Friday, 13 June 2014

Getting Started With Tails

Because Tails is designed to be used as a live operating system, in many respects downloading and creating a live disk is the same as most other Linux distros. However, given that security is likely the most important consideration for users, special attention should be paid to validating and verifying the download before using the operating system. The following process is aimed at Ubuntu users, links are provided for other operating systems where appropriate.

You can download Tails from the Tails Download, Verify and Install page.

In order to verify the download, you must also download the Tails signing key which you can get from the same link. But (and this is a big but for the security conscious), how can you be sure that the key that you have downloaded is genuine? It's possible (although, not likely) that the key has been compromised by a man-in-the-middle attack and you may want to ensure that the key that you have downloaded has been signed by members of the Debian Development Team.

"Tails signing key is actually already signed by the keys of several official developers of Debian, the operating system on which Tails is based. Debian makes an extensive use of OpenPGP and you can download the keys of all Debian developers by installing the debian-keyring package. You can then verify the signatures those developers made with their own key on Tails signing key."

First, download the signature from Tails Download page to your Download folder (in this example, home/[user]/Downloads/)1 and check that the key is signed. Open a terminal and then:

gpg --import /home/[user]/Downloads/tails-signing.key

This command imports the key into your gpg keyring. In order to check the signatures, you must first locate the Tails key id: the following code will list all public keys (including the Tails key that you've just imported) in your keyring.

gpg --list-public-keys

The output will include the following entry:

pub 4096R/BE2CD9C1 2010-10-07 [expires: 2015-02-05]

uidTails developers (signing key)

uidT(A)ILS developers (signing key)

The relevant ID is the second part (BE2CD9C1) of the alpha-numeric string on the first line; using this key ID, check the signatures with:

gpg --check-sigs BE2CD9C1

The output will appear as follows:

Note the last line which warns us that: "308 signatures not checked due to missing keys". These missing keys are those of the Debian Developers and others for whom you have no public keys in your keyring. You can download the Debian keys from the Ubuntu Software Center (search for debian-keyring) or with:

sudo apt-get install debian-keyring

Now that you have access to the Debian keys, you can check to see if any of the missing keys are in the Debian keyring:

gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --keyid-format long --check-sigs BE2CD9C1

By using the Debian keyring (rather than your personal keyring) the number of missing keys has been reduced to 300 telling us that eight of the signatories on the Tails key are in the Debian keyring. I think this a more elegant solution that the recommended process: checking random signatures can be both time-consuming and frustrating. Moreover, there is no need to import signatures into your personal keyring that you will be unlikely to use again. Whilst not foolproof, this should give you confidence that the Tails key that you have downloaded is genuine and can be used with confidence to check the Tails .iso file. Fortunately, this is not such a long-winded process as validating the signature!

Change to the Download directory:

cd /home/[user]/Downloads

Next, check the signature of the .iso file matches the signing key:2

gpg --keyid-format long --verify tails-i386-1.0.1.iso.sig tails-i386-1.0.1.iso

If all's gone well, you should see:

gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST

gpg: using RSA key 1202821CBE2CD9C1

gpg: Good signature from "Tails developers (signing key) "

Don't worry if you see a warning telling you that "[t]his key is not certified with a trusted signature!", this simply means that you haven't personally signed the Tails key.

Now you're ready to burn the Live Disk. In Ubuntu you simply follow the same procedure as for all Linux Distros: in your file manager, navigate to your download, right-click the .iso file and then select Write to Disc...3. Remember that it is good practise to burn the disk at the lowest possible speed in order to reduce errors.

To use your Live Disk, simply reboot your PC using the optical drive as the first boot device.

That's it! Now you're ready to use the Tails operating system. In the next post, I'll look at the pros & cons of burning a Live USB and consider whether or not to create a persistence file.

Sources & References:


    1. Change [user] to suit your circumstances - usually your username
    2. Remember, over time the version numbers will change: make sure that you are referencing the correct file (download) name.
    3. In some other distros (for instance, Mint) this might not be as easy. However, there are appps (such as K3B) that will burn your Live Disk: search the software center or use the link above. Windows users can use Infrarecorder to burn their installation disks.

No comments:

Post a Comment