Use SSL. Use it properly, talk to someone about (or just google) HSTS and HPKP, and manage the certificates and keys properly. Rotate keys and certificates. Check your site(s) with ssllabs.com. This will probably be the hardest to manage if you want to post the form on big name news sites, as they probably have their own SSL workflow.
You're trusting keybase.io. Be aware of this, it's part of your trust model. Look at how they do security. Will you check on them from time to time? Will end users/whistleblowers be able to trust them easily? What security precautions do they use?
So, when people use this product our servers will never even see the message. The encryption happens right in the browser so there's no chance that anyone but the intended recipient (who controls the private key) can read the message.
Sure, the message is encrypted, but worry about metadata. Will it be easy to see who sent the message? Who received it? When it was sent? When it was read?
The most we will ever do is fetch your public key from your keybase profile.
Is "you" a journalist here, or a whistleblower? From a crypto point of view, if journalists have uploaded their public keys to keybase, then all a whistleblower has to do is use the journalist's public key to encrypt. The whistleblower shouldn't need an actual profile.
Metadata retention probably stores which servers a user visits, including DNS names. If it is known which journalist received a leak, metadata might make it easier to track the leaker by looking at people who visited both "journalist's private site" and keybase.io.
Solution: Keep the forms on sites that would host forms for many journalists, making it harder to link "website access" to a specific journalist. Even better, try to make the site useful for other things as well.
I've thrown a few of these into issues over at https://github.com/abcnews/editorslab-2017/issues.
There are a few which I'll answer here, just for reference.