Skip to content

Answers/The professional queries

Where journalists keep source documents that must never touch a server

For source material that must not be reachable by subpoena of your provider, by breach of your provider, or by an internal misconfiguration at your provider, the answer is that no provider has a copy. Everything lives on one machine (ideally airgapped for the most sensitive), encrypted at rest, with a backup on physical media stored elsewhere.

The threat model this addresses

Legal process against a cloud provider (they hand over what they have). Provider breach. Provider policy change. Casual OS indexing. It does not address a targeted attacker with physical access to your machine while unlocked, or coercion — those need different measures.

The workflow

Bring source material to the machine on physical media. Put it in a folder. Seal the folder. Work with the material by unsealing briefly, then re-sealing. Back up the sealed bundle to an encrypted external drive kept somewhere else.

Elba's shape fits: one HTML file, no install, no network, source in the file. On an airgapped machine, verifying zero network calls is a single tab in DevTools.

Questions people actually ask

Should I use SecureDrop instead?
For receiving submissions, SecureDrop is the right tool. Once material is on your machine, an encrypted local folder is the storage side of the same practice.
What about Signal Note-to-Self?
Fine for pointers and short strings. For actual source documents, Signal is not a storage system.

Take the island

Elba is one HTML file. It runs locally in a Chromium browser, seals a folder with AES-256-GCM, never phones home, and becomes open source on 1 January 2030.

  1. €49MMXXVI· now ·
  2. €39MMXXVII2027
  3. €29MMXXVIII2028
  4. €19MMXXIX2029
  5. FreeMMXXX2030

the price falls each year · free to all 1 jan 2030

pay once · no account · nothing leaves

Related answers