@mc2pw
Last active February 26, 2023 23:57

Setting up Tails with Persistence

Tails - The Amnesic Incognito Live System - is a live operating system that "aims at preserving your privacy and anonymity." It is a Debian-based Linux distribution configured with a number of security measures, including routing all internet traffic through the Tor network.

These are the steps I followed for setting up Tails. Tails provides a utility for setting up persistence, but it only works on a Tails installation created from within Tails with the Tails Installer. After consistently getting an "Operating System Not Found" message on my computer when trying to boot the Tails installed by the Tails Installer, some research led me to find out that persistence can also be set up manually. This turned out to provide greater flexibility: I can now keep my persistent partition on a USB drive and my Tails installation on a disc.

Setting up Tails - Download, Verify and Install

This is a summary of the steps outlined in the download page.

Step 1. Download the ISO image, the signature and the signing key.

Step 2. Import the signing key

$ gpg --keyid-format long --import tails-signing.key

The long key ID of the signing key should currently be DBB802B258ACD84F (a key ID is the last 16 hex digits of the full fingerprint, which gpg prints after the import; it is not the fingerprint itself). As the download page points out, a matching key ID is not proof of authenticity on its own: compare the full fingerprint against an independent source (the Tails website over HTTPS, a key you already trust, or someone who has verified it) before relying on the key.

Step 3. Verify the ISO image

gpg --keyid-format long --verify tails-i386-<version>.iso.sig tails-i386-<version>.iso

gpg must report "Good signature" and the key ID it prints must be the one you imported and checked above. A "BAD signature", or a good signature from any other key, means the image must not be used. gpg will also warn that the key is not certified with a trusted signature; that is expected unless you have signed the key yourself, and it is exactly why the fingerprint check in the previous step matters.

Step 4. Either burn the ISO image to a DVD, or write it to a USB stick or SD card. In the latter case run

dd if=<ISO image> of=<device> bs=16M && sync

The device is the whole drive (e.g. /dev/sdb), not a partition on it (e.g. /dev/sdb1). lsblk lists every block device attached to the system, whereas df -h only shows filesystems that are currently mounted. Double-check the device name before running dd: it overwrites the target without asking.

If you have already deleted the ISO image file, you can still recover it from the USB stick, DVD, etc. it was written to (e.g. in order to verify it again).

dd if=<device> | head -c <size> > tails.iso

The size is the exact byte count of the ISO. It can be read from the Content-Length header when starting a download of the image. The exact size matters: the signature covers only the ISO bytes, and the device contains additional bytes past the end of the image, so reading too much or too little yields a file that will not verify.
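The following script is an added example and is not code from the original gist or from the Tails project. It ties steps 2 to 4 together: it verifies the detached signature against the key ID quoted above (taken from the text as an assumed value; cross-check it against the download page), writes the ISO with the dd command from step 4, then reads exactly the ISO's byte count back from the device and compares hashes, so a truncated or corrupted write is caught. The script name and argument order are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original gist or the Tails project.
# Usage (as root, after importing tails-signing.key):
#   sh tails-write.sh tails-i386-<version>.iso tails-i386-<version>.iso.sig /dev/sdX
# EXPECTED_KEYID is the long key ID quoted in the text; it is an assumption
# to be cross-checked against the Tails download page, not ground truth.
set -eu

EXPECTED_KEYID="DBB802B258ACD84F"

# gpg's machine-readable status output emits "VALIDSIG <40-hex fingerprint> ..."
# only for a good signature. Anchoring on the key ID (the fingerprint's last 16
# hex digits) rejects a "Good signature" made by some other key in the keyring.
verify_iso_signature() {
  iso="$1"; sig="$2"
  gpg --keyid-format long --status-fd 1 --verify "$sig" "$iso" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-F]*${EXPECTED_KEYID} "
}

# Return 0 if the first <size of iso> bytes of dev hash the same as the ISO.
# Reading only that many bytes matters: the device is larger than the image,
# and the trailing bytes are not covered by the signature.
written_image_matches() {
  iso="$1"; dev="$2"
  size=$(wc -c < "$iso" | tr -d ' ')
  expected=$(sha256sum < "$iso" | cut -d' ' -f1)
  actual=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# The write command from step 4 of the text.
write_image() {
  iso="$1"; dev="$2"
  dd if="$iso" of="$dev" bs=16M
  sync
}

main() {
  iso="$1"; sig="$2"; dev="$3"
  verify_iso_signature "$iso" "$sig" || { echo "signature check failed, not writing" >&2; exit 1; }
  write_image "$iso" "$dev"
  written_image_matches "$iso" "$dev" || { echo "device contents differ from ISO" >&2; exit 1; }
  echo "verified and written to $dev"
}

# Only act when all three arguments are given, so the functions can be sourced.
if [ $# -eq 3 ]; then main "$@"; fi
```

written_image_matches does what the dd | head -c recovery above does, without writing a second copy of the ISO: it hashes the first <size> bytes of the device and compares with the hash of the file that was verified. The signature check is deliberately done before dd runs, so an unverified image is never written to a device.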

Persistence

(Tested on version 3.2)

If Tails is installed on a USB drive or SD card, going to "Applications -> System Tools -> Configure persistent volume" allows creating a persistent partition alongside Tails. If you run Tails from a DVD and plug in the medium containing that partition, the partition is likewise recognized at startup. This allows having a persistent partition even when Tails runs from a DVD.

Manual Persistence

(NOT RECOMMENDED. This may not apply to newer versions)

Create the Partition

Boot Tails. If your data will be stored on an internal drive or a VirtualBox virtual drive, select "Yes" in the greeter and set the administration passphrase.

Create an encrypted partition. This can be done with the Disk Utility: Applications -> Accessories -> Disk Utility.

  1. Open the Disk Utility
  2. Select the device where the partition will be created. For an internal drive or a VirtualBox virtual drive additional steps are required every time Tails boots (see the first paragraph of the next section).
  3. If there is no space for creating a partition or the partitioning scheme is not GUID, format the drive with the scheme set to "GUID Partition Table". This destroys all data on the drive.
  4. Create a partition with the type set to "Ext4" and the name set to TailsData, making sure both checkboxes ("Take ownership of filesystem" and "Encrypt underlying device") are checked. You will be prompted for a passphrase. The cryptsetup FAQ has a detailed explanation of how to choose a good passphrase.
  5. After the partition has been created, select the upper part of the partition marked "Encrypted." Edit the partition, setting the type to "Linux Reserved Partition" and the partition label to TailsData.

Configure Ownership and Permissions

Reboot Tails. If you created the partition on an internal drive or a VirtualBox virtual drive, you must change the boot parameters by hitting Tab at the Tails boot screen and deleting the phrase live-media=removable. Two "Yes" buttons should appear this time, one for persistence and one for more options. If the first button does not appear, something went wrong in the previous steps. Select both "Yes" buttons, hit "Forward," and set a root passphrase.

Configure ownership and permissions on the partition to match those in the Persistence Documentation. This can be done running the following commands.

$ sudo su
# cd /live/persistence/TailsData_unlocked
# chown root:root .
# chmod 0775 .
# setfacl -m u:tails-persistence-setup:rwx .
# touch persistence.conf
# chown tails-persistence-setup:tails-persistence-setup persistence.conf
# chmod 0600 persistence.conf

Make directories persistent. For now we can go with the most basic setup, i.e. persisting the entire home directory.

# cp -r /etc/skel amnesia
# chown -R amnesia:amnesia amnesia
# echo "/home/amnesia source=amnesia" > persistence.conf

Verify Everything is in Order

Reboot. After rebooting and enabling persistence in the greeter, your persistent partition should be mounted on your home directory.

$ mount | grep home
/dev/mapper/TailsData_unlocked on /home/amnesia type ext4 (rw,noatime,data=ordered)

The default mount options noatime and data=ordered mean that file access times are not updated (saving a write on every read) and that ext4 journals only metadata, writing file data to disk before the corresponding metadata is committed (see the ext4 documentation for details). These settings keep the extra writes on a flash drive to a minimum.

If the partition is not mounted, the ownership and permissions were probably not set correctly. The live-persist script checks the permissions on the persistence root directory; the function mountpoint_has_correct_access_rights in its source shows the exact checks. The files live-additional-software.conf.insecure_disabled and persistence.conf.insecure_disabled are what live-persist leaves behind when it refuses the volume. To recover, correct the permissions, remove those .insecure_disabled files, and create a new persistence.conf with the correct ownership and permissions.
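The script below is an added example, not part of the original gist and not the live-persist code it refers to. It applies the ownership and permission rules listed in "Configure Ownership and Permissions" and then audits them the way the text says live-persist does: owner and mode of the persistence root, owner and mode of persistence.conf, and leftover .insecure_disabled files. The expected values (root:root and 0775 for the directory, tails-persistence-setup and 0600 for persistence.conf) are the ones quoted above; the script name, the argument handling and the audit's error messages are my own, and the owner arguments to the audit function are parameters only so it can be exercised as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original gist or from live-persist.
# Run as root on a booted Tails with the volume unlocked:
#   sh persist-setup.sh /live/persistence/TailsData_unlocked
set -eu

SETUP_USER="tails-persistence-setup"   # must get rwx on the root via an ACL

# Apply the rules from the text to a freshly created persistent volume and
# install the most basic configuration (persist the whole home directory).
setup_persistence_root() {
  dir="$1"
  (
    cd "$dir"
    chown root:root .
    chmod 0775 .
    setfacl -m "u:${SETUP_USER}:rwx" .
    touch persistence.conf
    chown "${SETUP_USER}:${SETUP_USER}" persistence.conf
    chmod 0600 persistence.conf
    [ -d amnesia ] || cp -r /etc/skel amnesia
    chown -R amnesia:amnesia amnesia
    echo "/home/amnesia source=amnesia" > persistence.conf
  )
}

# Audit a persistence root. want_owner / want_conf_owner are "user:group"
# strings. Prints each failure and returns 1 if any check failed, so the
# caller sees the same kind of refusal live-persist would produce.
audit_persistence_root() {
  dir="$1"; want_owner="$2"; want_conf_owner="$3"
  rc=0
  owner=$(stat -c '%U:%G' "$dir")
  mode=$(stat -c '%a' "$dir")
  [ "$owner" = "$want_owner" ] || { echo "root dir owner is $owner, want $want_owner"; rc=1; }
  [ "$mode" = "775" ] || { echo "root dir mode is $mode, want 775"; rc=1; }
  if [ -f "$dir/persistence.conf" ]; then
    cowner=$(stat -c '%U:%G' "$dir/persistence.conf")
    cmode=$(stat -c '%a' "$dir/persistence.conf")
    [ "$cowner" = "$want_conf_owner" ] || { echo "persistence.conf owner is $cowner, want $want_conf_owner"; rc=1; }
    [ "$cmode" = "600" ] || { echo "persistence.conf mode is $cmode, want 600"; rc=1; }
  else
    echo "persistence.conf missing"; rc=1
  fi
  # A leftover *.insecure_disabled file means the volume was already refused
  # once; the text says to remove these after fixing the permissions.
  for f in "$dir"/*.insecure_disabled; do
    [ -e "$f" ] && { echo "stale $f present"; rc=1; }
  done
  return $rc
}

if [ $# -eq 1 ]; then
  setup_persistence_root "$1"
  audit_persistence_root "$1" "root:root" "${SETUP_USER}:${SETUP_USER}"
fi
```

The audit does not inspect the ACL; on Tails, getfacl -p /live/persistence/TailsData_unlocked should list user:tails-persistence-setup:rwx, and that entry is as much a part of the rules as the mode bits.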

Additional Software Packages

When installing additional software packages with sudo apt-get install, the package lists and caches are updated in /var/lib/apt/lists and /var/cache/apt/archives. These directories must be made persistent so that packages can be reinstalled without being downloaded again, and so that the system can reinstall and update them automatically. To make the directories persistent, add these lines to persistence.conf.

/var/cache/apt/archives source=apt/cache
/var/lib/apt/lists      source=apt/lists

Now you can make packages be reinstalled automatically at startup by adding their names (separated by newlines) to the file live-additional-software.conf (located inside /live/persistence/TailsData_unlocked/).

Finetuning Persistence

Tails's persistence utilities improve on Debian Live's in that they let you avoid "persisting too much." With some additional fine-tuning one can take advantage of this. The persistence.conf file generated by the Tails persistence configuration assistant with all options enabled can serve as a starting point; its entries are defined in lib/Tails/Persistence/Configuration/Presets.pm in the persistence-setup repository.

/home/amnesia/Persistent                             source=Persistent
/home/amnesia/.gnupg                                 source=gnupg
/home/amnesia/.ssh                                   source=openssh-client
/home/amnesia/.purple                                source=pidgin
/home/amnesia/.claws-mail                            source=claws-mail
/home/amnesia/.gnome2/keyrings                       source=gnome-keyrings
/etc/NetworkManager/system-connections               source=nm-system-connections
/home/amnesia/.mozilla/firefox/bookmarks             source=bookmarks
/etc/cups                                            source=cups-configuration
/home/amnesia/.electrum                              source=electrum
/var/cache/apt/archives                              source=apt/cache
/var/lib/apt/lists                                   source=apt/lists
/home/amnesia                                        source=dotfiles,link
/home/amnesia/.icedove                               source=icedove

In the case of dotfiles (the source directory for /home/amnesia, which uses the link option) create an empty directory with the default owner (amnesia) and permissions. The other source directories should be copied from their current location with the -p option so that ownership and permissions are preserved (e.g. cp -rp /home/amnesia/.electrum electrum). This is especially important for gnupg: gpg refuses or warns about a ~/.gnupg that other users can read, and copying with -p also keeps the configuration file Tails provides for security.

Copy any dotfiles to be persisted into /live/persistence/TailsData_unlocked/dotfiles. To persist my desktop and keepassx configuration I copied the .config/dconf and .config/keepassx directories.

You may also include directories in the persistent drive /live/persistence/TailsData_unlocked/ that are not intended for use in persistence.conf. For example, I created a directory (with amnesia:amnesia as the owner) named Keys in the persistent partition to store keepassx keys, encrypted backups of private keys, and any other secret material that changes infrequently.
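As an added example (not code from the gist or from Tails), here is a small parser for the persistence.conf format used throughout this section, entries of the form "<destination> source=<directory>[,<option>...]", together with a seeding step that follows the rules in the paragraph above: an entry with the link option gets an empty directory owned by amnesia, and every other entry gets a cp -rp copy of the live directory so ownership and modes survive. The script name, the "-" placeholder for "no options", and the argument handling are my own choices.

```shell
#!/bin/sh
# Added example, not from the original gist or from Tails.
# Run as root on Tails once persistence.conf has been written:
#   sh seed-persistence.sh /live/persistence/TailsData_unlocked
set -eu

# Print one line "dest src options" per entry of a persistence.conf, with "-"
# when an entry has no options. Comments and blank lines are skipped and a
# line whose second field is not "source=..." is reported and ignored.
parse_persistence_conf() {
  conf="$1"
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | while read -r dest spec; do
    case "$spec" in
      source=*) ;;
      *) echo "bad entry for $dest: $spec" >&2; continue ;;
    esac
    spec=${spec#source=}
    src=${spec%%,*}          # everything before the first comma
    opts="-"
    [ "$src" != "$spec" ] && opts=${spec#*,}   # everything after it
    printf '%s %s %s\n' "$dest" "$src" "$opts"
  done
}

# Create the source directory for one entry under the persistence root,
# following the text: "link" entries (the dotfiles directory) start empty and
# owned by amnesia; other entries are copied with -p from the live system.
seed_source() {
  root="$1"; dest="$2"; src="$3"; opts="$4"
  target="$root/$src"
  [ -e "$target" ] && { echo "skip $target (exists)"; return 0; }
  mkdir -p "$(dirname "$target")"
  case ",$opts," in
    *,link,*)
      mkdir "$target"
      chown amnesia:amnesia "$target" ;;
    *)
      if [ -d "$dest" ]; then
        cp -rp "$dest" "$target"
      else
        mkdir "$target"
        chown amnesia:amnesia "$target"
      fi ;;
  esac
  echo "seeded $target for $dest"
}

main() {
  root="$1"
  parse_persistence_conf "$root/persistence.conf" | while read -r dest src opts; do
    seed_source "$root" "$dest" "$src" "$opts"
  done
}

if [ $# -eq 1 ]; then main "$1"; fi
```

Running this before the first reboot with the new persistence.conf avoids the situation where a destination such as /home/amnesia/.gnupg is bind-mounted over an empty, root-owned source directory and the application then cannot write to it.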

You are now ready to start using Tails and letting more people know about it.

@the-shell-bee

After I download the Tails OS disc image I couldn't install it in VMware; it is showing a corrupted disk image. I tried downloading it several times and it shows the same corrupted disk image.


ghost commented Feb 26, 2023

@mc2pw
This helped me understand persistence.conf better for configuring persistence on Tails and live systems 👍
The thing I'm needing help with is setting up the Dino XMPP client in a way that does not persist certain folders (/avatars and /files) but everything else in the Dino folder.

I followed this guide originally: Dino Tails Guide

but it's not enough because I would like to not persist those two folders for privacy reasons. (Gajim is easy to do this with because files and avatars are stored in .cache)

I tried this with no luck:

find /home/amnesia/.local/share/dino -mindepth 1 -maxdepth 1 -not \( -name avatars -o -name files \) -printf '%p source=dino/%P\n' | sudo tee -a /live/persistence/TailsData_unlocked/persistence.conf >/dev/null

Should I use the link command?
