Tails above the Rest, Part III

In my first two columns in this series, I gave an overview of Tails, including how to get the distribution securely, and once you have it, how to use some of the basic tools. In this final column, I cover some of the more advanced features of Tails, such as some of its log in options, its suite of encryption tools and the persistent disk.

Superuser and Windows Camouflage

By default, Tails operates with superuser privileges disabled. You don't need superuser privileges to use most of Tails, as those privileges come in handy only if you want to install extra software, modify any local hard drives on the system or do anything else that requires root privileges. Tails disables superuser privileges so an attacker also cannot perform superuser functions that might threaten the security of your system. That said, if you intend on using Tails routinely as your desktop, you may find you want to install extra software on a persistent disk.

To enable the superuser account, at the initial login window, click the Yes button under More options, and then click the Forward button at the bottom of that window. In the new window, enter the administrator password in the Password and Verify Password text boxes, and then click Login. You also may have noticed a check box in this window to enable Windows Camouflage. This option changes the default desktop theme to look like a default Windows XP install. The idea here is that if you are using Tails in a public place (like on an Internet café, library or hotel computer), at a glance, your desktop probably will blend in with the rest.

Encryption Tools

As you might imagine, a security- and anonymity-focused distribution like Tails provides a number of encryption tools. These include more general-purpose tools like GNOME disk manager, which you can use to format new encrypted volumes and the ability to mount encrypted volumes that show up in the Places menu at the top of the desktop. In addition to general-purpose tools, Tails also includes an OpenPGP applet that sits in the notification area (that area of the panel at the top right-hand section of the desktop along with the clock, sound and network applets). The OpenPGP applet has a clipboard icon by default, and you can think of it much like a secured clipboard in the sense that it lets you copy and paste plain text into it and then encrypt or sign it.

The simplest way to encrypt text is via a passphrase, since you don't have to create or import a GPG keypair into your Tails system (made even more difficult if you don't take advantage of a persistent disk). To encrypt with a passphrase, type the text that you want to encrypt into a local text editor (don't type it into a Web browser window as there is a possibility for JavaScript attacks to access what you type). Select the text, then right-click on the clipboard icon and select Copy. Next, click on the clipboard icon and select Encrypt Clipboard with Passphrase. You will be presented with a passphrase dialog box where you can enter the passphrase you want to use, and once the text is encrypted, the clipboard icon will change to display a lock. This means that your desktop clipboard now contains encrypted text, and you can paste it in any other application, like a Web e-mail application, by right-clicking in that input box and selecting Paste.

If you have copied your GPG keys to this Tails session, you also can use the same tool to encrypt text with your keys. Once you copy the text to the applet, just click on the applet and select Sign/Encrypt Clipboard with Public Keys. You then will be prompted to select the keys of any recipients you want to be able to decrypt the message. Once you finish with this wizard, you can paste the encrypted text like with the above passphrase option.

You also can use the same applet to decrypt text that has been encrypted with a passphrase. To do this, select the complete encrypted section, including the -----BEGIN PGP MESSAGE----- at the beginning and the -----END PGP MESSAGE----- at the end. Then, right-click on the OpenPGP applet and select Copy. The icon should change to a lock if the text is encrypted or a red seal if it is only signed. Then, click on the applet and select Decrypt/Verify Clipboard. If the message is encrypted with a passphrase, you should see an Enter passphrase dialog box. Otherwise, if the message used public-key cryptography and you have your keypair on this installation of Tails, you may be prompted for the passphrase to unlock your secret key. If your passphrase or key is able to decrypt the message successfully, you will get a GnuPG results window along with the decrypted text.


Kyle Rankin is Chief Security Officer at Purism, a company focused on computers that respect your privacy, security, and freedom. He is the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu