tails best update

content/posts/tails-best/index.md

@@ -168,7 +168,7 @@ Not everyone will need to apply all of the advice below. For example, if you're
 
 If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), when the switch is locked you are protected from an attacker compromising the Tails software stored on the USB. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, your Tails USB is immutable, so the compromise cannot carry over to subsequent Tails sessions ("malware persistence") by modifying operating system files. The only other way to establish "malware persistence" is firmware compromise, which you have already mitigated.  
 
-Note that Heads firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. 
+Note that Heads firmware makes a write-protect switch unnecessary because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. 
 
 If you aren't using Heads and you are unable to obtain a USB with a write-protect switch, you have three options.
 
@@ -188,9 +188,9 @@ If you need to upgrade Tails, you can do so in a dedicated session with the swit
 
 ### 2. For a dedicated configuration session, if you decide to use Persistent Storage.
 
-[Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to carry over between sessions that would otherwise be amnesiac, by saving data onto the Tails USB itself. Because Persistent Storage requires writing to the Tails USB, it is generally impractical to use with a write-protect switch. 
+[Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to carry over between sessions that would otherwise be amnesiac, by saving data onto the Tails USB itself. Because Persistent Storage requires writing to the Tails USB, it is generally impractical to use with a write-protect switch. An alternative to the write-protect switch is using Heads — Heads verifies the authenticity and integrity of the Tails USB through a digital signature upon boot, and this makes it safe to write to the Tails USB, so Persistent Storage will work as expected.  
 
-Another reason to avoid using Persistent Storage features is that many of them store personal data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is personal data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work. 
+Another reason to avoid using Persistent Storage features is that many of them store personal data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is personal data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible *when Persistent Storage is unlocked*. To achieve compartmentalization with Persistent Storage unlocked, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work. 
 
 However, you may want to use some Persistent Storage features that don't store personal data, such as the additional software feature. This requires unlocking the switch for a dedicated Persistent Storage configuration session: 
 
@@ -302,10 +302,10 @@ If you are using Persistent Storage, this is another passphrase that you will ha
 
 SiriKali is an encrypted volume program that uses [gocryptfs](https://nuetzlich.net/gocryptfs/) behind the scenes. It is [available in the Debian repository](https://packages.debian.org/bookworm/sirikali) and can be easily installed as [additional software](/posts/tails#installing-additional-software). In Synaptic, install both sirikali and gocryptfs (if you are comfortable on the [command line](/glossary/#command-line-interface-cli), you can use gocryptfs directly and you don't actually need sirikali). If you don't want to reinstall SiriKali every session, you will need to [configure Additional Software in Persistent Storage](/posts/tails-best#unlocking-the-switch).  
 
-Using SiriKali to create a volume will make two new directories: a "cipher" directory where the encrypted files are actually stored (`VolumeName/` on your "personal data" USB), and a "plain" directory where you access your decrypted volume once it is mounted there (`/home/amnesia/.SiriKali/VolumeName`).  
-
 ### Creating an encrypted volume 
 
+Using SiriKali to create a volume will make two new directories: a "cipher" directory where the encrypted files are actually stored (`VolumeName/` on your "personal data" USB), and a "plain" directory where you access your decrypted volume once it is mounted there (`/home/amnesia/.SiriKali/VolumeName`).  
+
 * Plug in the "personal data" USB where you will store this encrypted volume and enter its LUKS passphrase. 
 * Then in SiriKali, press "Create Volume" and select the option "gocryptfs."  
 	* You will be prompted for a password. Create a new entry in your KeepassXC file and generate a password using the Generate Password feature (the dice icon).