Tails above the Rest: the Installation

Install Tails to a Disk

I already mentioned the simplest and safest way to install Tails (via someone else's install) at the beginning of this article. Also, these days I'm assuming if you have a DVD burner, you know how to burn a new DVD from an ISO file. The slightly tricky scenario is the case where you need to create a Tails USB disk from the ISO, as that requires a few specific commands. The one caveat to this technique is that you will not be allowed to create a persistent volume on this particular USB Tails install if you use this method. Instead, you will use this process to bootstrap a first Tails USB key and then use that to install Tails to a second USB disk using the official installer built in to the Tails desktop.

The first step is to modify the ISO so that it can function as a bootable USB image. To do this, you need the isohybrid utility, which is part of the syslinux software suite. On a Debian-based system, you can run apt-get install syslinux, and on other distributions, your package will likely also simply be called syslinux.

Once the application is installed, plug in your USB stick and attempt to identify which device it shows up as. It's important you get the device right, as you are going to overwrite the device with a Tails install, and if you pick the wrong device name, you could end up wiping out the wrong drive—possibly including the main OS on your computer! If you already have a partition on the device and your desktop environment automatically mounts USB drives, you can use the df utility in a terminal to confirm the device:

$ df
Filesystem             1K-blocks     Used Available Use% Mounted on
rootfs                 146410652 25812772 120597880  18% /
udev                       10240        0     10240   0% /dev
tmpfs                     398856      728    398128   1% /run
/dev/mapper/sda2_crypt 146410652 25812772 120597880  18% /
tmpfs                       5120        0      5120   0% /run/lock
tmpfs                     797700      120    797580   1% /run/shm
/dev/sda1                 188403    24916    153759  14% /boot
/dev/sdb1                7503668   148036   6974464   3% /media/data

The drive likely will be the last device to show up on the list. In this case, my drive was mounted at /media/data, and the drive's name is /dev/sdb (/dev/sdb1 is the first partition on that drive). Be sure to unmount the device before you proceed. If your desktop environment doesn't automatically mount USB disks or if you have no partition on the drive, you may have to use a tool like dmesg to see the last disk device it mentions:

$ dmesg | grep sd
. . .
[291588.322874] sd 5:0:0:0: Attached scsi generic sg1 type 0
[291589.768931] sd 5:0:0:0: [sdb] 15248832 512-byte logical 
 ↪blocks: (7.80 GB/7.27 GiB)
[291589.769424] sd 5:0:0:0: [sdb] Write Protect is off
[291589.769433] sd 5:0:0:0: [sdb] Mode Sense: 23 00 00 00
[291589.769910] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.769920] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.773642] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.773646] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.791319]  sdb: sdb1
[291589.793656] sd 5:0:0:0: [sdb] No Caching mode page present
[291589.793662] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[291589.793666] sd 5:0:0:0: [sdb] Attached SCSI removable disk
[291590.178671] EXT3-fs (sdb1): using internal journal
[291590.178679] EXT3-fs (sdb1): mounted filesystem with ordered data 

Again, the last disk that is mentioned in the output should correspond with the drive you inserted. In this case, I see the device was assigned sdb, and the kernel detected one partition: sdb1.

Now that I know that the device is /dev/sdb, I can modify the Tails ISO with isohybrid and then use the dd utility to write it to the disk. Instead of modifying the ISO I downloaded and verified, I like to make a copy of it first and then use isohybrid on the copy:

$ cp tails-i386-0.22.iso tails-i386-0.22-isohybrid.iso
$ isohybrid tails-i386-0.22-isohybrid.iso --entry 4 --type 0x1c
$ sudo dd if=tails-i386-0.22-isohybrid.iso of=YOURDEVICE bs=1M

Note that in the dd command, you will need to replace YOURDEVICE with your actual USB disk, such as /dev/sdb. I didn't put an actual device name in there in case someone accidentally copies and pastes the above lines into a terminal and presses Enter without reading the commands carefully. The dd command might take some time to complete, but provided you don't see any error messages, the image should have been copied correctly. Now all you need to do is reboot into Tails, and if you do want to take advantage of a persistent disk (which I will cover in a future column), you will want to use the Tails installer from within Tails to clone and install to a second USB disk.

How to use Tails and all of the software it includes is a big enough topic that I will cover it in my next column. If you can't wait until next month and do boot in to the environment, just click Login. Tails should connect to your network automatically, and once the Tor network is set up, it will launch a safe Web browser for you to use. I'll talk more about how best to use Tails next time.


Kyle Rankin is Chief Security Officer at Purism, a company focused on computers that respect your privacy, security, and freedom. He is the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu