Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-08-01 19:06:06 -04:00
Code Issues Projects Releases Packages Wiki Activity

miscellaneous feedback integration

Browse source
This commit is contained in:
anarsec 2023-10-03 21:11:45 +00:00
parent 5755584357
commit 8afa5b96a8
No known key found for this signature in database
9 changed files with 74 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

44
content/posts/tails-best/index.md
View file

@ -111,7 +111,7 @@ To summarize: For highly sensitive activities, use Internet from a random cafe,
You can mitigate this first issue by **using a computer you trust to install Tails**:
* According to our [recommendations](/recommendations/#your-computer), this would ideally be a [Qubes OS](/posts/qubes/) system, as it is much harder to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick that has been installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it, or first learn the basics of the command line and GnuPG with [Linux Essentials](/posts/linux/).
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-3-gpg-explanation).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs used during Tails sessions) into any other computer while it is running a non-Tails operating system; if the computer is infected, the infection can [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
### 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
@ -345,6 +345,48 @@ Some places in the world, like China, Japan, the UK, Singapore, the US, and even
Hacking is really a way of life. If you are truly committed to your cause, you should fully embrace it and avoid being sloppy at all costs.
# Appendix 3: GPG Explanation
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
* `apt`: this manages packages in Debian.
* `dd`: this copies a file from one disk to another.
Using `gpg` during the installation of Tails will be less confusing if you understand how it works.
First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([although we don't recommend it](/posts/e2ee/#pgp-email)), but we use it here only to verify the integrity and authenticity of files.
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Tails team [digitally signs](/glossary/#digital-signatures) their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
Now you need to understand the basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4) has a great overview with visual aids. To summarize, a **secret/private** key is used to **sign** messages, and only the user who has that key can do so. Each **private** key has a corresponding **public** key - this is called a **key pair**. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!
![](signature.png)
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html).
## Step: Generate a Key-Pair
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
## Step: Verify the Tails public key
* `gpg --import < tails-signing.key` imports the Tails public key into your keyring so that it can be used.
* `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports the public key of a Debian developer into your keyring so that it can be used.
* `gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F` allows you to verify the Tails public key with the Debian developer's public key by examining the output as instructed. This is so that if the source of the Tails public key (tails.net) is compromised, you have an external source of truth to alert you.
* `gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F` will certify the Tails public key with the key you created in the last step.
Now we know that we have a genuine version of the Tails public key. `gpg` also knows this because we chose to certify it.
## Step: Verify the downloaded Tails .img file
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed as it should be by examining the output as instructed. Version numbers in the command will change.
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
<br>
<hr>

BIN
content/posts/tails-best/signature.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 157 KiB