Tails above the Rest: the Installation

A few columns ago, I started a series aimed at helping everyone improve their privacy and security on the Internet. The first column in this series was an updated version of a Tor column I wrote a few years ago. While the new column talked about how to get up and running with Tor using the Tor Browser Bundle, in my original Tor column, I talked about how to browse even more anonymously by using a Knoppix live CD and live-installing Tor on top of it. That way, when you were done with your session, you simply could reboot and remove the Knoppix disc, and the host computer would be back to normal with no trace of your steps. Although the Tor Browser Bundle is incredibly useful, it doesn't cover the case where you would like to use Tor on a computer you don't own, much less using Tor without leaving a trace.

These days, there is a much better option than a Knoppix live CD—a live DVD/USB distribution called Tails, which does so much more than provide a live CD with Tor installed. Think of it like a live DVD version of the Tor Browser Bundle, only for the entire OS. With Tails, you boot in to a live environment either from a DVD or USB stick that is set with incredibly secure defaults. Tails takes great lengths to provide you with a secure, anonymous environment. Among other things, Tor automatically launches and connects once you start the desktop, and all communications are routed over it. By default, nothing you do in your desktop session persists—everything is not only erased when you reboot, Tails actually goes further and attempts to scrub the contents of RAM before it does reboot. Tails includes a Web browser configured much like in the Tor Browser Bundle with a number of privacy-enhancing plugins and settings already in place. Beyond that, it includes a password manager (Keepassx), GPG encryption software, an e-mail program (Claws), LUKS disk encryption software, secure chat via Pidgin with the OTR (Off the Record) plugin already installed, and it even includes an on-screen keyboard you can use to type in passwords if you are concerned a keylogger might be installed on your host machine.

In the next few columns, I'm going to discuss how to get and validate the Tails distribution and install it. I will follow up with what Tails can and can't do to protect your privacy, and how to use Tails in a way that minimizes your risk. Then I will finish with some more advanced features of Tails, including the use of a persistent volume (with this feature, depending on your needs, you could conceivably use Tails as your main Linux distribution).

Get Tails

If there is someone you trust who already has Tails, installation is easy. Either have them make a copy of their DVD, or in the case of a USB install, have them boot a computer into Tails, insert your USB disk, and then click Applications→Tails→Tails Installer. Finally, click Clone & Install in the GUI window that appears, and Tails will wipe out any data on your USB disk and clone itself there.

If you don't already know someone with Tails, installing Tails is a little bit more involved than with a normal live DVD. This is because if you truly want to use Tails for its intended purpose—security and anonymity—you will want to perform a few additional steps to confirm that the version of Tails you downloaded hasn't been tampered with.

If you have read my column about the Tor Browser Bundle, these steps will seem familiar. In addition to downloading the ISO image, instead of downloading an md5sum to validate it, you also will download a cryptographic signature. Then you will use that signature to validate that ISO image is the legitimate unmodified version. Finally, if you burn to a DVD, you will follow the same procedure you would use for any other DVD image, or if you want to install to a USB disk, there are a couple extra steps. I'll go over all of this below.

First, let's get Tails. The official Tails site is at https://tails.boum.org. (It's HTTPS, so be sure to check whether you get a certificate warning.) From the main page, you should see an image you can click to take you to the download page for the latest version of Tails (at the time of this writing, the latest version is 0.22). At the download page, you should see two main options: either download the ISO image and the corresponding signature as separate downloads, or use the torrent download, which will pull both files down together. The ISO is almost 1GB, so depending on your Internet connection, it may take some time. Once you have both the .iso file and the corresponding .sig signature file, you are ready to move on to validating the image.

Validate the ISO Image

Normally when you download an ISO or other large file, there is a .md5 checksum file that corresponds to it. The purpose of the .md5 file is just to validate that the large ISO file wasn't corrupted during the download and that the file that is on your desktop matched the file on the server. In the case of security software like Tails, unfortunately that kind of verification isn't enough. In particular, if attackers were able to position themselves between you and the Tails server (a Man in the Middle or MITM attack), the attackers potentially could send you a modified version of the Tails ISO that contained a backdoor. If they could do that, they also could send you a matching .md5 checksum file that matches their ISO.

To counter this threat, instead of a .md5 checksum, Tails has you download a cryptographic signature file created by the private key of the Tails maintainer. Much like cryptographic checksums on your distribution's packages, this signature file could be created only by a person with access to a specific GPG private key. In a MITM attack scenario, if attackers try to send you a modified version of the ISO, they would not be able to send you a modified version of the .sig signature file that would match without themselves having access to the official private key.

Validate the Signature with sha256sum

Since Tails users need to care a bit more about security than the average user, you will need to go through the extra step of validating this signature. Depending on how paranoid you are, there are a few ways you can go about this. The simplest way is to attempt to download the signature file from multiple computers that are in different locations (and even in different countries if you can swing that; see my "Raspberry Strudel: My Raspberry Pi in Austria" article in the February 2013 issue about one method of colocating a Raspberry Pi in another country). Then, confirm that all of the checksums match. The idea here is that even if someone were able to perform a MITM attack or otherwise compromise your home computer or home Internet connection, it would be much more difficult also to compromise the connection at a public computer at a library, all the computers your friends use and the computer you have at work. With this in mind, simply download as many different copies of the signature file from as many different locations you can, and then use a tool like sha256sum (like md5sum, just using a different algorithm) to compare the checksum of all the files to make sure they are all the same:


$ sha256sum tails-i386-0.22.iso.sig 
4578929f419d7f4bc99b99ec17a6c0ff3936c5bb02938d3940bac2b93580383b  
 ↪tails-i386-0.22.iso.sig

In fact, if you are downloading the same version of Tails as I'm mentioning in this article, you even could use the signature published here as an extra point to compare against.

Note: if you are truly paranoid, you also can use GPG to validate further that this signature was created with the actual Tails signing key by taking advantage of the fact that the Tails maintainer has gotten the signing key signed by a number of Debian maintainers. This process is a little more involved, but if you want to go that route, it is well-documented at https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html#index3h1.

Validate the ISO with GPG

Once you have validated the signature, you can use it to validate the ISO. First, you need to download the public part of the signing key that was used for this signature from https://tails.boum.org/tails-signing.key. Once you have that signing key, import it into your GPG keyring:


$ cat tails-signing.key | gpg --keyid-format long --import
gpg: key 1202821CBE2CD9C1: public key "Tails developers 
 ↪(signing key) <tails@boum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

With the signing key imported, you now can verify the ISO image with GPG:


$ gpg --keyid-format long --verify tails-i386-0.22.iso.sig 
 ↪tails-i386-0.22.iso

If you have added the signing key to your keyring, you will get a reply like:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"
gpg:                 aka "T(A)ILS developers (signing key) 
     ↪<amnesia@boum.org>"
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 
 ↪1202 821C BE2C D9C1

Otherwise, you will more likely see the following output:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"
gpg:                 aka "T(A)ILS developers (signing key) 
     ↪<amnesia@boum.org>"
gpg: WARNING: This key is not certified with a trusted 
               ↪signature!
gpg:          There is no indication that the signature 
               ↪belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 
 ↪1202 821C BE2C D9C1

Either output means the signature matched, and you have the legitimate ISO. The warning in the second reply simply means you haven't personally signed the Tails signing key with your own key, so it's not part of your web of trust.

The following reply is one to look out for. If you see this, it means the ISO was not correct and either downloaded incorrectly or was tampered with and can't be trusted:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: BAD signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"
Install Tails to a Disk

I already mentioned the simplest and safest way to install Tails (via someone else's install) at the beginning of this article. Also, these days I'm assuming if you have a DVD burner, you know how to burn a new DVD from an ISO file. The slightly tricky scenario is the case where you need to create a Tails USB disk from the ISO, as that requires a few specific commands. The one caveat to this technique is that you will not be allowed to create a persistent volume on this particular USB Tails install if you use this method. Instead, you will use this process to bootstrap a first Tails USB key and then use that to install Tails to a second USB disk using the official installer built in to the Tails desktop.

The first step is to modify the ISO so that it can function as a bootable USB image. To do this, you need the isohybrid utility, which is part of the syslinux software suite. On a Debian-based system, you can run apt-get install syslinux, and on other distributions, your package will likely also simply be called syslinux.

Once the application is installed, plug in your USB stick and attempt to identify which device it shows up as. It's important you get the device right, as you are going to overwrite the device with a Tails install, and if you pick the wrong device name, you could end up wiping out the wrong drive—possibly including the main OS on your computer! If you already have a partition on the device and your desktop environment automatically mounts USB drives, you can use the df utility in a terminal to confirm the device:


$ df
Filesystem             1K-blocks     Used Available Use% Mounted on
rootfs                 146410652 25812772 120597880  18% /
udev                       10240        0     10240   0% /dev
tmpfs                     398856      728    398128   1% /run
/dev/mapper/sda2_crypt 146410652 25812772 120597880  18% /
tmpfs                       5120        0      5120   0% /run/lock
tmpfs                     797700      120    797580   1% /run/shm
/dev/sda1                 188403    24916    153759  14% /boot
/dev/sdb1                7503668   148036   6974464   3% /media/data

The drive likely will be the last device to show up on the list. In this case, my drive was mounted at /media/data, and the drive's name is /dev/sdb (/dev/sdb1 is the first partition on that drive). Be sure to unmount the device before you proceed. If your desktop environment doesn't automatically mount USB disks or if you have no partition on the drive, you may have to use a tool like dmesg to see the last disk device it mentions:


$ dmesg | grep sd
. . .
[291588.322874] sd 5:0:0:0: Attached scsi generic sg1 type 0
[291589.768931] sd 5:0:0:0: [sdb] 15248832 512-byte logical 
 ↪blocks: (7.80 GB/7.27 GiB)
[291589.769424] sd 5:0:0:0: [sdb] Write Protect is off
[291589.769433] sd 5:0:0:0: [sdb] Mode Sense: 23 00 00 00
[291589.769910] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.769920] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.773642] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.773646] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.791319]  sdb: sdb1
[291589.793656] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.793662] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.793666] sd 5:0:0:0: [sdb] Attached SCSI removable disk
[291590.178671] EXT3-fs (sdb1): using internal journal
[291590.178679] EXT3-fs (sdb1): mounted filesystem with ordered data 
 ↪mode

Again, the last disk that is mentioned in the output should correspond with the drive you inserted. In this case, I see the device was assigned sdb, and the kernel detected one partition: sdb1.

Now that I know that the device is /dev/sdb, I can modify the Tails ISO with isohybrid and then use the dd utility to write it to the disk. Instead of modifying the ISO I downloaded and verified, I like to make a copy of it first and then use isohybrid on the copy:


$ cp tails-i386-0.22.iso tails-i386-0.22-isohybrid.iso
$ isohybrid tails-i386-0.22-isohybrid.iso --entry 4 --type 0x1c
$ sudo dd if=tails-i386-0.22-isohybrid.iso of=YOURDEVICE bs=1M

Note that in the dd command, you will need to replace YOURDEVICE with your actual USB disk, such as /dev/sdb. I didn't put an actual device name in there in case someone accidentally copies and pastes the above lines into a terminal and presses Enter without reading the commands carefully. The dd command might take some time to complete, but provided you don't see any error messages, the image should have been copied correctly. Now all you need to do is reboot into Tails, and if you do want to take advantage of a persistent disk (which I will cover in a future column), you will want to use the Tails installer from within Tails to clone and install to a second USB disk.

How to use Tails and all of the software it includes is a big enough topic that I will cover it in my next column. If you can't wait until next month and do boot in to the environment, just click Login. Tails should connect to your network automatically, and once the Tor network is set up, it will launch a safe Web browser for you to use. I'll talk more about how best to use Tails next time.

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.

Load Disqus comments