Tails above the Rest, Part III

In my first two columns in this series, I gave an overview of Tails, including how to get the distribution securely, and once you have it, how to use some of the basic tools. In this final column, I cover some of the more advanced features of Tails, such as some of its log in options, its suite of encryption tools and the persistent disk.

Superuser and Windows Camouflage

By default, Tails operates with superuser privileges disabled. You don't need superuser privileges to use most of Tails, as those privileges come in handy only if you want to install extra software, modify any local hard drives on the system or do anything else that requires root privileges. Tails disables superuser privileges so an attacker also cannot perform superuser functions that might threaten the security of your system. That said, if you intend on using Tails routinely as your desktop, you may find you want to install extra software on a persistent disk.

To enable the superuser account, at the initial login window, click the Yes button under More options, and then click the Forward button at the bottom of that window. In the new window, enter the administrator password in the Password and Verify Password text boxes, and then click Login. You also may have noticed a check box in this window to enable Windows Camouflage. This option changes the default desktop theme to look like a default Windows XP install. The idea here is that if you are using Tails in a public place (like on an Internet café, library or hotel computer), at a glance, your desktop probably will blend in with the rest.

Encryption Tools

As you might imagine, a security- and anonymity-focused distribution like Tails provides a number of encryption tools. These include more general-purpose tools like GNOME disk manager, which you can use to format new encrypted volumes and the ability to mount encrypted volumes that show up in the Places menu at the top of the desktop. In addition to general-purpose tools, Tails also includes an OpenPGP applet that sits in the notification area (that area of the panel at the top right-hand section of the desktop along with the clock, sound and network applets). The OpenPGP applet has a clipboard icon by default, and you can think of it much like a secured clipboard in the sense that it lets you copy and paste plain text into it and then encrypt or sign it.

The simplest way to encrypt text is via a passphrase, since you don't have to create or import a GPG keypair into your Tails system (made even more difficult if you don't take advantage of a persistent disk). To encrypt with a passphrase, type the text that you want to encrypt into a local text editor (don't type it into a Web browser window as there is a possibility for JavaScript attacks to access what you type). Select the text, then right-click on the clipboard icon and select Copy. Next, click on the clipboard icon and select Encrypt Clipboard with Passphrase. You will be presented with a passphrase dialog box where you can enter the passphrase you want to use, and once the text is encrypted, the clipboard icon will change to display a lock. This means that your desktop clipboard now contains encrypted text, and you can paste it in any other application, like a Web e-mail application, by right-clicking in that input box and selecting Paste.

If you have copied your GPG keys to this Tails session, you also can use the same tool to encrypt text with your keys. Once you copy the text to the applet, just click on the applet and select Sign/Encrypt Clipboard with Public Keys. You then will be prompted to select the keys of any recipients you want to be able to decrypt the message. Once you finish with this wizard, you can paste the encrypted text like with the above passphrase option.

You also can use the same applet to decrypt text that has been encrypted with a passphrase. To do this, select the complete encrypted section, including the -----BEGIN PGP MESSAGE----- at the beginning and the -----END PGP MESSAGE----- at the end. Then, right-click on the OpenPGP applet and select Copy. The icon should change to a lock if the text is encrypted or a red seal if it is only signed. Then, click on the applet and select Decrypt/Verify Clipboard. If the message is encrypted with a passphrase, you should see an Enter passphrase dialog box. Otherwise, if the message used public-key cryptography and you have your keypair on this installation of Tails, you may be prompted for the passphrase to unlock your secret key. If your passphrase or key is able to decrypt the message successfully, you will get a GnuPG results window along with the decrypted text.

Persistent Disk

Tails goes to great lengths to preserve your anonymity by intentionally not persisting any of your data. That said, if you use Tails routinely, you might find it useful if at least some of your settings stayed around between reboots. In particular, you may want to save account settings in the e-mail or Pidgin clients, or you may want to have your GPG keys persist so you don't have to copy them each session you come across an encrypted e-mail you need to open. Or, you may just have some documents you'd like to work on for more than one session. Whatever the reason, Tails includes a persistent disk option you can use to create an encrypted disk alongside Tails to store this kind of data.

Before you create a persistent volume, there are a few warnings to keep in mind. The first is that Tails goes to great lengths to pick secure programs and to give the programs it installs secure configuration. With persistent volumes, you have the potential to change a configuration or add new browser plugins or packages that may not be as secure or may reveal who you are. When you choose what levels of persistence to enable, it's always best to err on the side of only the features you need. It's also important to note that although the volume is encrypted, no steps are taken to hide that the volume exists. If someone recovers your Tails disk, he or she could see that the persistent volume is there and convince you to reveal your passphrase.

To create a persistent volume, click Applications→Tails→Configure persistent storage to launch the persistent volume wizard. The persistent volume will be created on the same device you are using for Tails, and the wizard will prompt you for the passphrase to use to encrypt the volume. Once the volume is created, you will need to restart Tails to enable the persistent disk.

Once you reboot, the initial login screen will detect that you have a persistent volume and provide a button labeled "Use persistence?" that you can click to use the persistent volume for this session. You then will be prompted for your passphrase. Once you are at your desktop, the persistent volume will show up as a disk under Places→Home Folder labeled Persistent. You then can drag or save any files to the disk that you want to persist across reboots much like any other directory.

The real power of the persistent volume is in Tails' ability to store certain configurations or files to it automatically. Click Application→Tails→Configure persistent storage again, and this time, you will see a number of persistent volume features that you can enable:

  • Personal Data: allows you to save personal files in a folder that appears under the Places menu.

  • GnuPG: persists any GPG keys or settings.

  • SSH Client: all of your SSH keys and configuration files.

  • Pidgin: Pidgin accounts and settings, including OTR encryption keys.

  • Claws Mail: settings for the Claws e-mail program.

  • GNOME Keyring: GNOME's key management software.

  • Network Connections: wireless passphrases and other network settings.

  • APT Packages: any packages you install on the live system can persist across reboots if you click this option.

  • APT Lists: any software repository lists that you download when you perform an apt-get update.

  • Browser Bookmarks: pretty self-explanatory.

  • Printers: printer configuration settings.

Select any of these options that you think you need, but keep in mind that it's best to enable only features you will use. You always can go back and re-enable any of these features later if you find you need them. Note that whenever you change a setting for the persistent disk, you will need to reboot for it to take effect.


One of the final security tools included with Tails makes the most sense if you happen to have the persistent disk enabled. KeePassX allows you to keep track of user names and passwords securely for any accounts you may have within a single encrypted file. The idea here is that you can pick a single, secure password that you can remember to decrypt this database. You can choose really difficult passwords (or have KeepassX generate random passwords for you based on character sets and lengths that you configure) and have KeepassX load the password into your clipboard so you can paste it into a login prompt without even seeing it.

To launch KeePassX, click Applications→Accessories→KeePassX, and click File→New Database to create a brand-new password database. If you are using a persistent disk, be sure you store the password database within the Persistent folder. The password database is protected by a passphrase, so select a nice secure password that you can remember for this database. Once the database is open, you then can select the appropriate category for your password and create new entries for each account. Once you are done and close KeePassX, if you didn't remember to save your changes, it will prompt you before it closes.

Hopefully you now are well on your way to secure, anonymous Internet use. The nice thing about Tails is that it's simple enough to use that you can share Tails disks with friends who may not be all that familiar with security and know they will gain an extra level of protection. Although this is the last column in my Tails series, you can expect more columns about security and privacy from me in the future.

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.

Load Disqus comments