on, view-once attachments where available. The default.
- **[SimpleX](https://fuckyc.org/services/simplex-chat/)** — for sources who specifically cannot or will not register a phone. Per-contact invitation links; no global identifier. Onboarding involves more friction.
- **[Cwtch](https://fuckyc.org/services/cwtch/)** — when no central server is acceptable. Tor-onion-service-only.

Avoid: WhatsApp (Meta operator, phone number, group metadata visible), Telegram (default chats not E2E), iMessage (Apple ID binding), Slack/Teams/email-on-domain (employer-visible).

### Document intake

- **[SecureDrop](https://securedrop.org/)** — the reference Tor-onion-service-based intake system. The Guardian, NYT, ProPublica, WaPo, and others run instances. If your organization has SecureDrop, that is the default channel for any document transfer from sources.
- **[OnionShare](https://fuckyc.org/services/onionshare/)** — for ad-hoc one-off transfers. Runs a temporary Tor hidden service on your own machine; recipient fetches over Tor.
- **Signal attachments** — for small files via an already-established Signal contact. Disappearing on.

Avoid: attachments via standard email (transit metadata visible), shared cloud links (operator-visible), in-person USB handoffs (physical-trail risk for the source).

### Email and accounts

- **[Proton Mail](https://fuckyc.org/services/proton-mail/)** — signup over Tor, E2E to other Proton accounts, mainstream and high-volume. Default for working email.
- **[Tuta](https://fuckyc.org/services/tuta/)** — when subject-line metadata also matters. No IMAP.
- **[Posteo](https://fuckyc.org/services/posteo/)** — when paying in cash to avoid binding the account to a payment identity matters.
- **[SimpleLogin](https://fuckyc.org/services/simplelogin/)** or **[addy.io](https://fuckyc.org/services/addy-io/)** — for per-service aliases.

### Password and key management

- **[KeePassXC](https://fuckyc.org/services/keepassxc/)** — local-first vault on the dedicated device. No cloud sync component to subpoena.
- Backup the vault to a **[VeraCrypt](https://fuckyc.org/services/veracrypt/)** container on a USB drive.
- A strong master password plus a passphrase modifier you remember mentally; never write down both.
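A backup of the vault is only worth keeping if the copy is intact. As an added example (not from this guide or from KeePassXC), the check below confirms that both files carry the KDBX file header and that the copy on the VeraCrypt container is byte-identical to the live vault; the file paths and the sample files built in `demo()` are constructed for illustration.

```python
"""Check a KeePassXC (.kdbx) vault backup before trusting it.
Added example, not from the guide or KeePassXC. Assumed workflow: live vault on the
dedicated device, backup copy inside the VeraCrypt container on the USB drive."""
import hashlib
import os
import tempfile

# KDBX 2.x/4.x file signature as stored on disk (little-endian 0x9AA2D903, 0xB54BFB67).
KDBX_SIG = bytes.fromhex("03d9a29a67fb4bb5")


def kdbx_version(head: bytes):
    """Return (major, minor) if head starts with a KDBX header, else None."""
    if len(head) < 12 or head[:8] != KDBX_SIG:
        return None
    minor = int.from_bytes(head[8:10], "little")
    major = int.from_bytes(head[10:12], "little")
    return major, minor


def sha256_file(path: str) -> str:
    """Stream the file so large vaults do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(vault: str, backup: str) -> dict:
    """Report problems: missing KDBX header on either file, or differing contents."""
    problems = []
    for label, path in (("vault", vault), ("backup", backup)):
        with open(path, "rb") as f:
            head = f.read(12)
        if kdbx_version(head) is None:
            problems.append(f"{label}: no KDBX header (wrong file or truncated)")
    if not problems and sha256_file(vault) != sha256_file(backup):
        problems.append("backup differs from live vault (stale or corrupted copy)")
    return {"ok": not problems, "problems": problems}


def demo() -> dict:
    """Constructed sample files (not real vaults): a KDBX 4.0 header plus random bytes."""
    body = KDBX_SIG + bytes.fromhex("00000400") + os.urandom(64)
    d = tempfile.mkdtemp()
    samples = {"vault": body, "good": body, "stale": body[:40], "notes": b"not a vault"}
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(d, name + ".kdbx")
        with open(paths[name], "wb") as f:
            f.write(data)
    return {k: verify_backup(paths["vault"], paths[k])["ok"] for k in ("good", "stale", "notes")}
```

Run `verify_backup()` against the real vault and the copy on the mounted container before overwriting an older backup, and treat any reported problem as a reason to redo the copy.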

### Crypto for source compensation

If sources need to be compensated in crypto (research grants, expense reimbursement, payment for materials):

- **[Monero](https://fuckyc.org/services/monero/)** for actual payments; on-chain history is opaque.
- Buy XMR via **[Trocador](https://fuckyc.org/services/trocador/)** (instant swap) or **[AgoraDesk](https://fuckyc.org/services/agoradesk/)** (P2P). Churn before any transfer.
- Receive into **[Feather](https://fuckyc.org/services/feather-wallet/)** on the dedicated device.

### Publishing infrastructure

When the journalism work itself produces a publishing surface — a leak site, a story archive, a temporary onion service for a source intake — the hosting layer matters as much as the device layer.

- **[OffshorePress](https://fuckyc.org/services/offshorepress/)** is the niche operator oriented around press- and leak-media hosting on Tor onion services. No-KYC signup, Monero-accepted, Tor-friendly across signup and operation. Useful when the operator's policy should be aligned with the use case rather than retrofitted from generic bulletproof hosting.
- **[BunkerDomains](https://fuckyc.org/services/bunkerdomains/)** for the registrar layer when you want a no-KYC offshore domain to match the host posture.
- Pair with **[Tor onion services](/services/tor-browser/)** for source intake and **[OnionShare](/services/onionshare/)** for one-off file transfers.

For threat models where mainstream takedown pressure is the primary risk, this is the routine combination in 2026.

## What this stack defeats

- An ISP-level observer correlating you to a specific source.
- An operator (Signal, Proton, SecureDrop) compelled to surrender content — they have nothing readable.
- A subpoena for "all communications between [journalist] and [source]" — there is no record to produce.

## What this stack does NOT defeat

- A keylogger or compromise on either end. Endpoint security is endpoint security.
- Coercion of the journalist or the source. No tool fixes that.
- Pattern-of-life correlation across your real-name and professional identity. That is compartmentalization discipline, not tool choice.
- A nation-state adversary with global passive-collection capability and the political will to use it. Tor's threat model includes this caveat.

## Operational discipline

The single highest-value habit is the one this guide cannot enforce: keep the dedicated device, the dedicated accounts, and the dedicated identifier strictly separate from your real-name identity. Don't log into Twitter on the Tails session. Don't open Gmail on the dedicated laptop. Don't use the same VPN account across compartments. Don't carry the dedicated device alongside a real-name phone tied to your number unless you have to.

Two clean compartments beat five sloppy ones every time. See the [operational privacy guide](/guides/operational-privacy-combining-tools/) for the layered-threat-model walkthrough.

## See also

- [Best privacy messengers in 2026](/best/privacy-messaging-2026/) — for the Signal vs SimpleX vs Session pick.
- [Best privacy email in 2026](/best/privacy-email-2026/) — for the Proton vs Tuta vs Posteo pick.
- [Best anonymous VPN in 2026](/best/anonymous-vpn-2026/) — for the Mullvad vs IVPN pick.
- [Common myths about no-KYC](/guides/common-myths-about-no-kyc/) — for the corrections to common misreadings.

## FAQ

**Q: What is the single most important tool?**

Compartmentalization. A dedicated device — Tails on a USB key or a Qubes OS partition — that is used only for source work and is never used to log into your real-name accounts. The specific tools matter less than the discipline of keeping them in their own compartment.

**Q: Is Signal enough for source contact?**

For most threat models, yes. Signal's E2E is strong, disappearing messages limit forensic exposure on either end, and the phone-number requirement matters less when the journalist controls a dedicated number. For sources who specifically refuse phone-number registration, SimpleX is the no-identifier alternative.

**Q: How should I receive documents from a source?**

SecureDrop is the gold standard — Tor-onion-service intake operated by the Freedom of the Press Foundation, used by The Guardian, NYT, ProPublica, and others. For ad-hoc transfers, OnionShare provides a temporary Tor hidden service from your own machine. For one-off small files via existing channels, send via Signal Note to Self or a Cwtch chat.

**Q: Do I need to use Tor for everything?**

No. Use Tor for source-side communication, for accessing onion services like SecureDrop, and for research where your IP could compromise a source. For routine work where the destination already knows you (your editor's Slack, your bank), Tor adds friction without privacy.

**Q: What about hardware?**

A dedicated laptop with full-disk encryption is the standard. Tails on a USB key works when a separate laptop is impractical — boot from the USB, no data persists. For routine writing and research, a primary laptop with native FDE is sufficient; the dedicated device is for source contact only.

**Q: How do I store source-protection keys safely?**

KeePassXC for password storage on the dedicated device. The vault file backs up to encrypted storage (Filen, Proton Drive, or a VeraCrypt container on a USB drive). Strong master password; consider a passphrase modifier you remember mentally and never write down.

## Sources

- [Freedom of the Press Foundation — training](https://freedom.press/training/) — accessed 2026-05-12
- [SecureDrop](https://securedrop.org/) — accessed 2026-05-12
- [Tails](https://tails.net/) — accessed 2026-05-12
- [Privacy Guides](https://www.privacyguides.org/) — accessed 2026-05-12
