Digital Security Checklist for Journalists
Published March 2026 · Last updated March 2026
Every journalist needs baseline digital security: a password manager, two-factor authentication, Signal, an encrypted laptop, and an ad blocker. Journalists handling sensitive sources or investigating powerful institutions need more. This checklist is organized by threat level so you can match your security to your actual risk.
Baseline: Every journalist
These five steps block the most common attacks — credential theft, account takeover, network snooping, and malvertising. Set aside one hour.
Password manager with unique passwords everywhere
1Password (free for journalists) or Bitwarden (open-source, free tier). Generate a unique password for every account. Start with email.
Two-factor authentication on every account
Use your password manager's built-in TOTP or a YubiKey hardware key. Avoid SMS-based 2FA — it's vulnerable to SIM-swapping. Prioritize email, cloud storage, and social media accounts.
Signal for sensitive conversations
Signal is end-to-end encrypted, open-source, and independently audited. Enable disappearing messages for source conversations. Use it instead of text messages, WhatsApp, or Telegram for anything sensitive.
Full-disk encryption on your laptop
macOS: FileVault (System Settings → Privacy & Security). Windows: BitLocker (Pro) or VeraCrypt (Home). Linux: LUKS (usually enabled at install). This protects your data if your laptop is lost, stolen, or seized.
uBlock Origin in your browser
Ad networks are a common malware vector. uBlock Origin blocks malicious ads, tracking scripts, and known malware domains. Install it in Firefox or Chrome. It's free, open-source, and doesn't sell data.
Sensitive: Investigative work and confidential sources
If you're working with confidential sources, investigating corporations or governments, or handling leaked documents, add these layers.
Proton Mail for sensitive email
Proton Mail is end-to-end encrypted and based in Switzerland. Use it for source communication that can't go through Signal. Don't use your newsroom Gmail for confidential correspondence.
VPN on untrusted networks and for research
Mullvad VPN keeps no logs, accepts anonymous payment, and has been independently audited. Use it on public Wi-Fi and when researching sensitive topics.
Tor Browser for anonymous research
Tor Browser routes traffic through multiple relays so the destination site can't identify you. Use it when researching subjects who might monitor their own web traffic logs. Slower than a VPN, but provides actual anonymity.
Dangerzone for document sanitization
Dangerzone converts PDFs, Office files, and images into sanitized PDFs inside a sandboxed container. Strips hidden metadata, embedded trackers, and potential malware. Use it on every document you receive from sources.
Encrypted cloud storage
Proton Drive or Tresorit for storing sensitive files. Standard cloud providers (Google Drive, Dropbox) can access your files and comply with government requests.
High-risk: State-level threats and whistleblowers
If you're receiving classified documents, communicating with whistleblowers, or working in countries with state surveillance, these tools address advanced threats.
Tails OS for compartmentalized work
Tails is a live operating system that runs from a USB drive, routes all traffic through Tor, and leaves no trace on the computer. Boot it when handling the most sensitive materials, then shut down — nothing persists.
SecureDrop for receiving anonymous tips
SecureDrop lets sources submit documents and messages without revealing their identity. It's operated by your newsroom on dedicated hardware. Major outlets (The New York Times, The Washington Post, The Guardian) run SecureDrop instances.
Briar for metadata-resistant messaging
Briar connects peer-to-peer via Tor, Wi-Fi, or Bluetooth — no central server, no phone number required. Messages sync only when both devices are online. Designed for activists and journalists under surveillance.
VeraCrypt for encrypted volumes
VeraCrypt creates encrypted containers or encrypts entire drives. It supports hidden volumes — a plausibly deniable encrypted partition inside another encrypted partition. Useful when crossing borders.
Air-gapped machines for the most sensitive work
An air-gapped computer has never connected to the internet. Transfer files via USB drives scanned with Dangerzone. This is how newsrooms handled the Snowden documents. Extreme but effective when the stakes are highest.
Ongoing habits
Tools only work if you use them consistently. Build these habits:
- Update everything. Operating system, browser, apps, password manager. Security patches close known vulnerabilities. Enable automatic updates.
- Lock your screen whenever you step away. macOS: Ctrl+Cmd+Q. Windows: Win+L.
- Review account access quarterly. Remove old OAuth connections, revoke app passwords, check for unfamiliar login sessions.
- Separate identities. Don't use the same accounts for personal life and investigative work. Different browsers, different email addresses, different phone numbers when possible.
- Plan for device seizure. Know what's on your phone and laptop. If border agents or police took your device right now, what would they find? Minimize that surface area.
Frequently asked questions
What's the minimum security every journalist should have?
At minimum: a password manager with unique passwords on every account, two-factor authentication on email and social media, Signal for sensitive conversations, full-disk encryption enabled on your laptop, and an ad blocker like uBlock Origin. This takes about an hour to set up and blocks the most common attack vectors.
Is Signal enough for protecting sources?
Signal is the best default for encrypted messaging, but it's not a complete solution. It requires a phone number (which can identify you), messages exist on both devices (your source's phone is a risk too), and it doesn't protect metadata if your phone is seized. For high-risk sources, consider SecureDrop for initial contact and Briar for situations where even metadata is dangerous.
Do I need a VPN as a journalist?
A VPN prevents your ISP and network operator from seeing which sites you visit. You need one on public Wi-Fi, when researching sensitive topics from identifiable networks, or when working in countries with internet surveillance. Mullvad is our recommendation — it accepts cash payment and keeps no logs. But a VPN does not make you anonymous. For anonymity, use Tor.
Should I use my personal phone for work?
Ideally, no. A separate work phone limits what's exposed if the device is seized or compromised. If you must use one phone, use separate profiles or containers. At minimum, don't store source contacts under real names and enable disappearing messages in Signal.
How do I sanitize documents before sharing them?
Documents contain hidden metadata: author names, edit history, GPS coordinates in photos, printer tracking dots. Use Dangerzone to convert documents to sanitized PDFs before sharing. For photos, use ExifTool to strip metadata. Never share original files received from sources — always sanitize first.
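A check to run on a photo after stripping it, as an added example that is not part of the original checklist: it walks a JPEG's segment headers and lists any EXIF (flagging a GPS pointer), XMP, IPTC or comment blocks that survived. It covers JPEG only; the function names are illustrative and ORIGINAL and STRIPPED are constructed byte strings, not real photos.

```python
import struct

OTHER = {0xED: "IPTC/Photoshop", 0xFE: "comment"}   # APP13 and COM segments
def seg(marker: int, payload: bytes) -> bytes:
    # One JPEG segment: FF, marker, 2-byte big-endian length (counts itself), payload.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def exif_has_gps(payload: bytes) -> bool:
    """True if IFD0 of the EXIF block holds the GPS IFD pointer (tag 0x8825)."""
    tiff = payload[6:]                                   # skip b"Exif\0\0"
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # TIFF byte-order mark
    if endian is None or len(tiff) < 10:
        return False
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    entries = (tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i] for i in range(count))
    return any(len(e) == 12 and struct.unpack(endian + "H", e[:2])[0] == 0x8825
               for e in entries)

def metadata_segments(jpeg: bytes) -> list:
    """List metadata-bearing segments found before the compressed image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):        # SOS (image data follows) or EOI: stop
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment")
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            found.append("EXIF+GPS" if exif_has_gps(body) else "EXIF")
        elif marker == 0xE1 and body.startswith(b"http://ns.adobe.com/xap/1.0/\0"):
            found.append("XMP")
        elif marker in OTHER:
            found.append(OTHER[marker])
        pos += 2 + length
    return found

# Constructed samples (not real photos): one carrying metadata, one stripped.
_EXIF = b"Exif\0\0II*\0" + struct.pack("<IHHHIII", 8, 1, 0x8825, 4, 1, 26, 0)
_TAIL = seg(0xDA, b"\0" * 10) + b"\x12\x34\xff\xd9"
ORIGINAL = b"\xff\xd8" + seg(0xE0, b"JFIF\0") + seg(0xE1, _EXIF) + seg(0xFE, b"desk-7") + _TAIL
STRIPPED = b"\xff\xd8" + seg(0xE0, b"JFIF\0") + _TAIL
```

An empty list from `metadata_segments` means none of these segment types remain; it says nothing about identifying content in the image itself.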
Is my newsroom's IT department enough?
Newsroom IT handles organizational security — network firewalls, email filtering, device management. But they typically don't cover journalist-specific threats like source protection, secure communication with whistleblowers, or operational security during investigations. You need both organizational IT security and personal operational security practices.