tails best update

anarsec 2024-04-23 15:10:33 +00:00
parent 65f2209457
commit 0dd1aa0caa
No known key found for this signature in database


@ -168,7 +168,7 @@ Not everyone will need to apply all of the advice below. For example, if you're
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), when the switch is locked you are protected from an attacker compromising the Tails software stored on the USB. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, your Tails USB is immutable, so the compromise cannot carry over to subsequent Tails sessions ("malware persistence") by modifying operating system files. The only other way to establish "malware persistence" is firmware compromise, which you have already mitigated.
Note that Heads firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting.
Note that Heads firmware makes a write-protect switch unnecessary because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting.
If you aren't using Heads and you are unable to obtain a USB with a write-protect switch, you have three options.
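Review bot: "unnecessary" in the rewritten line still overstates what the linked Heads feature gives you. Verifying the integrity and authenticity of the USB before booting means a modified Tails image is detected at the next boot; it does not stop a compromised session from writing to the USB the way the locked switch does in the paragraph just above, which is the immutability argument the section rests on. Suggest saying what the reader actually gets instead of ranking the two, e.g. "Heads can stand in for a write-protect switch here: it can be configured to verify the integrity and authenticity of your Tails USB before booting, so a tampered Tails USB is detected rather than booted."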
@ -188,16 +188,16 @@ If you need to upgrade Tails, you can do so in a dedicated session with the swit
### 2. For a dedicated configuration session, if you decide to use Persistent Storage.
[Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to carry over between sessions that would otherwise be amnesiac, by saving data onto the Tails USB itself. Because Persistent Storage requires writing to the Tails USB, it is generally impractical to use with a write-protect switch.
[Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to carry over between sessions that would otherwise be amnesiac, by saving data onto the Tails USB itself. Because Persistent Storage requires writing to the Tails USB, it is generally impractical to use with a write-protect switch. An alternative to the write-protect switch is using Heads — Heads verifies the authenticity and integrity of the Tails USB through a digital signature upon boot, and this makes it safe to write to the Tails USB, so Persistent Storage will work as expected.
Another reason to avoid using Persistent Storage features is that many of them store personal data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is personal data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.
Another reason to avoid using Persistent Storage features is that many of them store personal data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is personal data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible *when Persistent Storage is unlocked*. To achieve compartmentalization with Persistent Storage unlocked, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.
However, you may want to use some Persistent Storage features that don't store personal data, such as the additional software feature. This requires unlocking the switch for a dedicated Persistent Storage configuration session:
* Start an "unlocked" session, [create Persistent Storage](/posts/tails#optional-create-and-configure-persistent-storage) with additional software enabled, [install the additional software](/posts/tails#installing-additional-software), and select to "Install Every Time" when prompted.
* Now that the configuration is complete, restart Tails into a "locked" session before actually using the software. Don't set an Administration password, which is only required during the initial installation. In a "locked" session, none of the files you work on are saved to the Tails USB because it is "locked", but now the additional software is configured to install every time you enter your Persistent Storage password at the Welcome Screen. To have a "locked" session with Persistent Storage, the USB switch will need to be switched to the read-only position *after* you receive the notification "Additional Software installed succesfully" (and before you connect to the Internet).
The Persistent Storage feature is not possible with the DVD or `toram` boot option.
The Persistent Storage feature is not possible with the DVD or `toram` boot option.
## "Personal data" USBs
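Review bot: the sentence added to the Persistent Storage paragraph, "this makes it safe to write to the Tails USB, so Persistent Storage will work as expected", needs qualifying. A boot-time signature check over the Tails software does not cover the contents of Persistent Storage, which this same paragraph says are written to the USB by design and which the next paragraph says can hold personal data that ties sessions together. It also leaves the "locked"/"unlocked" procedure below, which hinges on flipping the physical switch to read-only after the "Additional Software installed" notification, with no Heads equivalent. Suggest narrowing the claim to what is verified (the Tails system files, not the persistent data) and either adding the Heads variant of the steps or stating that the steps below are for the switch case only. Minor, in the unchanged context line: "succesfully" should be "successfully".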
@ -302,10 +302,10 @@ If you are using Persistent Storage, this is another passphrase that you will ha
SiriKali is an encrypted volume program that uses [gocryptfs](https://nuetzlich.net/gocryptfs/) behind the scenes. It is [available in the Debian repository](https://packages.debian.org/bookworm/sirikali) and can be easily installed as [additional software](/posts/tails#installing-additional-software). In Synaptic, install both sirikali and gocryptfs (if you are comfortable on the [command line](/glossary/#command-line-interface-cli), you can use gocryptfs directly and you don't actually need sirikali). If you don't want to reinstall SiriKali every session, you will need to [configure Additional Software in Persistent Storage](/posts/tails-best#unlocking-the-switch).
Using SiriKali to create a volume will make two new directories: a "cipher" directory where the encrypted files are actually stored (`VolumeName/` on your "personal data" USB), and a "plain" directory where you access your decrypted volume once it is mounted there (`/home/amnesia/.SiriKali/VolumeName`).
### Creating an encrypted volume
Using SiriKali to create a volume will make two new directories: a "cipher" directory where the encrypted files are actually stored (`VolumeName/` on your "personal data" USB), and a "plain" directory where you access your decrypted volume once it is mounted there (`/home/amnesia/.SiriKali/VolumeName`).
* Plug in the "personal data" USB where you will store this encrypted volume and enter its LUKS passphrase.
* Then in SiriKali, press "Create Volume" and select the option "gocryptfs."
* You will be prompted for a password. Create a new entry in your KeepassXC file and generate a password using the Generate Password feature (the dice icon).
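Review bot: moving the cipher/plain paragraph under the "Creating an encrypted volume" heading reads well, but its first sentence, "Using SiriKali to create a volume will make two new directories", attributes both directories to creation while the same sentence says the plain directory is where the volume appears "once it is mounted there". Suggest "Creating and mounting a volume in SiriKali gives you two directories: ...". Worth a clause as well that only the cipher directory (`VolumeName/` on the "personal data" USB) outlives the session, since the plain path sits under `/home/amnesia` and the page describes Tails sessions as amnesiac.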