A Working Journalist's Guide to File Encryption Without Specialized Software
Source protection is foundational to journalism. The Reporters Committee for Freedom of the Press recommends encrypting any file containing identifying source information, draft material relating to ongoing investigations, or sensitive notes. The standard recommendation is GPG — which is excellent if you can install it, configure it, and learn its command-line workflow. Most working reporters cannot, especially when filing from the field on a hotel laptop or borrowed device.
This guide walks through a browser-based alternative using a free file password protector. It uses the same AES-256 cryptography as professional tools, runs entirely in your browser, and works on any device with a modern browser, including phones, tablets, and locked-down newsroom machines.
The Threat Model
Encryption is only useful if you understand what you are protecting against. For most journalists, the realistic threats are:
- Lost or stolen device. A laptop forgotten in a taxi. A phone snatched on the street. A USB drive misplaced.
- Border searches. Customs officers in many countries can compel you to unlock your device. Encrypted files are different from an unlocked device — they require a separate password the officer cannot derive from your fingerprint.
- Compelled disclosure of cloud accounts. Subpoenas served on Google, Apple, or Dropbox can produce all your stored files. Encrypted files in those services produce only ciphertext.
- Nation-state surveillance during a sensitive investigation. The hardest threat. Browser encryption helps but is not sufficient on its own — air-gapped devices and physical security become important.
For the first three (which cover 95% of working reporters), browser-based file encryption is a meaningful and practical defense.
A Field-Ready Workflow
Before the trip: Bookmark the encryption page on every device you will carry. Pre-generate a password manager entry for each potential matter so you are not inventing passwords in the field.
In the field: Take notes locally. As soon as a file (notes, photo, recording, document scan) contains anything sensitive, encrypt it. Use a unique password per file or per matter. Store the encrypted file on the device and delete the unencrypted original.
Filing: When sending the encrypted file to your editor or to a secure drop, send the password over a different channel from the file. Email the file and text the password, or text the file and give the password by voice call.
After the story runs: Decide whether to retain or destroy. Encrypted files retained on device are protected if the device is later seized. Files you genuinely no longer need should be securely deleted.
Why Browser-Based Beats Cloud Tools
Several "secure file sharing" services aimed at journalists (SecureDrop, OnionShare, Tresorit) are excellent. But they have setup overhead — you need accounts, sometimes Tor, sometimes specific clients. In a field situation where you need to encrypt one file in two minutes before walking into an interview, the browser tool is the fastest option.
Browser encryption complements those tools rather than replacing them. The pattern that works in practice: encrypt with the browser tool to lock the file immediately, then transfer using whatever secure channel (SecureDrop, Signal, encrypted email) is appropriate for that source.
Crossing Borders With Encrypted Files
This is jurisdictional and varies by country. In the United States, courts have given mixed rulings on whether border officials can compel decryption of files (the law is unsettled). In the UK, RIPA gives police authority to demand decryption keys. In some authoritarian states, refusing to decrypt is itself a criminal offense.
What encryption gives you in all these scenarios is the option to choose. Without encryption, the contents of your device are immediately readable by any officer who has it. With encryption, the data remains private until you actively decide to provide the password — which lets you consult counsel, alert your editor, or comply only after a formal legal process.
This is not legal advice. If you are crossing borders with sensitive material, consult your news organization's legal team and the Committee to Protect Journalists guidance.
Password Management for Reporters
Reusing the same password across files is the most common mistake. If one file is compromised (a source disclosed your password under pressure, a colleague accidentally shared one), every other file using the same password is also exposed.
Use a password manager — Bitwarden is free, open source, and works in any browser without an install. Generate a unique 20+ character random password for each encrypted file. Store the password in the manager with a clear label so you can find it months later when the editor asks for the source material.
For very high-stakes investigations, consider air-gapping the password manager from the device you carry: keep the master vault on a device that never connects to the internet, sync only specific entries to your work device.
Frequently Asked Questions
Is browser encryption strong enough for source protection?
For most working journalists, yes. AES-256-GCM with a strong password is computationally infeasible to brute force with current technology. The weak link is almost always the password, the device security, or the human chain — not the algorithm.
What about Signal for file transfer?
Signal is excellent for transmission and is the standard for encrypted messaging. Browser-based file encryption is for files you are storing on disk, in cloud services, or sending through channels other than Signal. The two are complementary.
Can my editor decrypt the file?
Yes, using the same browser tool with the password you share by a separate channel. This is one of the main advantages over GPG, where you need to share a public key and trust the key exchange — which is impractical for most newsroom workflows.
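What the answers above describe (AES-256-GCM under a password, and an editor decrypting with the same password), as an added example using the Web Crypto API; it is not the tool's own code. The key-derivation function, iteration count and file layout are assumptions, since the page does not name them, and all function names are hypothetical.

```javascript
// Assumed (not stated on the page): PBKDF2-SHA-256 at 600,000 iterations and
// a container layout of salt(16) || iv(12) || ciphertext with GCM tag.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, ITERATIONS = 600000;

// Stretch the password into a 256-bit AES-GCM key. The random salt gives
// every file its own key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns one Uint8Array: salt || iv || ciphertext+tag.
async function encryptBytes(plaintext, password) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN)); // never reuse with a key
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0); out.set(iv, SALT_LEN); out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Resolves to the plaintext, or null when the password is wrong or the file
// was altered: GCM tag verification fails in both cases.
async function decryptBytes(file, password) {
  if (file.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const key = await deriveKey(password, file.slice(0, SALT_LEN));
  const iv = file.slice(SALT_LEN, SALT_LEN + IV_LEN);
  try {
    return new Uint8Array(await wc.subtle.decrypt(
      { name: "AES-GCM", iv }, key, file.slice(SALT_LEN + IV_LEN)));
  } catch { return null; }
}

// Constructed sample data: round trip, wrong password, one flipped bit.
async function demo() {
  const note = new TextEncoder().encode("constructed sample note");
  const file = await encryptBytes(note, "constructed-passphrase-1");
  const ok = new TextDecoder().decode(await decryptBytes(file, "constructed-passphrase-1"));
  const wrong = await decryptBytes(file, "constructed-passphrase-2");
  file[file.length - 1] ^= 1; // simulate corruption or tampering
  const tampered = await decryptBytes(file, "constructed-passphrase-1");
  return { ok, wrong, tampered, size: file.length };
}
```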

