File Encryption for Journalists: Protecting Sources & Securing Investigations

Q: How can I encrypt files for a source who isn't tech-savvy?

Use a browser-based tool like Sekura.app. It requires no installation or key generation. You can simply send the source a link, and they can drag, drop, and encrypt files locally in their browser.

Q: Is a password on a Word document the same as encryption?

No. Microsoft Office passwords are not true encryption and can be cracked in minutes. Never rely on them for sensitive source material.

Q: Can I store encrypted files on Google Drive without Google seeing them?

Yes. If you encrypt the file locally on your computer first (client-side encryption), you are uploading a locked vault. The cloud provider can see the file exists, but cannot read the contents.

Q: What happens if border control demands I unlock my laptop?

This is a complex legal area. However, storing encrypted files in the cloud (and deleting them from the local machine before travel) or using hidden volumes is generally safer than carrying sensitive data on a physical drive across borders.

Q: How do I remove metadata from photos?

Use a dedicated scrubbing tool like ExifTool or a 'sanitizer' before encryption to remove GPS coordinates and device details.

In 2024, at least 124 journalists were killed globally—the deadliest year on record for the press (Freedom of the Press Foundation / CNTI). While physical vests and helmets are standard in conflict zones, the modern battlefield has shifted. Today, a journalist’s most vulnerable point isn’t always their location; it’s their data.

For investigative reporters, freelancers, and whistleblowers, digital trails can lead to physical danger. Journalism has migrated from physical notebooks to digital files, meaning a lost USB drive or a compromised cloud account isn’t just an inconvenience. It is a life-or-death risk for the sources who trust you.

File encryption for journalists is no longer an optional technical skill—it is digital PPE (Personal Protective Equipment).

The problem is that most encryption tools are too complex for a fast-paced newsroom or require administrative rights to install—impossible if you’re working from a library computer or an internet cafe. This is where sekura.app bridges the gap. It provides secure, military-grade encryption directly in your browser, works offline, and requires no installation, allowing you to protect your source material on any device, anywhere.

The “Downstream” Danger: Why Encryption Matters

When we talk about digital security, we often focus on the journalist’s reputation. But the real stakes lie with the people who trust us with their stories. According to the Center for News, Technology & Innovation (CNTI), 64% of journalists report their sources face high risks.

If your laptop is seized or your cloud account is breached, you might lose a story. Your source might lose their freedom or their life.

Scenario 1: The Border Crossing

Consider Elena, a freelance investigative journalist. She carries a USB drive containing audio interviews with cartel whistleblowers. While crossing a border checkpoint, her equipment is seized for a “routine inspection.”

Elena had password-protected her files using standard office software. The authorities bypassed this weak protection in minutes, accessed the audio, and identified the voices. The result wasn’t just a confiscated drive; it was the immediate disappearance of her primary source. Had those files been encrypted with a dedicated tool, the drive would have appeared as nothing more than digital noise.

Scenario 2: The Cloud Breach

Marcus, a political reporter in D.C., stores drafts of an exposé on campaign finance on the cloud. He relies on the cloud provider’s security. However, a state-sponsored phishing attack compromises his credentials.

Because Marcus uploaded standard Word documents, the attackers downloaded the unreleased drafts. They leaked them to a rival outlet with altered information to discredit the story before it ran.

The Cost of Negligence

The average data breach now costs organizations $4.88 million (IBM, 2024). But for a media organization or a freelancer, the cost is incalculable. It is the total loss of trust. If you cannot guarantee the anonymity of your source, you cannot function as an investigative journalist.

Read more about the basics of encryption here or learn about the specific risks of cloud storage.

Common Security Mistakes in Newsrooms

Many journalists believe they are taking adequate precautions when, in reality, they are relying on “security theater.” Here are the most common misconceptions that leave newsrooms vulnerable.

Myth 1: “Microsoft Word Password Protection is Enough”

This is the most dangerous myth. The “Encrypt with Password” feature in Microsoft Office is not designed to withstand a dedicated attack. Tools available for free online can crack these passwords in seconds. It provides a false sense of security that can be fatal in a high-stakes investigation.

Myth 2: “I Use Signal, So I’m Safe”

Signal is excellent for protecting data in transit (while it is moving). But what happens when you download that attachment to your laptop? It sits on your hard drive unencrypted. If your device is stolen or seized, Signal cannot protect the file anymore. You need file encryption for journalists that protects data at rest.

Myth 3: “Google Drive is Secure”

Google encrypts data on their servers, but they hold the keys. If Google is served a subpoena by a government agency, they can—and legally must—decrypt and hand over your files. To truly protect your sources, you must use client-side encryption (encrypting the file on your device) before you upload it to the cloud.

The Complexity Trap

On the other end of the spectrum, many security guides recommend tools like PGP (GnuPG). While secure, PGP is notoriously difficult to set up and use correctly. In a breaking news environment, complex tools get skipped. Security that is too hard to use is no security at all.

Step-by-Step: How to Encrypt Investigative Files

You don’t need a degree in computer science to secure your work. Modern tools like sekura.app allow you to apply military-grade security in seconds.

Step 1: Preparation (The “Clean Room”)

Before working with highly sensitive leaks (like the Panama Papers or Snowden-level documents), disconnect your computer from the internet. This is called “air-gapping.” It prevents malware from “phoning home” while you are decrypting or viewing sensitive files.

Step 2: Encrypting with Sekura.app

Open sekura.app. Since it runs in the browser but processes data locally, you can load the page and then disconnect from the internet if you wish.
Drag and Drop. Pull your audio files, transcripts, or photos into the interface. You can encrypt individual files or batch-process entire folders.
Set a Strong Passphrase. Do not use “Password123.” We recommend the Diceware method: string together 4-5 random words (e.g., correct-horse-battery-staple). This creates a password that is mathematically impossible to crack but easy to remember.
Click Encrypt. Your browser uses AES-256 encryption to lock the files. Crucially, your files and password never leave your computer. The encryption happens on your machine, not on a server.

Step 3: Safe Storage

Once you click encrypt, you will download a .skr file (or a standard encrypted file). You can now safely store this file anywhere:

Google Drive/Dropbox: Even if Google is subpoenaed, they only have a scrambled file. They do not have your password.
USB Drives: If the drive is lost or stolen at a border crossing, the data remains inaccessible.

If you need to send this file to an editor or a source:

Send the encrypted file via email or Signal.
Do not send the password in the same message.
Use an “out-of-band” channel for the password. If you emailed the file, send the password via Signal. If you used Signal for the file, tell them the password in person or via a secure video call.

For more details on generating passphrases, read our guide on how to create a strong password. If you are working in a zone without internet, check our offline encryption guide.

Critical Protocols: Metadata and Borders

Encryption hides the content of a file, but it doesn’t always hide the context. Two critical areas require special attention: metadata and physical searches.

The Metadata Trap

Sarah, a conflict correspondent, learned this the hard way. After returning from a conflict zone, her hotel room was raided. She had encrypted her laptop’s hard drive, but she had copied raw photos to an external drive that wasn’t fully secured.

The intruders didn’t need to see the photos to do damage. They accessed the metadata—the hidden data inside image files that records GPS coordinates, camera models, and timestamps. Using the GPS logs from her raw files, they located the safe house where she had interviewed victims.

The Protocol: Before encrypting sensitive photos, you must scrub the metadata. Tools like ExifTool can do this, or you can use encryption tools that strip metadata automatically. Always assume a file tells a story beyond its visible content.

Border Crossings & Physical Searches

“What if I’m forced to unlock my laptop?”

This is a legal grey area that varies by country. This is why you need a layered approach:

Full Disk Encryption (BitLocker/FileVault): This protects the entire machine if it is stolen.
File Encryption (Sekura): This protects specific archives inside the machine.

Plausible Deniability: One of the biggest risks at a border is having visible encryption software installed, which signals you have something to hide. Because sekura.app works in the browser and requires no installation, it leaves no footprint on your machine. You can encrypt your files, delete the history, and cross the border without “suspicious” software appearing on your desktop.

As the Northwest Capital Journalism Guide advises: “Journalists should utilize aliases for their own identities… [and] it’s crucial to remove all metadata from documents before sharing or publishing.”

Tool Comparison: Finding the Middle Ground

Journalists often struggle to find a tool that balances security with usability. Here is how the options stack up.

7-Zip / WinRAR

Pros: Familiar and already installed on many PCs.
Cons: Often defaults to older, weaker encryption standards. Can leave temporary unencrypted files in hidden system folders.
Verdict: Okay for low-risk admin, unsafe for source protection.

Veracrypt

Pros: The gold standard for creating hidden encrypted volumes.
Cons: Very complex. Requires administrative rights to install (cannot be used on borrowed computers). High risk of user error.
Verdict: Excellent for tech-savvy users on their own hardware, but impractical for quick field work.

Sekura.app

Pros: The “Middle Ground.” Military-grade AES-256 encryption with no installation required. Works on Chromebooks, library PCs, and borrowed laptops.
Cons: Requires manual file handling (you must encrypt specific files rather than the whole drive).
Verdict: The best balance of security and portability for journalists in the field.

FAQ: Digital Safety for Reporters

How can I encrypt files for a source who isn’t tech-savvy? This is a common hurdle. Direct them to sekura.app because it requires no account and no installation. If they can drag and drop a file, they can encrypt it. You can then provide the password securely.

Is a password on a Word document the same as encryption? No. Password protection on Office documents is a “lock” that is easily picked. Encryption is a mathematical scrambling of the data that makes it unreadable without the key.

Can I store encrypted files on Google Drive without Google seeing them? Yes. If you encrypt the file before uploading it (client-side encryption), Google only sees a scrambled mess of data. They cannot unlock it, even if compelled by law enforcement.

What happens if border control demands I unlock my laptop? If you have sensitive data, consider storing it in an encrypted volume in the cloud rather than on the device you are carrying across the border. If you must carry it, ensure the files are encrypted individually, not just the laptop login.

How do I remove metadata from photos? You can use tools like ExifTool or simple metadata scrubbers. Some operating systems allow you to right-click a photo and select “Remove Properties and Personal Information,” though dedicated tools are safer for high-risk data.

Conclusion: Protect the Story by Protecting the Data

In a digital landscape where data breaches have increased by 312% in the last year alone (ITRC, 2025), reliance on luck is not a strategy. A journalist’s credibility is built on their ability to protect their sources.

As the privacy experts at Tuta note: “If journalists want to protect their sources… they must adopt platforms that provide end-to-end encryption by default - not as an optional extra.”

Don’t wait for a threat to materialize. Secure your current investigation files now. With sekura.app, it takes seconds to encrypt your data, but that simple act could save your reputation—and your source’s life.

Start Encrypting Your Files Now - No Install Required