So, you want to set up Tails live Linux USB, but for one reason or another, you can't follow the instructucation provided for one reason or another; in my case, due to policy restrictions. What to do? Well, here is an alternative method that should be just as cryptographically secure as the "official" instructions.
So what, exactly, is Tails? While the official About page has all the juicy details, Wikipedia puts it simpler: "The Amnesic Incognito Live System is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. All its outgoing connections are forced to go through Tor, and non-anonymous connections are blocked. The system is designed to be booted as a live DVD or live USB, and will leave no digital footprint on the machine unless explicitly told to do so."
Such a system is ideal for just about everybody who wants to keep their web browsing activities anonymous. While this can (and perhaps should) consist of just about everybody, some key "types" may be whistleblowers, activists, researchers, and even the idly curious. But I won't go much deeper into who/why/security caveats about TOR or Tails, since they do it much better themselves. But what I will go over, is an alternative method for installing Tails.
First, let us take a look at the quick steps from the Tails site: https://tails.boum.org/download/index.en.html
As stated in those instructions, unless you verify thge PGP Key, there is no guarantee that you you aren't the victim of a Man-in-the-Middle attack. So they've provided a few steps and tools to be as sure as possible that no MITM attack took place. The problem with these steps is that they assume you either have the tools already, or the ability to install them.
I have neither. So what to do?
Well, I DO have the ability to make a bootable USB (as odd as that seems). So, assuming you have the ISO file and the ability to make a bootable USB, we can still create a cryptographically secure Tails USB. Here's how:
Before we begin, we will need 3 USB sticks:
- one for the ISO file itself, 2GB minimum
- a temporary USB for a temporary bootable Tails, 2GB minimum
- the "real" bootable USB, 4GB would likely be THE minimum, but I would suggest 8GB or more
- Download the ISO file, and copy it onto the ISO USB.
- Make the temporary bootable USB:
- pv -ptreb /tails.iso | dd of=/dev/sdb
- Reboot into that Tails
- When the Tails Greeter comes up, selec 'Yes' under 'More options?'
- Put in an Administration Password
- Click 'Login'
- Go to Applications - Tails - Tails Installer
- Select 'Install by cloning'
- Target Device: your "permanent" Tails USB
- click 'Install Tails'
- Once complete, poweroff, and reboot into the new Tails USB
- At the Tails Greeter, you will notice there's a new option on this USB: 'Use persistence?', though we will want to LATER, for no, leave this on No
- though under 'More options?', select yes
- Put in an Administrator Passord
- Click 'Login'
- Go to Applications - Tails - Configure Persitence
- Carefully choose your encryption password. TheIntercept wrote a nice article about password strength. It is certainly worth reading.
- Be sure to select ALL options for encryption when asked
- Reboot back to the same USB
- This time, at the Tails Greeter, select 'Yes' under 'Use persistence?'
- also select advanced options and set an admin password
- And you're DONE!
Now, let us see what we can do to further customize this...
One of the first things I do to any Live bootable Linux, is to update the sources and upgrade all applications that require it. While this is entirely possible with Tails, these updates won't survive a reboot. There is a way to use the Additional software packages persistence feature, but they fail to mention a very important detail: the installed binaries don't actually stay in the encypted persistence. Instead, what you actually wind up doing is creating a list of applications that are installed at boot time. So while not an issue for one of two small apps, if you have some larger changes in mind, you will need to essentially re-install these apps at EVERY BOOT! An alternative (though untested by me) option would be to possibly manually install the binaries to the encrypted persistence, and reference them there (through the $PATH variable or some aliases). Fortunately, if/when Tails identifies security holes, they are very quick about addressing them. These updates, through a Tails-specific updater, ARE persistent, so at least we don't need to wrroy about that. There's even a check when Tails boots, and if there is a newer version available, it will notify you and ask if you want to update; the process is VERY simple and painless.
- Very secure
- Leaves no trace on the system you booted from (it even performs a quick memory wipe on shutdown)
- Not suitable for everyday use
- Cannot effectively install additional software
- Not easily cutomizable
Now, in Tails' defence, some of these "cons" are by deliberate design. The software that is pre-installed in Tails has been thoroughly checked and vetted, and you can be (very reasonably) sure that this software will not leak any of your information; the additional software you might want to install will likely not have gone through that same verification and vetting process, and may leak some info.
So what do you think of Tails? What customizations have you managed to perform?