The Raspberry Pi 4b

Onions and raspberries and file sharing

A secure file drop for journalists to get the goods from their sources

This site's contact page now includes a link to a secured way for sources to send me files or text messages privately, securely, and anonymously (if they choose). It's built on software called Onionshare, and hosted on a Raspberry Pi. Once you've sent the message or files, there's no trace of you having done so on the internet. And the files are locally stored on a device I have, not kept or copied somewhere on the cloud. A contact can only access this web form by using the Tor Browser, a privacy-first web browser that helps keep its user's site visits from being tracked or blocked. But with it, you can securely send me something here:
http://entyms3fdn4fyl6lizog6hoztvaqkvv2njmcovslkm55xhahs7nnmiqd.onion

In this post, I'm going to share with you the links and walk-through tutorials to make your own, and a few notes on what I did to set up my own kit along the way. This post is part of a little series on a proof-of-concept, secure workstation for freelance or independent investigative journalists. In the last post, we looked at how to create an unblockable and hidden version of your own website using EOTK, and why you might want to do that for potential sources wanting to reach you. Now here's a more secure and confidential way for people to send you things.

Some background on all of this...

If you just want to get to the tech, skip this and scroll down to "The Goods" below.

So, I really don't like running web forms. They're clunky to set up, introduce security holes in websites, still need to send data some place you have to regularly check, and there's a good chance that you're just turning on a hose of toxic sludge and pointing it at yourself. But what's even worse than those are email accounts. Sharing an email address on a website is basically like ringing the dinner bell for spammers and scams. And I'm not even going to get into the logistics of sharing a contact number. At least you can filter spam and skim junk mail. I've tended to direct any of the unwashed public who may want to ping me for some reason towards reasonably secure end-to-end encrypted apps that look like they're not requiring much user data to run.

As a journalist, you need reliable, secure, and checkable avenues for sources to reach you. Maybe they're sources you know and just need direction, but you need some access points for cold-callers. Attracting a journalistic source is a bit like phishing, though with less sociopathy. A bit less.

Freelancers — particularly those investigating organised crime, state violence, and corporate or government malfeasance — don't often have it as easy as staff journalists at some of the large news outlets, even if these are the same media organisations to whom freelancers are pitching their work. And yet often it's these journalists with the deeper background and expertise to better leverage high-value information on a given topic.

The New York Times or the Guardian have the resources to run their own SecureDrop. Anti-corruption and whistleblower groups could invest in setting up a GlobaLeaks. But as an independent operator, it's likely you don't have your own full-time system administrator to set up, monitor and manage these kinds of things, and you probably didn't get into journalism to be one of those yourself. This is where something small, relatively simple and portable comes in, so today we're going to look at Onionshare, and how to set it up.

The Goods

Okay, let's make stuff. Nothing is new or unique in today's recipe. All the ingredients are easily found, and the directions are also already online. We're not inventing anything new. You don't need to become a full-blown sysadmin. You will need to become a mini sysadmin.

The recipe:
Onionshare is our main ingredient. It's developed and maintained by Micah Lee, the Director of Information Security at The Intercept. You could run Onionshare on your own computer if you want. It works on Windows, Mac and Linux machines. But I'm assuming your writing device might be kind of precious to you. You may not want to leave it open to every random file you receive from a stranger over the internet. We want to compartmentalise our file-obtaining on its own small, isolated and much less expensive device.

So for these goals, we're following Micah's guide, "Running an OnionShare anonymous dropbox on a Raspberry Pi." I've deviated from it in a couple of small ways (which I'll describe below), but it's a good step-by-step tour. Just follow it.

The ingredients:
You don't need the latest one, but to host my Onionshare I got the Raspberry Pi 4 B, with 8GB RAM. Also, I wanted more storage space, so for this I got a 1TB USB stick. I recommend going with a fairly good sized SD card to run the software. I used a Sandisk card with 64GB. There are also little things you will need to make sure you have: all the cables, an SD card reader, an internet-connected router (if that isn't obvious).

Optional:
The walk-through shows you how to do everything from your computer, without typing directly into the Raspberry Pi, but I wanted to set my own password and username and see that things were working before connecting it to the internet router. So if you want to do that, you'll need a monitor, keyboard, mouse and the right cables for your Pi device.

Changing the username as well as the password:
After you set up the SD card with the Ubuntu software, you may not want your username to be "ubuntu." To change this you need to go into your now-formatted SD card, and edit the user-data file on the system-boot partition.

Adding more storage space:
There's a good chance someone could send you more things than your Raspberry Pi's internal space can hold. And while you can SFTP from a remote computer to get files, you may want to actually physically transport them. So I wanted to make Onionshare store files to a USB stick. 

Using the Pi device directly, I used these steps to mount my USB stick and map it to a directory that Onionshare will be able to find to save any files it gets. By default, my USB stick was already formatted as exfat, not vfat, and I didn't want to reformat it. If that's your problem too, here's how to solve it.

I also added a small file called "hello.txt" to my USB stick. This is useful because when you map it to its directory on the Pi, you can go there and quickly see if you've done things right or not. If you have, you'll find the little hello.txt waiting for you.

Using Onionshare optional instructions:
Because I added a different location to receive files, I couldn't just use the default command to start the software. Also, I wanted to give mine its own name to personalise it. Before you launch your Onionshare for use, look at all the options with onionshare-cli -h

So my command ended up looking similar to this:

onionshare-cli --receive --persistent ~/anon-dropbox.session --public --title treacherous.tech --data-dir ../../path_to/media_folder

You can now test your Onionshare by visiting it on the Tor Browser. Send it a file, check you see it when you connect to it via SFTP or SSH, etc.
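
The hello.txt check and the custom --data-dir described above can be combined into a pre-flight test, so that the dropbox never silently writes to the SD card when the USB stick is not mounted. This is an added example, not part of the original walk-through or of the OnionShare project; the function names are hypothetical and the mount point you pass in is whatever absolute path you mapped your stick to.

```shell
#!/bin/sh
# Added example: refuse to start the dropbox unless the USB stick is really mounted.

# Print the filesystem type mounted exactly at directory $1, reading a
# /proc/mounts-style table ($2, default: the live one). Fails if nothing is
# mounted there. Assumes the path has no spaces and no trailing slash.
mount_fstype() {
    awk -v d="$1" '$2 == d { t = $3 } END { if (t == "") exit 1; print t }' \
        "${2:-/proc/self/mounts}"
}

# Return 0 only if $1 is a mounted exFAT/FAT volume that carries the hello.txt
# sentinel and is writable. Each failed check has its own exit code.
preflight() {
    fstype=$(mount_fstype "$1" "$2") || {
        echo "refusing: $1 is not a mount point (USB stick missing?)" >&2
        return 1
    }
    case $fstype in
        # exfat-fuse mounts are listed as "fuseblk"; the kernel driver says "exfat"
        exfat|vfat|fuseblk) ;;
        *) echo "refusing: unexpected filesystem '$fstype' on $1" >&2
           return 2 ;;
    esac
    [ -f "$1/hello.txt" ] || {
        echo "refusing: hello.txt sentinel not found in $1" >&2
        return 3
    }
    [ -w "$1" ] || {
        echo "refusing: $1 is not writable by $(id -un)" >&2
        return 4
    }
}

# Start the receive service with the same options as the command above, but
# only after the checks pass. $1 is the absolute mount point of the stick.
start_dropbox() {
    preflight "$1" || return
    onionshare-cli --receive --persistent ~/anon-dropbox.session --public \
        --title treacherous.tech --data-dir "$1"
}

# Usage (placeholder path): start_dropbox /path_to/media_folder
```
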

So, now that you have a way of getting files, what you will need are some methods and tools for securely checking and handling them. The next post I'll add on this blog will cover that.


Notes:

Further optimising:
I'd like to see how to better customise my Onionshare to show my ownership of it on the page, and incorporate some of the other Onionshare tools, such as a static website maker and chat board, to create a little mini-site that all links together and back to my public site.

Shopping list:
Getting started with a Raspberry Pi isn't quite as simple as it's marketed to be. Some of us have drawers of cables and adaptors and old monitors lying around. Here are all the elements that actually went into this:

  • Laptop (I used a Macbook)
  • Raspberry Pi 4 B, with 8GB RAM
  • USB-C power supply
  • Sandisk SD card with 64GB
  • USB SD card reader to format the SD card on the laptop
  • Ethernet cable
  • Internet router
  • Peripherals for the Raspberry Pi (because I did some things like install python, check for updates, customise the username and password, etc. on the Pi)
    • Monitor (with HDMI connectivity)
    • Micro HDMI cable (if monitor doesn't have one)
    • HDMI adaptors (if your monitor predates HDMI, like mine)
    • USB connecting keyboard
    • USB connecting mouse
  • Optional but recommended: Raspberry pi case (I used the "Official Raspberry Pi 4 Case")
  • Password manager (KeePassXC works well for these things, open source, secure, local)
  • Raspberry Pi imager software (Windows, Mac, Linux options)
  • The Tor Browser (for testing)

This article was updated on 26 June 2021