Deploying GlobaLeaks
Introduction
GlobaLeaks is a free and open-source whistleblowing platform that enables organizations to easily set up and maintain secure reporting systems. Recognized by the Digital Public Good Alliance as a Digital Public Good, GlobaLeaks provides optimal technical anonymity for whistleblowers while ensuring secure handling of sensitive submissions.
Built with security and privacy at its core, GlobaLeaks offers a comprehensive solution for organizations needing to implement whistleblowing channels, whether for compliance with regulations, corporate ethics programs, or journalistic investigations.
Key highlights of GlobaLeaks:
- End-to-End Encryption: All submissions are encrypted to protect whistleblower identity and sensitive information
- Tor Integration: Native support for Tor hidden services for maximum anonymity
- Multi-Language Support: Available in 40+ languages for global deployments
- Customizable Workflows: Configure questionnaires, recipients, and notification rules
- File Attachments: Secure handling of documents and media files
- Multi-Tenant Support: Host multiple independent whistleblowing initiatives on a single instance
- GDPR Compliant: Built with privacy regulations in mind
- No Registration Required: Whistleblowers can submit reports without creating accounts
- 100% Open Source: Fully transparent codebase licensed under AGPL-3.0
This guide walks through deploying GlobaLeaks on Klutch.sh using Docker, configuring persistent storage, and setting up the platform for production use.
Why Deploy GlobaLeaks on Klutch.sh
Deploying GlobaLeaks on Klutch.sh provides several advantages for running a secure whistleblowing platform:
Simplified Deployment: Klutch.sh automatically detects your Dockerfile and builds GlobaLeaks without complex orchestration. Push to GitHub and your whistleblowing platform deploys automatically.
Persistent Storage: Attach persistent volumes for your database and uploaded files. Submissions and configurations survive container restarts without data loss.
HTTPS by Default: Klutch.sh provides automatic SSL certificates, ensuring encrypted connections to your platform without manual certificate management.
GitHub Integration: Connect your configuration repository directly from GitHub. Updates to your Dockerfile trigger automatic redeployments.
Scalable Resources: Allocate CPU and memory based on expected submission volume and file storage needs.
Environment Variable Management: Securely store sensitive configuration through Klutch.sh’s environment variable system without exposing credentials in your repository.
Custom Domains: Assign a custom domain for a professional, trustworthy appearance that encourages whistleblower confidence.
Always-On Availability: Your whistleblowing platform remains accessible 24/7 for anonymous submissions.
Prerequisites
Before deploying GlobaLeaks on Klutch.sh, ensure you have:
- A Klutch.sh account
- A GitHub account with a repository for your GlobaLeaks configuration
- Basic familiarity with Docker and containerization concepts
- An understanding of your organization’s whistleblowing requirements
- (Optional) A custom domain for your GlobaLeaks instance
Understanding GlobaLeaks Architecture
GlobaLeaks is built on a security-focused architecture designed for whistleblower protection:
Python Backend: The core application runs on Python with the Twisted framework, providing asynchronous request handling and robust security features.
SQLite Database: GlobaLeaks uses SQLite for data persistence, storing encrypted submissions, user accounts, and configuration data.
Tor Integration: Optional Tor hidden service support provides additional anonymity layers for whistleblowers.
Web Interface: A modern, responsive web interface allows whistleblowers to submit reports and recipients to securely access submissions.
File Handling: Secure file upload and storage with encryption at rest for all attachments.
Preparing Your Repository
To deploy GlobaLeaks on Klutch.sh, create a GitHub repository containing your Dockerfile and configuration.
Repository Structure
```
globaleaks-deploy/
├── Dockerfile
├── README.md
└── .dockerignore
```
Creating the Dockerfile
Create a Dockerfile in the root of your repository:
```dockerfile
FROM globaleaks/globaleaks:latest

# Set environment variables
ENV GLOBALEAKS_HOSTNAME=${GLOBALEAKS_HOSTNAME:-localhost}

# Expose the web interface port
EXPOSE 8443

# The base image includes the default entrypoint
```
Advanced Dockerfile with Custom Configuration
For more control over your deployment:
```dockerfile
FROM globaleaks/globaleaks:latest

# Configure hostname for the instance
ENV GLOBALEAKS_HOSTNAME=${GLOBALEAKS_HOSTNAME:-localhost}

# Set timezone
ENV TZ=${TZ:-UTC}

# Create necessary directories
RUN mkdir -p /var/globaleaks

# Health check to verify application is running
HEALTHCHECK --interval=60s --timeout=10s --start-period=120s --retries=3 \
    CMD curl -f http://localhost:8443/ || exit 1

# Expose the application port
EXPOSE 8443
```
Creating the .dockerignore File
Create a .dockerignore file to exclude unnecessary files:
```
.git
.github
*.md
README.md
LICENSE
.gitignore
*.log
.DS_Store
.env
.env.local
```
Environment Variables Reference
| Variable | Required | Default | Description |
|---|---|---|---|
| GLOBALEAKS_HOSTNAME | Yes | localhost | The hostname for your GlobaLeaks instance |
| TZ | No | UTC | Timezone for the application |
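The repository prepared above can be checked before it is pushed. The following script is an added example, not part of GlobaLeaks or Klutch.sh; the function names are hypothetical. It verifies that the base image is pinned, that port 8443 is exposed, and that `.env` files stay out of the build context and the repository. The pinning check flags the `:latest` tag used in the Dockerfiles above, which is the case the update procedure later in this guide addresses by pinning to a specific version.

```shell
#!/bin/sh
# Added example: pre-push checks for the globaleaks-deploy repository.
# check_repo <dir> prints each failed check and returns the failure count.

# Image reference of the last FROM line, skipping flags such as --platform.
base_image() {
    awk 'toupper($1) == "FROM" {
             for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break }
         }
         END { print img }' "$1"
}

# Succeeds for an explicit tag other than "latest", or a digest reference.
is_pinned() {
    case "$1" in *@sha256:*) return 0 ;; esac
    name=${1##*/}   # drop registry/namespace so a registry port is not read as a tag
    case "$name" in
        *:latest) return 1 ;;
        *:?*)     return 0 ;;
        *)        return 1 ;;   # no tag resolves to :latest
    esac
}

check_repo() {
    repo=$1; fails=0
    df="$repo/Dockerfile"; di="$repo/.dockerignore"
    if [ ! -f "$df" ]; then echo "FAIL: no Dockerfile in $repo"; return 1; fi

    img=$(base_image "$df")
    if ! is_pinned "$img"; then
        echo "FAIL: base image '$img' is not pinned to a version"; fails=$((fails + 1))
    fi
    # The internal port configured on the platform is 8443.
    if ! grep -Eq '^[[:space:]]*EXPOSE[[:space:]]+(.*[[:space:]])?8443(/tcp)?([[:space:]]|$)' "$df"; then
        echo "FAIL: Dockerfile does not EXPOSE 8443"; fails=$((fails + 1))
    fi
    # .env files must stay out of the build context and out of the repository.
    if ! grep -Eq '^\.env\*?$' "$di" 2>/dev/null; then
        echo "FAIL: .dockerignore does not exclude .env"; fails=$((fails + 1))
    fi
    for f in .env .env.local; do
        if [ -f "$repo/$f" ]; then
            echo "FAIL: secret file present: $repo/$f"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run `check_repo .` from the repository root; a non-zero exit status is the number of checks that failed.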
Deploying GlobaLeaks on Klutch.sh
Once your repository is prepared, follow these steps to deploy GlobaLeaks:
Push Your Repository to GitHub
Initialize your repository and push to GitHub:
```bash
git init
git add Dockerfile .dockerignore README.md
git commit -m "Initial GlobaLeaks deployment configuration"
# Make sure the local branch is named main before pushing
git branch -M main
git remote add origin https://github.com/yourusername/globaleaks-deploy.git
git push -u origin main
```
Create a New Project on Klutch.sh
Navigate to the Klutch.sh dashboard and create a new project. Give it a descriptive name like “globaleaks” or “whistleblowing-platform”.
Create a New App
Within your project, create a new app. Connect your GitHub account if you haven’t already, then select the repository containing your GlobaLeaks Dockerfile.
Configure HTTP Traffic
GlobaLeaks serves its web interface over HTTPS. In the deployment settings:
- Select HTTP as the traffic type
- Set the internal port to 8443 (GlobaLeaks default port)
Set Environment Variables
In the environment variables section, add:
| Variable | Value |
|---|---|
| GLOBALEAKS_HOSTNAME | your-app-name.klutch.sh |
| TZ | Your preferred timezone (e.g., America/New_York) |
Attach Persistent Volumes
Persistent storage is essential for GlobaLeaks. Add the following volume:
| Mount Path | Recommended Size | Purpose |
|---|---|---|
| /var/globaleaks | 50 GB | Database, submissions, uploaded files, and configuration |
Deploy Your Application
Click Deploy to start the build process. Klutch.sh will:
- Detect your Dockerfile automatically
- Build the container image
- Attach the persistent volumes
- Start the GlobaLeaks container
- Provision an HTTPS certificate
Access GlobaLeaks
Once deployment completes, access your GlobaLeaks instance at https://your-app-name.klutch.sh. The first-time setup wizard will guide you through initial configuration.
Initial Setup and Configuration
First-Time Setup Wizard
When you first access your GlobaLeaks instance, the setup wizard guides you through:
- Language Selection: Choose your preferred administration language
- Profile Configuration: Set up the basic profile for your whistleblowing initiative
- Admin Account: Create the administrator account with a strong password
- Questionnaire Setup: Configure the questions whistleblowers will answer
- Recipients: Add the people who will receive and handle submissions
Configuring Recipients
Recipients are the users who receive and process whistleblower submissions:
- Navigate to Settings in the admin panel
- Go to Recipients section
- Click Add Recipient
- Enter recipient details and contact information
- Configure notification preferences
- Assign recipients to specific questionnaire contexts
Customizing the Platform
Personalize your GlobaLeaks instance:
- Branding: Upload your organization’s logo and customize colors
- Content: Edit welcome messages, submission guidelines, and legal notices
- Languages: Enable multiple languages for international whistleblowers
- Privacy Policy: Configure data retention and privacy settings
Security Best Practices
Operational Security
- Use Tor: Encourage whistleblowers to access the platform via Tor Browser for additional anonymity
- Regular Updates: Keep your GlobaLeaks instance updated with security patches
- Strong Passwords: Enforce strong passwords for all recipient accounts
- Two-Factor Authentication: Enable 2FA for administrator and recipient accounts
- Audit Logs: Regularly review access logs for suspicious activity
Data Protection
- Encryption: All data is encrypted at rest; ensure your persistent volume is secure
- Data Retention: Configure appropriate retention periods for submissions
- Secure Deletion: Use secure deletion for sensitive data when retention periods expire
- Backup Security: Encrypt all backups and store them securely
Monitoring and Maintenance
Accessing Logs
View application logs through multiple methods:
- Admin Interface: Access logs in the administration panel
- Klutch.sh Dashboard: View build and runtime logs in your app’s dashboard
Regular Maintenance Tasks
- Review and process submissions regularly
- Update recipient contact information as needed
- Check for software updates and security patches
- Review and update questionnaires based on feedback
- Monitor storage usage and adjust volume size if needed
Troubleshooting Common Issues
Application Won’t Start
Symptoms: Container exits immediately or fails health checks.
Solutions:
- Verify all required environment variables are set
- Check that the persistent volume is mounted correctly
- Review startup logs for specific error messages
- Ensure port 8443 is correctly configured
Cannot Access Web Interface
Symptoms: Browser cannot connect to GlobaLeaks.
Solutions:
- Verify the deployment is running in the Klutch.sh dashboard
- Confirm HTTP traffic type is selected with port 8443
- Check that GLOBALEAKS_HOSTNAME matches your deployment URL
- Clear browser cache and try incognito mode
Submission Issues
Symptoms: Whistleblowers cannot submit reports.
Solutions:
- Verify questionnaires are properly configured and published
- Check that at least one recipient is assigned to the context
- Review file upload size limits if attachments fail
- Ensure sufficient storage space on the persistent volume
Updating GlobaLeaks
To update to a newer version:
- Back Up Data: Ensure you have a current backup of /var/globaleaks
- Update Dockerfile: Change the image tag if pinning to a specific version
- Push Changes: Commit and push to trigger redeployment
- Verify: Test the updated instance and check for migration messages
Additional Resources
- Official GlobaLeaks Website
- GlobaLeaks Documentation
- GlobaLeaks GitHub Repository
- Klutch.sh Persistent Volumes
- Klutch.sh Deployments
Conclusion
Deploying GlobaLeaks on Klutch.sh gives you a powerful, secure whistleblowing platform with automatic builds, persistent storage, and HTTPS encryption. The combination of GlobaLeaks’ security-focused design and Klutch.sh’s deployment simplicity means you can focus on managing your whistleblowing program rather than infrastructure.
With end-to-end encryption, Tor support, and privacy-first design, GlobaLeaks provides the technical foundation for building trust with whistleblowers. Whether you’re implementing compliance requirements, supporting investigative journalism, or establishing corporate ethics channels, GlobaLeaks on Klutch.sh delivers a reliable, always-available platform for secure anonymous reporting.