Tails Guide

From The Uncensored Hidden Wiki
Jump to: navigation, search

Tails is an operating system based on Debian/Linux. It’s a live OS, meaning you don’t install it to a hard drive like Windows, but rather run it from DVD or USB stick. It is optimized for privacy and anonymity.

This guide duplicates many topics that are already brilliantly covered by the Tails documentation. https://tails.boum.org/doc/index.en.html. I urge you to read that! In fact, my guide is not supposed to be a surrogate for the Tails documentation. It’s also not a pure walk-through. It’s rather an explanatory article, showing you what Tails can do for you and how.

This guide provides a complete solution for anyone trying to be as secure as possible for their Tor adventures. That includes a secure operating system and encrypted storage for your files. This section was created for versions .12 - .14. Things might be different and functionality might have changed since then.

Tail’s concept

Tails is explicitly built for people who need strong anonymity. Thus, it provides the following features out-of-the-box:

  1. Tor setup: You don’t need to configure Tor yourself. Tails enforces any connections to go through the Tor network and/or blocks connections outside of Tor. This is a major security advantage for the user - DNS leaks aren’t possible and unmasking attacks become much harder, especially if compared to a vanilla Windows system using TorBrowser. Tails also makes it easier to use other programs via Tor - Claws for Mail and Pidgin for IM are already installed.
  2. Amnesic live system: Tails boots from DVD or USB stick. It is designed to exclusively run in RAM: No traces are left on hard drives (i.e., caches, logs, etc.). By design, nothing is written on a hard drive - unless you explicitly tell it to do so (for instance, saving a file to your encrypted external drive). The combination of the two facts above enables you to take your secure Tor environment with you - You can safely boot from your Tails stick on a foreign PC (only risks being surveillance cameras or hardware keyloggers). Also, you can safely give away your PC for repairs: Unplug your USB stick (and the eventual, encrypted external drive), and there’s nothing left connecting your PC to your Tor activities. This is one of the big reasons why to never mix regular Windows usage (encrypted or not!) with your Tor activities. More on that in chapter 1.d.
  3. Emergency exit: When push comes to shove, you just can’t worry about deleting traces of your running system. Tails makes it easy: Press the shutdown button and it will initialize RAM-wipe, which only takes about 10-20 seconds. You can even rip out the Tails USB stick from a running system, which should trigger RAM-wipe as well. Wiping RAM is better than instantly removing power from the PC - RAM can hold information without electricity for some seconds, up to some minutes. Granted, retrieving information from “cold” RAM is not the most probable attack vector, but that’s the reason for Tails’ RAM wiping process.
  4. Based on Free Open Source Software: Tails only includes software after reviewing its source code. This is important for guaranteeing a secure OS. It also means for you that installing additional software can break Tails’ secure setup. More on that in chapters 7 through 9.
  5. Included encryption tools: You don’t need to install any encryption software yourself. Tails provides:

Why can’t I use another OS / Windows in a VM?

Sure, you are free to do so. But, there are always people asking questions of the kind: is it safe to use program X with Tor and how do I disable/delete Windows’ caches and traces? Especially if you don’t have a good understanding of how things work, you will struggle with your setup and always worry about its security - rightfully so.

Tails on the other hand is already optimized for anonymous internet access and overall security. Yes, you could achieve comparable security by other means, but Tails is the most fail-safe option. Especially if you don’t exactly know what you’re doing, attempts to create a secure Windows environment will fail at some point or another.

How to choose strong passphrases

There are several occasions that require you to choose a safe passphrase, especially for encryption. Keep in mind that short, simple passphrases will be cracked in a short time. I recommend a combination of those two approaches:

Remember that you are not only trying to defeat brute-force attacks. A passphrase like: supercalifragilisticexpialidocious might be 34 characters long, but will be easily cracked with a simple dictionary attack. That doesn’t at all mean you shouldn’t use dictionary words - but you have to combine at least 5 random words, e.g. with the DiceWare method mentioned above, creating passphrases looking like this: zen stunk ashley tipoff sudan gouda

This kind of passphrase is easy to type, easy to remember, yet, hard to crack. For explanatory details, read the DiceWare FAQ: http://world.std.com/%7Ereinhold/dicewarefaq.html

Requirements for Tails

  • Basic:
    • PC with (at least!) 1GB of RAM
    • DVD drive
  • Advanced:
    • USB stick with (at least!) 2GB
    • Ability to boot from USB (depends on motherboard. Any problems, just google motherboard-name boot from USB)
    • External hard drive for encrypted file storage

Note: I have heard about problems booting from Tails USB sticks on Mac laptops. You might need a boot manager like rEFIt. http://refit.sourceforge.net.

First steps

  1. Download the Tails disk image: https://tails.boum.org/download/index.en.html
  2. Burn it to DVD. If you don’t know how to burn a disk image, here’s a how-to for every OS: https://help.ubuntu.com/community/BurningIsoHowto
  3. Boot from DVD

Now you should think about how you want to use Tails. There are two options…

Using Tails as a completely amnesic system

If you never intend to permanently save any files and just want to browse in Tor land, this is the way to go. Out-of-the-box, Tails will not utilize your hard-drives. It completely stays in RAM. Open your amnesia’s Home folder on the Desktop: Anything saved in there will be wiped on shutdown

You can still make changes to Tails, like installing DownThemAll (Firefox-integrated download manager), adding software packages through apt-get, but everything will be lost after shutdown

If you use Tails this way, the big advantage is: No evidence at all. If you’ve decided that even well-encrypted files are too much of a risk for you, this is the way to go. There’s no recoverable evidence of your activities, no clean-up tools needed. You can look at pictures, even download files to your amnesia’s Home folder - they will irrecoverably be gone on shutdown. Using Tails for this kind of surfing is way more fail-safe and easier than cleaning up a Windows machine every day

Using Tails with a persistent volume

If you want to do more with your Tails setup, you will need a USB-stick to put a persistent volume on it. Installing Tails on a USB stick is best done within Tails, read the instructions here: https://tails.boum.org/doc/firststeps/usbinstallation/index.en.html

Being able to boot from USB depends on your PC’s motherboard - most can do it. You might need to change BIOS settings, you will find that information on the web. Now that you have booted from your Tails USB-stick, you can create a persistent volume on its remaining space. Instructions: https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html

Read closely which files or features can be made persistent. Especially the GNOME keyring and the saved APT Packages / APT lists can be very useful. I recommend enabling the Personal data option, which means that you can permanently store files on the encrypted portion of the stick. It will be represented by the folder called Persistent. You might not want to use it for your main storage due to the size of your USB stick - read on how to setup an encrypted external drive.

Encryption of an external drive

I guess many of you use TrueCrypt. You can continue to use TrueCrypt on Tails - but not in the long run. Right now, you’d have to enable TrueCrypt in the boot options: https://tails.boum.org/doc/encryptionandprivacy/truecrypt/index.en.html

In future versions of Tails, TrueCrypt support will be dropped entirely (reasons being: License issues and concerns about TC’s somewhat closed development). Instead, you should use LUKS, the Linux standard for disk encryption. It is easily configured through the GNOME Disk Utility. You’ll find the instructions here.

Make sure you choose a strong passphrase, as described in chapter 2. Note that Disk Utility allows you to change the volume’s passphrase at any time without re-encrypting the whole drive. That’s possible because of the two-layer encryption structure: There’s a master key that encrypts your drive. Your passphrase encrypts the master key. Should you change your passphrase, only the master key will be re-encrypted.

How to mount a LUKS-encrypted volume in Windows

Although it’s a Linux file system, there is a way to access it in Windows. If you ever feel the need to access your drive in a Windows environment, use http://www.freeotfe.org. Not recommended for various security reasons, but possible

Secure deletion of a drive or partition

If you’ve decided to ditch your old Windows environment, it’s important to destroy potential evidence. Don’t keep old drives that you used for downloading, viewing, or storing of anything illegal or incriminating. Overwriting such a drive once is sufficient. Don’t waste your time with 35-pass methods. Read here why.

How to do it in Tails:

  1. Identify the ID of your drive or partition
  2. Open GNOME Disk Utility from the menu bar: Applications > System Tools > Disk Utility
  3. Click on the drive you plan to wipe. It should look like this: click here
  4. You find the ID in the line Device. In the case shown in the screenshot, it would be /dev/sdb/. A drive’s ID always looks like: /dev/sdX/. A partition’s ID always looks like: /dev/sdXY/

Use shred command in Terminal: shred is shipped with Tails, it does not have a GUI (Graphical User Interface). You control it via the command line, which is called Terminal in Tails. In the menu bar, click on the black item representing a command line prompt to launch Terminal. The command: shred -vf -n 1 /dev/sdX/ will overwrite the drive /dev/sdX/ once with random data (n -1), output progress info (-v), and operate as a force-overwrite (-f).The operation will take some hours (500GB took me about 4-5 hours). - BE CAREFUL. Make sure you identified the right drive. Once overwritten, data is lost.

Using the persistent volume

If you’ve installed Tails on a USB stick, going to Applications - Tails - Configure persistent volume will walk you through an installation wizard for the persistent volume. Make sure you choose a strong password - read chapter 2

Despite the Persistence feature, Tails will never work like an installed OS that you are probably used to. It will remain a live OS that can preserve some resources, but for the sake of security and integrity, it can’t be as comfortable as an installed OS. Go to Applications - Tails - Configure persistent volume to take a look at the available options. You can sort the Persistence options into four categories:

  1. Persistent file storage (Personal Data)
  2. Persistent configuration files for some Tails apps (e.g. Pidgin, GNOME Keyring, SSH client)
  3. Persistent software lists and software downloads (APT lists and APT Packages, read chapter 8!)
  4. Persistent directories (for instance, paths to configuration files for additionally installed software - advanced!)

Items will be made persistent after a reboot. Any time you enable a Persistence feature, reboot before using it.

Storing files on the persistent volume

This is the most basic option. It enables a persistent a persistent folder found in /amnesia/Persistent/. Keep in mind, all other directories, for instance the Desktop, are still not persistent. Due to USB sticks’ limited capacities I don’t recommend the Persistent folder as your main storage. It’s as secure as your password is, so you can use it for sensitive files though. I, for one, only keep the following items in the Persistent folder:

  • Backups of password keyrings and other important files
  • Bookmarks
  • Some notes and text files; stuff I want to have with me on the go

That’s just an example; use the folder however you like. Just choose a strong password as described in chapter 2.

Firefox bookmark management

You may have already noticed that a Persistence preset for the Firefox/Iceweasel browser is missing. Main reason being, Tails wants to discourage you from changing anything browser-related, for security reasons. That makes sense, but also means that we have to find sync bookmarks manually.

Theoretically, you could make the bookmarks.html file persistent, in which the browser stores all bookmarks. For technical reasons, this is harder than it looks, because the profile’s directory changes on each launch of Firefox. Unless someone finds a better solution for this, we are left with two options for the bookmarks problem:

  • Use Firefox/Iceweasel’s integrated Import and Backup feature:
    1. create your bookmarks in Firefox/Iceweasel
    2. go to Bookmarks - Show all bookmarks - Import and Backup - Backup
    3. save this backup file in your Persistent folder
    4. via the same menu, import this file the next time you boot Tails
  • Keep the links in a plain text file (.txt), stored in Persistent folder
    1. this might look a bit puritan, but it’s easier to handle.

===The password manager - Passwords and Encryption Keys

The tool is found in System > Preferences > Passwords and Encryption Keys. It allows you to:

  • store passwords or logins in an encrypted keyring
  • create an OpenPGP key for encrypting mails

I want to focus on the first feature. You may be registered on several Tor sites. It’s a hassle to choose passwords that are both easy to remember and secure. That’s why it might be a good idea to use a password manager. Thus you can choose cryptic, ridiculously long logins, but only have to remember the master password of your password manager. First, enable Persistence for the GNOME Keyring. As always, this is done in Applications > Tails > Configure persistent volume. Don’t forget to reboot after making that change. Now, you can create persistent password keyrings.

To create a keyring:

  1. Open the manager from System > Preferences > Passwords and Encryption Keys
  2. Click File > New > Password Keyring, choose a name and password

To add a password to this keyring:

  1. Open the manager from System > Preferences > Passwords and Encryption Keys
  2. Click File > New > Stored password
  3. Select your previously created keyring
  4. For a description, e.g. use the site’s URL or your account’s name
  5. Type or paste the password

To access a password:

  1. Open the manager from System > Preferences > Passwords and Encryption Keys
  2. Right-click on the keyring, Unlock
  3. Double-click the password entry
  4. Expand the password field and click Show Password

Creating a backup of the keyring: In case you lose your USB stick, it might be handy to have a backup of your passwords. Keyrings are small files that you can store on some other encrypted volume (for instance, your encrypted external drive, chapter 5.a). In case you need to recover the backup, just put the files back into their original location.

  1. Open a file browser window. Click Go > Location ...
  2. In the address field, insert: /home/amnesia/.gnome2/keyrings and press Enter
  3. You’ll see your keyring(s) with the file extension .keyring
  4. Copy those files to another (encrypted!) volume

Recovering a keyring backup:

  1. Close the program Passwords and Encryption keys if it’s open
  2. Go to your backup location, copy the .keyring file(s)
  3. In the file browser, click Go - Location ...
  4. In the address field, input: /home/amnesia/.gnome2/keyrings and press Enter
  5. Paste your .keyring files into this folder
  6. Restart Password and Encryption keys
  7. Your keyring are back in place

Pidgin for IM/Chat/IRC

Pidgin is pre-configured for chatting through Tor. Many chat protocols are supported. If you want your account settings to be permanent, enable the Persistence option Pidgin in Applications > Tails > Configure persistent volume and reboot

What’s not safe to do:

  • For anonymous chatting, don’t ever log into any services that could be traced back to you. That includes:
  • services that may have personal information about you (name, address, phone, email, real-life friends, etc)
  • services you previously logged into without Tor (always assume services log IP addresses!)
What’s safe to do:
  • Using any of the supported chat protocols with accounts you created with Tor and without giving personal information. The TorChat plugin:
    • Good news: The developer of TorChat has also created a TorChat Pidgin plugin
    • Bad news: it doesn’t work on Tails. Same problem as with standalone TorChat, read about that issue in chapter 8.d

Installing software: The basics

Keep in mind you should modify Tails only when necessary and to the minimum. The whole point of Tails is to provide a safely configured system. Don’t tamper with it. Read the warnings [[https:/tails.boum.org/doc/first_steps/persistence/warnings/index.en.html here]. Yet, you sometimes need something that’s not included in Tails.

  • Tails is Linux/Debian based. You can install software that’s provided in Debian repositories (or manually download a .deb file)
  • You’ll need admin privileges for any installation. That requires to enable More options when booting, after which you can set an admin password. You don’t need an insanely strong password here, because it’s not for encryption
  • Installation is either done via: Synaptic Package Manager (System > Administration > Synaptic Package Manager), Terminal command: sudo apt-get install, or manually install a downloaded .deb file (Terminal: sudo dpkg -i /path/to/file.deb). The last part is only necessary for applications that are not included in the usual Debian repositories

It is recommended to enable the following Persistence options (Applications > System tools > Configure persistent volume):

  • APT lists
  • APT packages

APT lists are information about software, its versions and their availability. Once you trigger an update of that list via sudo apt-get update, the list will be kept. APT packages are the applications you download via sudo apt-get install or Synaptic Package Manager. Important: ONLY the packages are kept. Not the actual application’s installation or the application’s configuration. This means that you have to install your applications again, on every boot. This might feel cumbersome, but actually it is not.

Save a .txt file with the commands you need to run on every boot and paste them into Terminal. You don’t need to include sudo apt-get update, just append every application you wish to install to sudo apt-get install. It could look like this: sudo apt-get install app1 app2 && sudo dpkg -i “/PATH/app3.deb” && app1. This line would do the following:

  1. install app1
  2. install app2
  3. install app3 from local file
  4. launch/initialize app1

Take a look at the syntax: with &&, you chain different commands, so you can put multiple commands in one line. Obviously, all of the above is meant for advanced computer users. Especially if you try and install a .deb file manually, so-called dependencies will come into play. That means, to install the application, some other packages need to be installed to make it work. This is also the case if you install via apt-get or Synaptic Package Manager, but in those cases, dependencies are handled automatically

Recommended software additions

  1. DownThemAll (via Firefox/Iceweasel)
  2. Gnome-screensaver (via apt-get)

DownThemAll: Tails strongly advises against installing browser plugins. You should run a vanilla Iceweasel for three reasons:

  1. Don’t change the browser’s footprint. You want to look like every other TorBrowser out there
  2. The plugin could contain malicious or buggy code
  3. Don’t risk messing up the browser’s safe setup. You don’t want anything to interfere with TorButton or proxy settings, for instance

On the other hand, without download managers, you’d lose the ability to resume unstable downloads. Adding a download manager is on Tails’ agenda, let’s hope they do it soon. In the meantime, I’ve chosen DownThemAll for the following reasons:

  1. It is Free Open Source software
  2. It completely runs within Iceweasel/Firefox (does not have own proxy/network settings)

How to install DownThemAll

  1. Download the xpi-file from the developer http://www.downthemall.net/main/install-it/downthemall-2-0-13/
  2. Save it in your Persistent folder, so you don’t need to download it for subsequent installations
  3. Drag it onto a running Iceweasel window, which will need to restart

Note: The fact you’re saving a copy of DTA to your disk also means you should manually check for updates once in a while.

How to install gnome-screensaver (via apt-get)

For some reason, Tails does not bring its own screen lock. You should always lock the screen, even if you’re just opening the door or feeding the dog. Primal download and installation of gnome-screensaver:

  1. Open a Terminal
  2. Run: sudo apt-get update && sudo apt-get install gnome-screensaver && gnome-screensaver
  3. To lock the screen, press CTRL+ALT+L or click Lock Screen in the menu bar’s System tab

Subsequent installations of gnome-screensaver:

  1. Save the following command to a .txt file in your Persistent folder, so you can easily paste it into a Terminal window: sudo apt-get install gnome-screensaver && gnome-screensaver
  2. Note the difference to the primal installation: We don’t update the package list again (apt-get update) and also, the package gnome-screensaver will not be downloaded again, if you’ve enabled the Persistence options for APT-Lists and APT-Packages. If you need to chain multiple installations together I wrote a syntax example in chapter 7.1

I2P / iMule (not recommended)

If you don’t know anything about I2P, don’t use it. You are most likely better off with Tor, so just stick with that. iMule is an eMule clone based on the anonymous darknet I2P. Although Tails is focused on Tor, it also ships with an I2P console. The following steps are just an orientation for advanced users only.

  1. You can start I2P from the menu bar: Internet > i2p
  2. You’ll need to enable the SAM bridge for iMule: I2P Console > I2P Services > Clients > SAM application bridge
  3. Restart the console
  4. iMule depends on libcrypto++8 and python / wxgtk, install it
  5. Install iMule (download here and take the i386 squeeze Package)
  6. Bootstrap with a nodes.dat; I took this
  7. You should be up and running, wait for discovery of more clients.
  8. iMule is slow anyway

TorChat (not working)

It’s a pity, but TorChat is not being shipped with Tails (Tails’ developers disagree with TorChat’s implementation). It is not impossible to get TorChat working with Tails. I got as far as:

  • installing TorChat
  • making the hidden service directory persistent

The major problem is the following: TorChat uses its own Tor instance - not the one that’s already running on the system. This conflicts with Tail’s setup. It could be resolved by putting TorChat in client mode, which forces it to use the system’s Tor instance. That requires making changes to Tail’s torrc (Tor config), which I am not able to (safely) do. If somebody finds a safe way, tell us. Remember, you actually don’t want to make persistent changes to Tail’s system, especially the Tor setup.

File and folder handling in Terminal

For the most part, you can stick with the graphical File Browser. Some tasks though require the Terminal, for example joining a split file. Here are some the more basic commands.

  • cd - change directory. A Terminal window always starts at /home/amnesia/. For example, the command cd /home/amnesia/Persistent takes you to your Persistent folder. cd .. takes you one level up in the directory hierarchy - in this case, back to the /amesia/ home folder. You can also type cd and, before pressing Enter, drag a folder from File Browser onto the Terminal window to add its full path! Works with individual files as well.
  • Ls list all files and folders in current directory. ls -a includes hidden files and folders.
  • Cat is a utility to join files. Example: You download a split video, with parts named Video 1.avi.001, Video 1.avi.002, as so on. Steps to join the video:
    1. Put all the parts of your video in one folder
    2. Open a Terminal window and jump to your video folder’s path with: cd /path/to/folder/
    3. Remember, you can drag the folder onto Terminal to add its path
    4. Run cat “Video 1.avi” * > “Video 1.avi” in Terminal

Take a close look at cat’s syntax to understand what it does: cat “Video 1.avi” * > “Video 1.avi” This command means that cat will look at all files that begin with “Video 1.avi” and put them all together in a single file called “Video 1.avi”. The asterisk works as a wildcard, just as in a file search. The quotes are necessary because the Terminal doesn’t like spaces in file names. Before you delete the split parts, make sure that the joined file was created correctly. cat doesn’t give feedback and if a part were missing, it won’t tell you.

That little file-joining operation should just serve as a tiny example of the command line’s capabilities. If you spend some time exploring it and search on the internet for Debian/Linux-related tips, you’ll get good use out of it, for example creating split .rar archives, encoding video clips and much more.

General advice

  • Don’t lose your paranoia (don’t feel totally safe with Tails). Paranoia keeps you thinking and aware
  • Using Tails does not magically make you safe for all eternity
  • Updating Tails whenever a new version comes out is crucial for maintaining a secure state
  • Don’t screw with Tails
  • Don’t make system paths persistent - that will prevent Tails from being properly updated
  • If you can avoid it, don’t install additional software
  • Don’t install browser plugins. At most, DownThemAll
  • Don’t’ try and make Iceweasel/Firefox persistent. The potential ill effects outweigh the discomfort of adding DTA or bookmarks every time
  • Never leave incriminating files unencrypted on any drive. That includes your old Windows system, if you ever downloaded, stored or viewed incriminating files with it
  • So, please erase all drives that could still keep unencrypted incriminating files or traces. Read chapter 6 for a how-to. Better be safe than sorry
  • READ the Tails documentation. Browse in Tails’ [https:/tails.boum.org/forum forum] to see how other people resolve their problems.
  • Unsure about something? Ask questions!

Taken and Wikified from source: http://xzu2i6kiyhysfn4s.onion.market/Tails.html