Tails - The Amnesic Incognito Live System - is a live operating system that "aims at preserving your privacy and anonymity." It is a Debian-based Linux distribution configured with several security measures, including routing all internet traffic through the Tor network.
These are the steps I followed for setting up Tails. Tails provides a utility for setting up persistence, but this utility only works when running a Tails installation created from within Tails using the Tails Installer. After consistently getting an "Operation System Not Found" message on my computer when trying to run the Tails installed by the Tails Installer, some research led me to find out it was possible to set up persistence manually. This turned out to provide greater flexibility, as now I am able to keep my persistent partition on a USB drive and my Tails installation on a disk.
This is a summary of the steps outlined on the download page.
Step 1. Download the ISO image, the signature and the signing key.
Step 2. Import the signing key
$ gpg --keyid-format long --import tails-signing.key
With --keyid-format long, gpg shows the long key ID, which should currently be DBB802B258ACD84F. A 64-bit key ID is only the last 16 hex digits of the key's fingerprint and is not on its own proof of authenticity, so, as the download page points out, double-check the full fingerprint (gpg --fingerprint DBB802B258ACD84F) against the one the Tails project publishes, currently A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F, or against signatures on the key from people you trust.
Step 3. Verify the ISO image
$ gpg --keyid-format long --verify tails-i386-<version>.iso.sig tails-i386-<version>.iso
Step 4. Either burn the ISO image onto a DVD, or write it to a USB stick or SD card. In the latter case run (writing to a block device requires root)
$ sudo dd if=<ISO image> of=<device> bs=16M && sync
The device name can be found with lsblk (df -h only lists mounted filesystems). Use the whole device (e.g. /dev/sdb), not a partition, and double-check the name: dd overwrites the target without asking.
Additionally, if you have already deleted the ISO image file, you can still recover it from the USB stick, DVD, etc. where it is installed (e.g. to verify it again). The copy must stop at the exact end of the image, because whatever bytes follow it on the device would change the hash and break the signature check:
$ sudo dd if=<device> | head -c <size> > tails.iso
The size can be obtained from the Content-Length header when starting a download of the ISO image (e.g. with curl -sI <URL>).
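As an added example (my code, not part of the original page or of the Tails project), the following shell functions perform the recovery just described and then verify the result against a known SHA-256 digest. The point worth seeing in code is that the bytes on the stick beyond the end of the image are whatever was there before, so the copy must be truncated to the ISO's exact size or no hash or signature will ever match. The device path, size and digest are parameters; the demo at the bottom runs on a constructed file of random bytes, not a real Tails image.

```shell
#!/bin/sh
# Added example, not code from the Tails project: recover a dd-written ISO
# from a device by copying exactly SIZE bytes, then check its SHA-256.
set -eu

# Copy exactly $2 bytes from device $1 to file $3. dd with a large block
# size keeps the read fast; head -c does the exact truncation, which is
# what makes the copy byte-identical to the original image.
recover_iso() {
    device=$1; size=$2; out=$3
    dd if="$device" bs=4M 2>/dev/null | head -c "$size" > "$out"
}

# Print "ok" and return 0 when file $1 hashes to the expected SHA-256 $2;
# print "MISMATCH" and return 1 otherwise. This complements the gpg
# signature check rather than replacing it: the digest must itself come
# from a trusted source (for instance the file whose signature verified).
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo ok
    else
        echo MISMATCH
        return 1
    fi
}

# Demo on a constructed image (random bytes), not a real Tails ISO: build
# an "image", write it to a "device" that has extra trailing bytes as a
# USB stick would, then recover and verify both the copy and the raw device.
demo_dir=$(mktemp -d)
head -c 70000 /dev/urandom > "$demo_dir/orig.iso"
cp "$demo_dir/orig.iso" "$demo_dir/device.img"
head -c 5000 /dev/urandom >> "$demo_dir/device.img"
digest=$(sha256sum "$demo_dir/orig.iso" | cut -d' ' -f1)
recover_iso "$demo_dir/device.img" 70000 "$demo_dir/recovered.iso"
verify_sha256 "$demo_dir/recovered.iso" "$digest"          # ok
verify_sha256 "$demo_dir/device.img" "$digest" || true     # MISMATCH: trailing bytes
rm -rf "$demo_dir"
```

On a real stick the call is `recover_iso /dev/sdX "$size" tails.iso` as root, with `$size` taken from the Content-Length header as above, followed by the gpg --verify from Step 3 on the recovered file.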
(Tested on version 3.2)
If Tails is installed on a USB stick or SD card, going to "Applications -> System Tools -> Configure persistent volume" creates a persistent partition alongside Tails. If you run Tails from a DVD and plug in the medium containing that partition, it is likewise recognized at startup, which allows having a persistent partition even when Tails runs from a DVD.
(NOT RECOMMENDED. This may not apply to newer versions)
Boot Tails. If your data will be stored on an internal drive or a VirtualBox virtual drive, select "Yes" in the greeter and set the administration passphrase.
Create an encrypted partition. This can be done with the Disk Utility: Applications -> Accessories -> Disk Utility.
- Open the Disk Utility
- Select the device where the partition will be created. For an internal drive or a VirtualBox virtual drive additional steps are required every time Tails boots (see the first paragraph of the next section).
- If there is no space for creating a partition, or the partitioning scheme is not GUID, format the drive with the scheme set to "GUID Partition Table". This erases all existing data on the drive.
- Create a partition with type "Ext4" and name TailsData, making sure both checkboxes ("Take ownership of filesystem" and "Encrypt underlying device") are checked. You will be prompted for a passphrase; the cryptsetup FAQ has a detailed explanation of how to choose a good one.
- After the partition has been created, select the upper part of the partition marked "Encrypted." Edit the partition, setting its type to "Linux Reserved Partition" and its label to TailsData; the label is what Tails looks for when searching for a persistent volume at boot.
Reboot Tails. If you created the partition inside an internal drive or a VirtualBox virtual drive, you must change the boot parameters by hitting Tab at the Tails boot screen and deleting the phrase live-media=removable. Be aware that this parameter is the safeguard that stops Tails from running from non-removable media, so removing it gives that up for the session. Two "Yes" buttons should appear this time, one for persistence and one for more options. If the first button does not appear then something went wrong with the previous steps. Select both "Yes" buttons, hit "Forward," and set a root passphrase.
Configure ownership and permissions on the partition to match those in the Persistence Documentation. This can be done running the following commands.
$ sudo su
# cd /live/persistence/TailsData_unlocked
# chown root:root .
# chmod 0775 .
# setfacl -m u:tails-persistence-setup:rwx .
# touch persistence.conf
# chown tails-persistence-setup:tails-persistence-setup persistence.conf
# chmod 0600 persistence.conf
Make directories persistent. For now we can go with the most basic setup, i.e. persisting the entire home directory.
# cp -r /etc/skel amnesia
# chown -R amnesia:amnesia amnesia
# echo "/home/amnesia source=amnesia" > persistence.conf
Reboot. After rebooting and enabling persistence in the greeter, your persistent partition should be mounted on your home directory.
$ mount | grep home
/dev/mapper/TailsData_unlocked on /home/amnesia type ext4 (rw,noatime,data=ordered)
The default mount options noatime and data=ordered mean that file access times are not recorded on reads and that only metadata is journaled, with file data forced to disk before the corresponding metadata is committed (see the ext4 docs for details). Both keep the number of writes to the flash drive down, which is what matters for its lifetime and performance.
If the partition is not mounted, then the ownership and permissions might not have been set correctly. The live-persist script checks the permissions on the persistence root directory. The code of the function mountpoint_has_correct_access_rights shows the exact checks. You may need to correct the permissions, remove the live-additional-software.conf.insecure_disabled and persistence.conf.insecure_disabled files, and create a new persistence.conf file (with the correct permissions).
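As an added example (my code, not the live-persist script, whose mountpoint_has_correct_access_rights remains the authority), here is a shell function that checks the persistence root and persistence.conf against exactly the ownership, modes and ACL entry from the commands above, so a volume that live-persist would reject at boot can be found while it is still unlocked. The path is a parameter; stat and getfacl are the GNU coreutils and acl tools available on Tails, and a missing getfacl is reported as a failure rather than silently skipped.

```shell
#!/bin/sh
# Added example, not the live-persist script: check a persistence root
# against the ownership, mode and ACL requirements listed above, so a
# volume that would be rejected at boot is caught while still unlocked.
# Uses GNU stat and getfacl (the acl package), as available on Tails.
set -eu

# Print one line per problem found under the persistence root $1 and
# return 1 if there was any, 0 if everything matched.
check_persistence_root() {
    root=$1
    rc=0
    if [ ! -d "$root" ]; then
        echo "$root: not a directory"
        return 1
    fi
    owner=$(stat -c '%U:%G' "$root")
    mode=$(stat -c '%a' "$root")
    if [ "$owner" != root:root ]; then
        echo "$root: owner is $owner, expected root:root"; rc=1
    fi
    if [ "$mode" != 775 ]; then
        echo "$root: mode is $mode, expected 775"; rc=1
    fi
    # The ACL entry is what lets the unprivileged persistence setup user
    # write persistence.conf; without getfacl it cannot be verified, and an
    # unverified requirement counts as a failure here.
    if command -v getfacl >/dev/null 2>&1; then
        if ! getfacl --omit-header --absolute-names "$root" 2>/dev/null \
                | grep -qx 'user:tails-persistence-setup:rwx'; then
            echo "$root: missing ACL entry user:tails-persistence-setup:rwx"; rc=1
        fi
    else
        echo "$root: getfacl not available, ACL entry not verified"; rc=1
    fi
    conf=$root/persistence.conf
    if [ -f "$conf" ]; then
        cowner=$(stat -c '%U:%G' "$conf")
        cmode=$(stat -c '%a' "$conf")
        if [ "$cowner" != tails-persistence-setup:tails-persistence-setup ]; then
            echo "$conf: owner is $cowner, expected tails-persistence-setup:tails-persistence-setup"; rc=1
        fi
        if [ "$cmode" != 600 ]; then
            echo "$conf: mode is $cmode, expected 600"; rc=1
        fi
    else
        echo "$conf: missing, nothing will be persisted"; rc=1
    fi
    # Files with this suffix are the trace of an earlier rejection; report
    # them but leave removal to the operator.
    for f in "$root/persistence.conf.insecure_disabled" \
             "$root/live-additional-software.conf.insecure_disabled"; do
        if [ -e "$f" ]; then
            echo "note: $f exists, an earlier configuration was rejected"
        fi
    done
    return $rc
}

# Usage: run as root on the unlocked volume before rebooting.
check_persistence_root "${1:-/live/persistence/TailsData_unlocked}" \
    || echo "persistence root is not ready"
```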
When installing additional software packages with sudo apt-get install, package lists and downloaded packages are stored in /var/lib/apt/lists and /var/cache/apt/archives. Making these directories persistent lets packages be reinstalled without downloading them again, and lets the system reinstall and update them automatically. Keep in mind that the persisted cache tells anyone who unlocks the volume which packages you use. To make the directories persistent add these lines to persistence.conf.
/var/cache/apt/archives source=apt/cache
/var/lib/apt/lists source=apt/lists
Now you can make packages be reinstalled automatically at startup by adding their names (separated by newlines) to the file live-additional-software.conf (located inside /live/persistence/TailsData_unlocked/).
Tails's persistence utilities improve upon Debian Live in that they make it easy not to "persist too much." With some additional fine-tuning one can take advantage of this. The persistence.conf generated by the Tails persistence configuration assistant (with all options checked) can serve as a starting point; its entries can be found in lib/Tails/Persistence/Configuration/Presets.pm in the persistence-setup repository.
/home/amnesia/Persistent source=Persistent
/home/amnesia/.gnupg source=gnupg
/home/amnesia/.ssh source=openssh-client
/home/amnesia/.purple source=pidgin
/home/amnesia/.claws-mail source=claws-mail
/home/amnesia/.gnome2/keyrings source=gnome-keyrings
/etc/NetworkManager/system-connections source=nm-system-connections
/home/amnesia/.mozilla/firefox/bookmarks source=bookmarks
/etc/cups source=cups-configuration
/home/amnesia/.electrum source=electrum
/var/cache/apt/archives source=apt/cache
/var/lib/apt/lists source=apt/lists
/home/amnesia source=dotfiles,link
/home/amnesia/.icedove source=icedove
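As an added example (my code, not from Tails or live-boot), here is a validator for persistence.conf that covers both the minimal file above and the fuller preset list. It applies the rules the format follows as used on this page: one absolute destination per line, "#" comments, and a comma-separated option list drawn from source=DIR, link, bind and union (the live-boot option set that Tails inherits); when given the persistence root as a second argument it also requires every source directory to exist. The source check rejects absolute paths and "." or ".." components, which would point outside the volume. The demo file at the bottom is constructed for the example and mixes three entries from this page with two that must be rejected.

```shell
#!/bin/sh
# Added example, not code from Tails or live-boot: validate a
# persistence.conf before rebooting on it. Format as used on this page:
# one "<absolute destination> [option,option,...]" per line, "#" comments,
# options source=DIR, link, bind, union (the live-boot option set that
# Tails inherits). With a second argument, the persistence root, every
# source directory is also required to exist.
set -eu

# Print one line per problem in file $1 and return 1 if any, 0 otherwise.
check_persistence_conf() {
    conf=$1; root=${2:-}
    rc=0; n=0
    while read -r dest opts extra || [ -n "$dest" ]; do
        n=$((n + 1))
        case $dest in ''|'#'*) continue ;; esac    # blank line or comment
        case $dest in
            /*) ;;
            *) echo "line $n: destination must be an absolute path: $dest"; rc=1 ;;
        esac
        if [ -n "$extra" ]; then
            echo "line $n: unexpected text after the options: $extra"; rc=1
        fi
        src=${dest#/}    # without source=, the source is the destination path under the root
        saved_ifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                source=*) src=${opt#source=} ;;
                link|bind|union) ;;
                *) echo "line $n: unknown option: $opt"; rc=1 ;;
            esac
        done
        IFS=$saved_ifs
        # A source must stay inside the volume: relative, non-empty, and
        # without "." or ".." components.
        case "/$src/" in
            //*|*/../*|*/./*)
                echo "line $n: source must be a relative path inside the volume: $src"; rc=1 ;;
        esac
        if [ -n "$root" ] && [ ! -d "$root/$src" ]; then
            echo "line $n: source directory $root/$src does not exist"; rc=1
        fi
    done < "$conf"
    return $rc
}

# Demo on a constructed file, not a real configuration: three entries
# taken from this page and two that must be rejected.
demo=$(mktemp)
cat > "$demo" <<'EOF'
/home/amnesia/Persistent source=Persistent
/var/cache/apt/archives source=apt/cache
/home/amnesia source=dotfiles,link
/etc/cups source=../../etc/cups
home/amnesia/.gnupg source=gnupg,frobnicate
EOF
check_persistence_conf "$demo" || echo "rejected, fix before rebooting"
rm -f "$demo"
```

On the unlocked volume the call is `check_persistence_conf /live/persistence/TailsData_unlocked/persistence.conf /live/persistence/TailsData_unlocked`, run before rebooting so that a typo in a source path is caught here rather than by a silently absent mount after the greeter.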
In the case of dotfiles (the source directory for /home/amnesia) create an empty directory with the default owner (amnesia) and permissions. The other directories should be copied from their current location with cp -rp (or cp -a) so that ownership and permissions are preserved, e.g. cp -rp /home/amnesia/.electrum electrum. This is especially important for gnupg, since we want to keep using the configuration file that Tails ships for security, and GnuPG warns about a home directory with unsafe permissions.
Copy any dotfiles to be persisted into /live/persistence/TailsData_unlocked/dotfiles. To persist my desktop and keepassx configuration I copied the .config/dconf and .config/keepassx directories.
You may also include directories in the persistent drive /live/persistence/TailsData_unlocked/ that are not intended for use in persistence.conf. For example, I created a directory (with amnesia:amnesia as the owner) named Keys in the persistent partition to store keepassx keys, encrypted backups of private keys, and any other secret material that changes infrequently.
You are now ready to start using Tails and letting more people know about it.