Tails below the radar: the private portable OS

No doubt, the Tor browser is an essential privacy protection tool. However, Tor alone cannot cover you up and hide your traces. To stay undercover, you need Tails. Tails is a security-focused, Debian-based Linux distribution made to ensure your privacy and anonymity. Tails on a portable flash drive can fully protect you from tracking; furthermore, your privacy won’t be compromised even if your residence is searched!


Tails is not the only Linux distribution focused on privacy protection. However, I believe it is the best choice for someone who wants to preserve their confidentiality, keep communications private, protect personal data, and hide important information from prying eyes. The OS is based on the following principles:

  1. Preserve confidentiality. Your data is confidential. You don’t want others to see it. Protect it with strong encryption and secure cryptographic keys. Use multilayer encryption for some types of data. Not a single piece of data should be stored or transmitted in plain view.

  2. Conceal information. Want to play plausible deniability? Hide the very fact that you have something stored or transmitted! Hidden containers make it possible.

  3. Conceal destination. You may need to hide your recipients as well as the data. Layered encryption and onion routing will help.

  4. Plausible deniability. You may be forced to reveal your secret. Make sure whatever you reveal is not your real secret! Every hidden volume is nested in a standard container. Make sure that the container has something that looks convincing enough to satisfy your chasers.

  5. Deniable authentication and information transition, revocable digital signatures, etc. The Off-the-Record Messaging (OTR) cryptographic protocol and HMAC message authentication code (instead of the digital signature) will help.

  6. No traces to be left on the computer. Every trace in the RAM, on the hard drive, or even in the GPU memory must be thoroughly cleaned up. Sensitive information must be stored on a securely encrypted storage device that is kept in a physically secure way; the risk of a leak must be reduced to the minimum.

The above principles supplement each other. If you are concerned about the security of your data and about your privacy, never disregard any of them.


Two flash drives are required to install Tails. Why do you need two of them? To understand what is recursion, you need to understand what is recursion first… You can install Tails only with Tails. The ISO can be downloaded from the official website tails.boum.org. I recommend checking the image with OpenPGP immediately; a detailed instruction is available on its website. Then unpack the downloaded image to the interim flash drive using Universal USB Installer. After that, you can boot the computer from the flash drive. When the OS is loaded, plug in the second (main) flash drive and select Applications → Tails → Tails Installer → Install by Cloning.

If the installation went successfully, the system is ready to work.

Getting started

After booting-up from the interim flash drive, you have to create a persistent protected volume (a ‘hard drive on a flash’). To do so, select Application → Tails → Configure Persistence.

Restart the PC and select Use Persistence, More Options, and specify the password to unlock the storage.

Then select Region from the menu on the bottom of the screen. This is important because Tor input nodes are location-dependent. I suggest experimenting with the value. In my case, Denmark turned out to be the best choice.

In the Advanced Settings menu, set a password for programs requiring administrator privileges. You can use any password; it works in the framework of the current session and does not affect anything.

Please note that the boot-up takes some time, and then it may take Tails a few minutes to connect to Tor. You can monitor this process by clicking the Onion Circuits icon, a little onion in the upper right corner of the screen.

After a while, Tails will notify you of a successful connection to Tor. By default, the network is configured to direct all traffic through Tor. Now you can download the tools.

Additional software, saving files and settings

By default, Tails does not save the installed software, settings, and files after the shutdown. However, its developers provided the possibility to store some data in the persistent volume. You can select what to keep there in Settings → Persistent.

Most of the menu items are self-explanatory; only the last three items need explanations. The APT Packages and APT Lists relate to the storage of APT packages. Tails is based on Debian; therefore, the majority of required packages can be installed using the apt-get function. The programs won’t be saved after the shutdown, but you can configure Tails to save APT packages in the persistent volume. This makes it possible to load the required software during the boot-up.

The last menu item, Dotfiles, allows creating a folder with files in the persistent volume; links to these files will be created in the Tails home directory during the boot-up.

Below is an example of a file structure in the persistent volume.

Accordingly, the link structure in the home directory will look as follows:

Cleaning up data, detaching tail

The persistent volume is already encrypted. However, there is a problem: it does not deny the very existence of encrypted data plausibly enough. I will suggest my own solution to ensure plausible deniability; it is different from recommendations provided by the Tails developers. It is up to you which way to choose.

The Tails developers recommend using LUKS-based cryptsetup utility to set up hidden volumes. However, LUKS volumes are not hidden completely. As far as I know, it is possible to find the header of a hidden volume, i.e. detect its presence.

This is not acceptable. Therefore, I decided to use the old, discontinued, but familiar TrueCrypt 7.1a (the last version that can still create new volumes). The header of a hidden volume created with TrueCrypt is undistinguishable from random data and, as far as I know, is impossible to detect. The best way is to store the TrueCryp binary code in the persistent volume.


VeraCrypt, the true TrueCrypt successor, offers all of the same features with substantially stronger security and many more functions, such as the ability to encrypt on-the-fly-encryption keys stored in the computer’s RAM or use a nonstandard number of hash iterations to derive the encryption key from your password.

I am not the one to tell you how to make a layered hidden volume, but one thing is worth mentioning. Because the hidden volume created with TrueCrypt is really ‘hidden’, TrueCrypt itself has no idea of its existence until you enter the password. If you enter the password of the hidden volume, the hidden volume will be mounted. If, however, you enter the password to the outer layer, the outer (nonhidden) volume will be mounted, and the hidden volume can be damaged when you store files to the outside (fake) volume. To prevent this, when you mount the outside volume, select: Mount Options → Protect hidden volume.

Like a lizard detaching its tail in dangerous situations, now you can enter the password to the outside volume and demonstrate the funny pics instead of your confidential information.


Now that your data is secure, you can start exchanging information (a.k.a. chatting). Pidgin Instant Messenger is an excellent IRC client, and Tails developers have further enhanced it. The OS includes Pidgin with a built-in plugin for the OTR protocol (the one you want to use). Keeping it simple, this protocol ensures secure data transfer with deniable authentication; it is impossible to prove that a specific message came from a specific person.

Prior to starting communication via OTR, you have to connect to an IRC server. Do not forget to make sure that you use SSL. Tor encrypts traffic between its nodes, but if you don’t use SSL, your data would be transferred unencrypted from your computer to the entry node and from the exit node to the addressee. Some Tor nodes are banned on IRC servers; therefore, you might need to restart Tor using the command: /etc/init.d/tor restart.

After connecting to the server, select: Buddies → New Instant Message.

A dialog window opens. Select: Not Private → Start Private Conversation.

The program offers three authentication options: answer to a secret question known both to you and the other party (the answers must be identical, spaces and letter cases do matter), enter a common secret phrase, or verify the fingerprint (a 40-symbol sequence identifying an OTR user).

Now you can communicate via ORT. Unfortunately, voice communications are problematic. As you know, Tails directs all traffic via Tor, which causes serious issues when transmitting voice. First, the majority of VoIP programs rely on UDP, while Tor only supports TCP packets. Second, Tor is not too fast; sometimes packets arrive with significant delays. As a result, poor voice quality and frequent disconnections are more than likely.

Still, there is a special plugin for TorChat: OnionPhone. Mumble works more or less satisfactory as well, although it is less secure. To launch Mumble via Tor, you have to use the torify mumble command and select “Force TCP” in its network settings.


Similar to other operating systems, Tails supports e-mail. Its standard build includes the Icedove mail client. Its settings and keys can be stored in the persistent volume. Important: message subjects are not encrypted. This is not an error but a feature of the protocol you must be aware of. In addition, it is strongly recommended to encrypt files sent via e-mail.


In this article, I only covered a few of the functions offered by Tail. However, the standard distro includes an impressive set of extra programs that are useful as well. For instance, I strongly recommend checking out software enabling you to erase file metadata; this will raise your security level even higher.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">