Resources for the global digital safety training community.
Credits
Last Updated 2015-05Participants learn to enable persistence, and/or create and access an encrypted USB in order to save settings and store documents within Tails.
Tails is a relatively easy-to-use and hard-to-misuse workspace for handling confidential documents. By enabling a feature called persistence, users can configure Tails to save created data within the operating system in what’s called a persistent folder.
As participants get prepared, you may wish to set the stage for this Deepening exercise by explaining that there are two methods of securely storing confidential data in Tails:
Before beginning, you may wish to remind the participants that an initial installation of Tails from an image file cannot be updated and files cannot be saved to it; however, by enabling a feature called persistence, users can configure Tails to save created data within the operating system in what’s called a persistent folder.
Begin by demonstrating to the group how to enable persistence within Tails, with participants following along on their own machines with their own live Tails USBs.
Explain that the persistent volume is an encrypted partition within a Tails instance, and that partition is further protected by a passphrase of the user’s choosing.
Once complete, restart Tails to apply the changes. When you arrive at the Tails Greeter, make sure to enable persistence as prompted by inputting your persistence passphrase.
Now when you are in Tails, you can navigate to the Persistent folder, where any file you store will be locally encrypted on the USB and accessible across Tails sessions as long as you activate persistence in the Tails Greeter.
After completing the above steps demonstrating the process for creating a Persistent folder within Tails to the group, you can now demonstrate the difference in functionality between the new Persistent folder and the regular Tails amnesiac’s home folder. Have participants do the following:
In this step, explain that participants will learn how to create a separate, encrypted USB drive that can be used for storing documents without altering Tails.
Once Disk Utility has been launched, have participants insert their blank USB into their computers.
Disk Utility will ask about the desired partitioning scheme for this newly formatted device - leaving the default option of Master Boot Record selected should suffice for this exercise. Take a pause here to remind participants of the definitions of scheme and partition (from the Staying Anonymous with Tails Input).
Participants should now see a screen showing the total memory of their USB device, which will be 100% empty. In the lower left-hand corner, click the “plus” symbol next to Create Partition.
Ensure that both Take Ownership of Filesystem and Encrypt Underlying Device are both selected; the latter ensures that the partition created on the USB is also encrypted when it is created.
In this next part of the exercise, walk participants through the process of accessing their encrypted USB within Tails, identifying the device in subsequent Tails sessions, and testing that the encrypted partition and device are working properly.
Once the encrypted device has been created, have participants go to the Tails desktop and find the encrypted partition under the Places menu. It should appear under the name that was given to it during the creation process.
Note that it will not appear at first using the name that was originally given to it, but rather as “[Size of encrypted partition] Encrypted”. If there are multiple encrypted devices present on a machine while using Tails, users will need to remember which is which by the size of the partition.
Wrap this section of the module, reviewing that these are two methods in which Tails can be used to store sensitive documents in a protected manner.
Tails USBs with persistence enabled carry additional data from session to session in a way that Tails USBs without persistence will not, and thus will have differing data “fingerprints”.
Both within Tails using an encrypted external drive and on an encrypted drive itself, the presence of an encrypted volume itself is not hidden; however, the data within is only accessible via a passphrase. Participants should protect this passphrase the same way they might protect any other.
However, is not advisable to do so as it may compromise the device’s security.