Tails is an operating system based on Debian/Linux. It's a live OS, meaning you don't install it to a hard drive like Windows, but rather run it from DVD or USB stick. It is optimized for privacy and anonymity.
This guide duplicates many topics that are already brilliantly covered by the Tails documentation: https://tails.boum.org/doc/index.en.html. I urge you to read that! In fact, my guide is not supposed to be a surrogate for the Tails documentation. It's also not a pure walk-through. It's rather an explanatory article, showing you what Tails can do for you and how.
This guide provides a complete solution for anyone trying to be as secure as possible for their Tor adventures. That includes a secure operating system and encrypted storage for your files. This section was created for versions .12 - .14. Things might be different and functionality might have changed since then.
- 1 Tails' concept
- 2 How to choose strong passphrases
- 3 Requirements for Tails
- 4 First steps
- 5 Encryption of an external drive
- 6 Secure deletion of a drive or partition
- 7 Using the persistent volume
- 8 Installing software: The basics
- 9 File and folder handling in Terminal
- 10 General advice
Tails' concept
Tails is explicitly built for people who need strong anonymity. Thus, it provides the following features out-of-the-box:
- Tor setup: You don't need to configure Tor yourself. Tails forces all connections to go through the Tor network and/or blocks connections outside of Tor. This is a major security advantage for the user - DNS leaks aren't possible and unmasking attacks become much harder, especially if compared to a vanilla Windows system using TorBrowser. Tails also makes it easier to use other programs via Tor - Claws for Mail and Pidgin for IM are already installed.
- Amnesic live system: Tails boots from DVD or USB stick. It is designed to exclusively run in RAM: No traces are left on hard drives (i.e., caches, logs, etc.). By design, nothing is written on a hard drive - unless you explicitly tell it to do so (for instance, saving a file to your encrypted external drive). The combination of the two facts above enables you to take your secure Tor environment with you - you can safely boot from your Tails stick on a foreign PC (the only risks being surveillance cameras or hardware keyloggers). Also, you can safely give away your PC for repairs: Unplug your USB stick (and any encrypted external drive), and there's nothing left connecting your PC to your Tor activities. This is one of the big reasons never to mix regular Windows usage (encrypted or not!) with your Tor activities. More on that in chapter 1.d.
- Emergency exit: When push comes to shove, you just can't worry about deleting traces of your running system. Tails makes it easy: Press the shutdown button and it will initialize RAM-wipe, which only takes about 10-20 seconds. You can even rip out the Tails USB stick from a running system, which should trigger RAM-wipe as well. Wiping RAM is better than instantly removing power from the PC - RAM can hold information without electricity for some seconds, up to some minutes. Granted, retrieving information from "cold" RAM is not the most probable attack vector, but that's the reason for Tails' RAM wiping process.
- Based on Free Open Source Software: Tails only includes software after reviewing its source code. This is important for guaranteeing a secure OS. It also means for you that installing additional software can break Tails' secure setup. More on that in chapters 7 through 9.
- Included encryption tools: You don't need to install any encryption software yourself. Tails provides:
Why can't I use another OS / Windows in a VM?
Sure, you are free to do so. But, there are always people asking questions of the kind: is it safe to use program X with Tor and how do I disable/delete Windows' caches and traces? Especially if you don't have a good understanding of how things work, you will struggle with your setup and always worry about its security - rightfully so.
Tails on the other hand is already optimized for anonymous internet access and overall security. Yes, you could achieve comparable security by other means, but Tails is the most fail-safe option. Especially if you don't exactly know what you're doing, attempts to create a secure Windows environment will fail at some point or another.
How to choose strong passphrases
There are several occasions that require you to choose a safe passphrase, especially for encryption. Keep in mind that short, simple passphrases will be cracked in a short time. I recommend a combination of those two approaches:
- DiceWare method: http://world.std.com/%7Ereinhold/diceware.html
- Mnemonic approach: http://youtube.com/watch?v=VYzguTdOmmU
Remember that you are not only trying to defeat brute-force attacks. A passphrase like: supercalifragilisticexpialidocious might be 34 characters long, but will be easily cracked with a simple dictionary attack. That doesn't at all mean you shouldn't use dictionary words - but you have to combine at least 5 random words, e.g. with the DiceWare method mentioned above, creating passphrases looking like this: zen stunk ashley tipoff sudan gouda
This kind of passphrase is easy to type, easy to remember, yet, hard to crack. For explanatory details, read the DiceWare FAQ: http://world.std.com/%7Ereinhold/dicewarefaq.html
Requirements for Tails
- PC with (at least!) 1GB of RAM
- DVD drive
- USB stick with (at least!) 2GB
- Ability to boot from USB (depends on motherboard. Any problems, just google motherboard-name boot from USB)
- External hard drive for encrypted file storage
Note: I have heard about problems booting from Tails USB sticks on Mac laptops. You might need a boot manager like rEFIt. http://refit.sourceforge.net.
First steps
- Download the Tails disk image: https://tails.boum.org/download/index.en.html
- Burn it to DVD. If you don't know how to burn a disk image, here's a how-to for every OS: https://help.ubuntu.com/community/BurningIsoHowto
- Boot from DVD
Now you should think about how you want to use Tails. There are two options...
Using Tails as a completely amnesic system
If you never intend to permanently save any files and just want to browse in Tor land, this is the way to go. Out-of-the-box, Tails will not utilize your hard drives. It completely stays in RAM. Open your amnesia's Home folder on the Desktop: Anything saved in there will be wiped on shutdown.
You can still make changes to Tails, like installing DownThemAll (Firefox-integrated download manager) or adding software packages through apt-get, but everything will be lost after shutdown.
If you use Tails this way, the big advantage is: No evidence at all. If you've decided that even well-encrypted files are too much of a risk for you, this is the way to go. There's no recoverable evidence of your activities, no clean-up tools needed. You can look at pictures, even download files to your amnesia's Home folder - they will irrecoverably be gone on shutdown. Using Tails for this kind of surfing is way more fail-safe and easier than cleaning up a Windows machine every day.
Using Tails with a persistent volume
If you want to do more with your Tails setup, you will need a USB-stick to put a persistent volume on it. Installing Tails on a USB stick is best done within Tails, read the instructions here: https://tails.boum.org/doc/firststeps/usbinstallation/index.en.html
Being able to boot from USB depends on your PC's motherboard - most can do it. You might need to change BIOS settings; you will find that information on the web. Now that you have booted from your Tails USB-stick, you can create a persistent volume on its remaining space. Instructions: https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html
Read closely which files or features can be made persistent. Especially the GNOME keyring and the saved APT Packages / APT lists can be very useful. I recommend enabling the Personal data option, which means that you can permanently store files on the encrypted portion of the stick. It will be represented by the folder called Persistent. You might not want to use it for your main storage due to the size of your USB stick - read on how to setup an encrypted external drive.
Encryption of an external drive
I guess many of you use TrueCrypt. You can continue to use TrueCrypt on Tails - but not in the long run. Right now, you'd have to enable TrueCrypt in the boot options: https://tails.boum.org/doc/encryptionandprivacy/truecrypt/index.en.html
In future versions of Tails, TrueCrypt support will be dropped entirely (reasons being: License issues and concerns about TC's somewhat closed development). Instead, you should use LUKS, the Linux standard for disk encryption. It is easily configured through the GNOME Disk Utility. You'll find the instructions here.
Make sure you choose a strong passphrase, as described in chapter 2. Note that Disk Utility allows you to change the volume's passphrase at any time without re-encrypting the whole drive. That's possible because of the two-layer encryption structure: There's a master key that encrypts your drive. Your passphrase encrypts the master key. Should you change your passphrase, only the master key will be re-encrypted.
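The two-layer structure described above, as an added illustration that is not part of the original guide and does not reproduce the LUKS on-disk format. It mimics the idea with the openssl command-line tool (assumed to be installed); the function names and the temporary "volume" directory are hypothetical.

```shell
#!/bin/bash
# Added illustration of a two-layer key scheme. This is NOT the LUKS on-disk
# format; it only mirrors the idea with the openssl command-line tool.
VOL=$(mktemp -d)            # stands in for the encrypted drive

# Passphrases are handed over via the environment (PW), not on the command line.
wrap_key() {                # $1 = passphrase, $2 = file holding the master key
    PW="$1" openssl enc -aes-256-cbc -pbkdf2 -pass env:PW -in "$2" -out "$VOL/keyslot"
}
unwrap_key() {              # $1 = passphrase, $2 = where to write the master key
    PW="$1" openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PW -in "$VOL/keyslot" -out "$2"
}

create_volume() {           # $1 = passphrase, data arrives on stdin
    local mk; mk=$(mktemp)
    openssl rand -hex 32 > "$mk"                  # layer 1: random master key ...
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$mk" -out "$VOL/data"  # ... encrypts the data
    wrap_key "$1" "$mk"                           # layer 2: passphrase encrypts the master key
    rm -f "$mk"
}

change_passphrase() {       # $1 = old, $2 = new; "$VOL/data" is never touched
    local mk; mk=$(mktemp)
    unwrap_key "$1" "$mk" && wrap_key "$2" "$mk"
    local rc=$?
    rm -f "$mk"
    return $rc
}

read_volume() {             # $1 = passphrase; prints the decrypted data
    local mk; mk=$(mktemp)
    unwrap_key "$1" "$mk" 2>/dev/null &&
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$mk" -in "$VOL/data" 2>/dev/null
    local rc=$?
    rm -f "$mk"
    return $rc
}
```

After change_passphrase, the checksum of the data file is unchanged while only the small keyslot file has been rewritten, which is why changing the passphrase is instant regardless of drive size.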
How to mount a LUKS-encrypted volume in Windows
Although it's a Linux file system, there is a way to access it in Windows. If you ever feel the need to access your drive in a Windows environment, use http://www.freeotfe.org. Not recommended for various security reasons, but possible.
Secure deletion of a drive or partition
If you've decided to ditch your old Windows environment, it's important to destroy potential evidence. Don't keep old drives that you used for downloading, viewing, or storing of anything illegal or incriminating. Overwriting such a drive once is sufficient. Don't waste your time with 35-pass methods. Read here why.
How to do it in Tails:
- Identify the ID of your drive or partition
- Open GNOME Disk Utility from the menu bar: Applications > System Tools > Disk Utility
- Click on the drive you plan to wipe. It should look like this: click here
- You find the ID in the line Device. In the case shown in the screenshot, it would be /dev/sdb. A drive's ID always looks like: /dev/sdX. A partition's ID always looks like: /dev/sdXY
Use the shred command in Terminal: shred is shipped with Tails, but it does not have a GUI (Graphical User Interface). You control it via the command line, which is called Terminal in Tails. In the menu bar, click on the black item representing a command line prompt to launch Terminal. The command: shred -vf -n 1 /dev/sdX will overwrite the drive /dev/sdX once with random data (-n 1), output progress info (-v), and operate as a force-overwrite (-f). The operation will take some hours (500GB took me about 4-5 hours). BE CAREFUL: Make sure you identified the right drive. Once overwritten, data is lost.
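One way to guard against wiping the wrong drive, as an added example that is not part of the original guide: a wrapper that refuses anything that is not an unmounted block device and asks you to retype the path before running the shred command from above. The function names and the MOUNTS_FILE override are hypothetical.

```shell
#!/bin/bash
# Added example: pre-flight checks before wiping a device with shred.
# MOUNTS_FILE can be overridden so the mount check can be tried on sample data.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Succeeds if the device itself, or a partition on it, is listed as mounted.
is_mounted() {
    local dev="$1" src rest
    while read -r src rest; do
        case "$src" in
            "$dev"|"$dev"[0-9]*|"$dev"p[0-9]*) return 0 ;;
        esac
    done < "$MOUNTS_FILE"
    return 1
}

# Prints the reason and returns non-zero if the target must not be wiped.
wipe_preflight() {
    local dev="$1"
    case "$dev" in
        /dev/*/) echo "refusing: trailing slash, use e.g. /dev/sdX" >&2; return 2 ;;
        /dev/*)  ;;
        *)       echo "refusing: $dev is not under /dev" >&2; return 2 ;;
    esac
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 3
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2
        return 4
    fi
    return 0
}

# Shows what is about to be destroyed, asks for confirmation, then wipes once.
wipe_device() {
    local dev="$1" answer
    wipe_preflight "$dev" || return
    lsblk -o NAME,SIZE,MODEL,MOUNTPOINT "$dev"
    printf 'Type the device path again to confirm: '
    read -r answer
    if [ "$answer" != "$dev" ]; then
        echo "aborted" >&2
        return 1
    fi
    sudo shred -vf -n 1 "$dev"
}
```

Compare the size and model printed by lsblk with what Disk Utility showed before you retype the path.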
Using the persistent volume
If you've installed Tails on a USB stick, going to Applications - Tails - Configure persistent volume will walk you through an installation wizard for the persistent volume. Make sure you choose a strong password - read chapter 2.
Despite the Persistence feature, Tails will never work like an installed OS that you are probably used to. It will remain a live OS that can preserve some resources, but for the sake of security and integrity, it can't be as comfortable as an installed OS. Go to Applications - Tails - Configure persistent volume to take a look at the available options. You can sort the Persistence options into four categories:
- Persistent file storage (Personal Data)
- Persistent configuration files for some Tails apps (e.g. Pidgin, GNOME Keyring, SSH client)
- Persistent software lists and software downloads (APT lists and APT Packages, read chapter 8!)
- Persistent directories (for instance, paths to configuration files for additionally installed software - advanced!)
Items will be made persistent after a reboot. Any time you enable a Persistence feature, reboot before using it.
Storing files on the persistent volume
This is the most basic option. It enables a persistent folder found in /home/amnesia/Persistent/. Keep in mind, all other directories, for instance the Desktop, are still not persistent. Due to USB sticks' limited capacities I don't recommend the Persistent folder as your main storage. It's as secure as your password is, so you can use it for sensitive files though. I, for one, only keep the following items in the Persistent folder:
- Backups of password keyrings and other important files
- Some notes and text files; stuff I want to have with me on the go
That's just an example; use the folder however you like. Just choose a strong password as described in chapter 2.
Firefox bookmark management
You may have already noticed that a Persistence preset for the Firefox/Iceweasel browser is missing. The main reason is that Tails wants to discourage you from changing anything browser-related, for security reasons. That makes sense, but also means that we have to sync bookmarks manually.
Theoretically, you could make the bookmarks.html file persistent, in which the browser stores all bookmarks. For technical reasons, this is harder than it looks, because the profile's directory changes on each launch of Firefox. Unless someone finds a better solution for this, we are left with two options for the bookmarks problem:
- Use Firefox/Iceweasel's integrated Import and Backup feature:
- create your bookmarks in Firefox/Iceweasel
- go to Bookmarks - Show all bookmarks - Import and Backup - Backup
- save this backup file in your Persistent folder
- via the same menu, import this file the next time you boot Tails
- Keep the links in a plain text file (.txt), stored in Persistent folder
- this might look a bit puritan, but it's easier to handle.
The password manager - Passwords and Encryption Keys
The tool is found in System > Preferences > Passwords and Encryption Keys. It allows you to:
- store passwords or logins in an encrypted keyring
- create an OpenPGP key for encrypting mails
I want to focus on the first feature. You may be registered on several Tor sites. It's a hassle to choose passwords that are both easy to remember and secure. That's why it might be a good idea to use a password manager. Thus you can choose cryptic, ridiculously long logins, but only have to remember the master password of your password manager. First, enable Persistence for the GNOME Keyring. As always, this is done in Applications > Tails > Configure persistent volume. Don't forget to reboot after making that change. Now, you can create persistent password keyrings.
To create a keyring:
- Open the manager from System > Preferences > Passwords and Encryption Keys
- Click File > New > Password Keyring, choose a name and password
To add a password to this keyring:
- Open the manager from System > Preferences > Passwords and Encryption Keys
- Click File > New > Stored password
- Select your previously created keyring
- For a description, e.g. use the site's URL or your account's name
- Type or paste the password
To access a password:
- Open the manager from System > Preferences > Passwords and Encryption Keys
- Right-click on the keyring, Unlock
- Double-click the password entry
- Expand the password field and click Show Password
Creating a backup of the keyring: In case you lose your USB stick, it might be handy to have a backup of your passwords. Keyrings are small files that you can store on some other encrypted volume (for instance, your encrypted external drive, chapter 5.a). In case you need to recover the backup, just put the files back into their original location.
- Open a file browser window. Click Go > Location ...
- In the address field, insert: /home/amnesia/.gnome2/keyrings and press Enter
- You'll see your keyring(s) with the file extension .keyring
- Copy those files to another (encrypted!) volume
Recovering a keyring backup:
- Close the program Passwords and Encryption Keys if it's open
- Go to your backup location, copy the .keyring file(s)
- In the file browser, click Go - Location ...
- In the address field, input: /home/amnesia/.gnome2/keyrings and press Enter
- Paste your .keyring files into this folder
- Restart Passwords and Encryption Keys
- Your keyrings are back in place
Pidgin for IM/Chat/IRC
Pidgin is pre-configured for chatting through Tor. Many chat protocols are supported. If you want your account settings to be permanent, enable the Persistence option Pidgin in Applications > Tails > Configure persistent volume and reboot
What's not safe to do:
- For anonymous chatting, donât ever log into any services that could be traced back to you. That includes:
- services that may have personal information about you (name, address, phone, email, real-life friends, etc)
- services you previously logged into without Tor (always assume services log IP addresses!)
What's safe to do:
- Using any of the supported chat protocols with accounts you created with Tor and without giving personal information.
The TorChat plugin:
- Good news: The developer of TorChat has also created a TorChat Pidgin plugin
- Bad news: it doesn't work on Tails. Same problem as with standalone TorChat, read about that issue in chapter 8.d
Installing software: The basics
Keep in mind you should modify Tails only when necessary and to the minimum. The whole point of Tails is to provide a safely configured system. Don't tamper with it. Read the warnings here: https://tails.boum.org/doc/first_steps/persistence/warnings/index.en.html. Yet, you sometimes need something that's not included in Tails.
- Tails is Linux/Debian based. You can install software that's provided in Debian repositories (or manually download a .deb file)
- You'll need admin privileges for any installation. That requires enabling More options when booting, after which you can set an admin password. You don't need an insanely strong password here, because it's not for encryption
- Installation is either done via: Synaptic Package Manager (System > Administration > Synaptic Package Manager), Terminal command: sudo apt-get install, or manually install a downloaded .deb file (Terminal: sudo dpkg -i /path/to/file.deb). The last part is only necessary for applications that are not included in the usual Debian repositories
It is recommended to enable the following Persistence options (Applications > System tools > Configure persistent volume):
- APT lists
- APT packages
APT lists are information about software, its versions and their availability. Once you trigger an update of that list via sudo apt-get update, the list will be kept. APT packages are the applications you download via sudo apt-get install or Synaptic Package Manager. Important: ONLY the packages are kept. Not the actual application's installation or the application's configuration. This means that you have to install your applications again, on every boot. This might feel cumbersome, but actually it is not.
Save a .txt file with the commands you need to run on every boot and paste them into Terminal. You don't need to include sudo apt-get update, just append every application you wish to install to sudo apt-get install. It could look like this: sudo apt-get install app1 app2 && sudo dpkg -i "/PATH/app3.deb" && app1. This line would do the following:
- install app1
- install app2
- install app3 from local file
- launch/initialize app1
Take a look at the syntax: with &&, you chain different commands, so you can put multiple commands in one line. Obviously, all of the above is meant for advanced computer users. Especially if you try and install a .deb file manually, so-called dependencies will come into play. That means, to install the application, some other packages need to be installed to make it work. This is also the case if you install via apt-get or Synaptic Package Manager, but in those cases, dependencies are handled automatically
Recommended software additions
- DownThemAll (via Firefox/Iceweasel)
- Gnome-screensaver (via apt-get)
DownThemAll: Tails strongly advises against installing browser plugins. You should run a vanilla Iceweasel for three reasons:
- Don't change the browser's footprint. You want to look like every other TorBrowser out there
- The plugin could contain malicious or buggy code
- Don't risk messing up the browser's safe setup. You don't want anything to interfere with TorButton or proxy settings, for instance
On the other hand, without download managers, you'd lose the ability to resume unstable downloads. Adding a download manager is on Tails' agenda, let's hope they do it soon. In the meantime, I've chosen DownThemAll for the following reasons:
- It is Free Open Source software
- It completely runs within Iceweasel/Firefox (does not have own proxy/network settings)
How to install DownThemAll
- Download the xpi-file from the developer http://www.downthemall.net/main/install-it/downthemall-2-0-13/
- Save it in your Persistent folder, so you don't need to download it for subsequent installations
- Drag it onto a running Iceweasel window, which will need to restart
Note: The fact you're saving a copy of DTA to your disk also means you should manually check for updates once in a while.
How to install gnome-screensaver (via apt-get)
For some reason, Tails does not bring its own screen lock. You should always lock the screen, even if you're just opening the door or feeding the dog. Initial download and installation of gnome-screensaver:
- Open a Terminal
- Run: sudo apt-get update && sudo apt-get install gnome-screensaver && gnome-screensaver
- To lock the screen, press CTRL+ALT+L or click Lock Screen in the menu bar's System tab
Subsequent installations of gnome-screensaver:
- Save the following command to a .txt file in your Persistent folder, so you can easily paste it into a Terminal window: sudo apt-get install gnome-screensaver && gnome-screensaver
- Note the difference to the initial installation: We don't update the package list again (apt-get update) and also, the package gnome-screensaver will not be downloaded again, if you've enabled the Persistence options for APT-Lists and APT-Packages. If you need to chain multiple installations together, I wrote a syntax example in chapter 7.1
I2P / iMule (not recommended)
If you don't know anything about I2P, don't use it. You are most likely better off with Tor, so just stick with that. iMule is an eMule clone based on the anonymous darknet I2P. Although Tails is focused on Tor, it also ships with an I2P console. The following steps are just an orientation for advanced users only.
- You can start I2P from the menu bar: Internet > i2p
- You'll need to enable the SAM bridge for iMule: I2P Console > I2P Services > Clients > SAM application bridge
- Restart the console
- iMule depends on libcrypto++8 and python / wxgtk, install it
- Install iMule (download here and take the i386 squeeze Package)
- Bootstrap with a nodes.dat; I took this
- You should be up and running, wait for discovery of more clients.
- iMule is slow anyway
TorChat (not working)
It's a pity, but TorChat is not being shipped with Tails (Tails' developers disagree with TorChat's implementation). It is not impossible to get TorChat working with Tails. I got as far as:
- installing TorChat
- making the hidden service directory persistent
The major problem is the following: TorChat uses its own Tor instance - not the one that's already running on the system. This conflicts with Tails' setup. It could be resolved by putting TorChat in client mode, which forces it to use the system's Tor instance. That requires making changes to Tails' torrc (Tor config), which I am not able to (safely) do. If somebody finds a safe way, tell us. Remember, you actually don't want to make persistent changes to Tails' system, especially the Tor setup.
File and folder handling in Terminal
For the most part, you can stick with the graphical File Browser. Some tasks though require the Terminal, for example joining a split file. Here are some of the more basic commands.
- cd - change directory. A Terminal window always starts at /home/amnesia/. For example, the command cd /home/amnesia/Persistent takes you to your Persistent folder. cd .. takes you one level up in the directory hierarchy - in this case, back to the /home/amnesia/ home folder. You can also type cd and, before pressing Enter, drag a folder from File Browser onto the Terminal window to add its full path! Works with individual files as well.
- ls - list all files and folders in the current directory. ls -a includes hidden files and folders.
- cat - a utility to join files. Example: You download a split video, with parts named Video 1.avi.001, Video 1.avi.002, and so on. Steps to join the video:
- Put all the parts of your video in one folder
- Open a Terminal window and jump to your video folder's path with: cd /path/to/folder/
- Remember, you can drag the folder onto Terminal to add its path
- Run cat "Video 1.avi".* > "Video 1.avi" in Terminal
Take a close look at cat's syntax to understand what it does: cat "Video 1.avi".* > "Video 1.avi" This command means that cat will look at all files whose names begin with "Video 1.avi." and put them all together in a single file called "Video 1.avi". The asterisk works as a wildcard, just as in a file search. The quotes are necessary because the Terminal doesn't like spaces in file names. Before you delete the split parts, make sure that the joined file was created correctly. cat doesn't give feedback, and if a part is missing, it won't tell you.
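Because cat gives no feedback, the check can be scripted. The following is an added example, not part of the original guide: a hypothetical join_parts function that refuses to run if a numbered part is missing from the middle of the sequence and confirms that the joined file is exactly as large as all parts together. It assumes three-digit suffixes (.001, .002, ...) as in the example above.

```shell
#!/bin/bash
# Added example: join numbered parts and verify the result before deleting them.
# Usage: join_parts "Video 1.avi"   (expects "Video 1.avi.001", ".002", ...)
join_parts() {
    local out="$1" part n=0 expected total=0 size
    if [ -e "$out" ]; then
        echo "refusing: $out already exists" >&2
        return 1
    fi
    # The shell expands the pattern in sorted order, so .001 comes first.
    for part in "$out".[0-9][0-9][0-9]; do
        if [ ! -f "$part" ]; then
            echo "no parts found for $out" >&2
            return 2
        fi
        n=$((n + 1))
        expected=$(printf '%s.%03d' "$out" "$n")
        if [ "$part" != "$expected" ]; then
            echo "gap in sequence: expected $expected, found $part" >&2
            return 3
        fi
        size=$(wc -c < "$part")
        total=$((total + size))
    done
    cat "$out".[0-9][0-9][0-9] > "$out" || return 4
    size=$(wc -c < "$out")
    if [ "$size" -ne "$total" ]; then
        echo "size mismatch: parts $total bytes, joined $size bytes" >&2
        return 5
    fi
    echo "joined $n parts, $total bytes"
}
```

A missing last part cannot be detected this way, so also compare the number of parts reported with the number you expected to download.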
That little file-joining operation should just serve as a tiny example of the command line's capabilities. If you spend some time exploring it and search on the internet for Debian/Linux-related tips, you'll get good use out of it, for example creating split .rar archives, encoding video clips and much more.
General advice
- Don't lose your paranoia (don't feel totally safe with Tails). Paranoia keeps you thinking and aware
- Using Tails does not magically make you safe for all eternity
- Updating Tails whenever a new version comes out is crucial for maintaining a secure state
- Don't screw with Tails
- Don't make system paths persistent - that will prevent Tails from being properly updated
- If you can avoid it, don't install additional software
- Don't install browser plugins. At most, DownThemAll
- Don't try and make Iceweasel/Firefox persistent. The potential ill effects outweigh the discomfort of adding DTA or bookmarks every time
- Never leave incriminating files unencrypted on any drive. That includes your old Windows system, if you ever downloaded, stored or viewed incriminating files with it
- So, please erase all drives that could still keep unencrypted incriminating files or traces. Read chapter 6 for a how-to. Better be safe than sorry
- READ the Tails documentation. Browse in Tails' forum (https://tails.boum.org/forum) to see how other people resolve their problems.
- Unsure about something? Ask questions!
Taken and Wikified from source: http://xzu2i6kiyhysfn4s.onion.market/Tails.html