diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md index 0aaa068..dc0e95a 100644 --- a/content/posts/e2ee/index.md +++ b/content/posts/e2ee/index.md @@ -146,10 +146,10 @@ Some of [Signal Configuration and Hardening Guide](https://blog.privacyguides.or Signal Desktop on Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Signal Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository). -* Go to **Applications menu > Qubes Tools > Qube Manager** +* Go to **Applications menu → Qubes Tools → Qube Manager** * Clone whonix-ws-16, and call it something like whonix-ws-16-signal. * We do this to not add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Element Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee -* Open a Terminal in the new Template: **Applications menu > Template: whonix-ws-16-signal: Xfce Terminal** +* Open a Terminal in the new Template: **Applications menu → Template: whonix-ws-16-signal: Xfce Terminal** * Run the commands in the [Signal install guide](https://www.signal.org/download/linux/) to install Signal Desktop in the Template. * Note that the layout of the Signal install guide is a bit confusing for users unfamiliar with the command line; `wget` and `cat` are separate commands, but `echo` in #2 is one command that is so long it takes two lines (which is why the second line is indented). * Template qubes require a proxy for `wget`. Before running the command, create a configuration file at `~/.wgetrc` in the Template, with the contents: 
@@ -159,7 +159,7 @@ http_proxy = 127.0.0.1:8082 https_proxy = 127.0.0.1:8082 ``` * [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16-signal` and networking `sys-whonix`. -* In the new App qube's **Settings > Applications** tab, bring Signal into the Selected column, and press **OK**. +* In the new App qube's **Settings → Applications** tab, bring Signal into the Selected column, and press **OK**. * Updates will be handled by **Qubes Update** as you would expect. >**Alternative:** You can install Signal Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Signal Desktop on Flathub is [community maintained](https://github.com/flathub/org.signal.Signal), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security). @@ -186,7 +186,7 @@ Matrix can either be used through a web client (using Element Web on Tor Browser A matrix ID looks like @username:homeserver, so for example, @anarsec:riot.anarchyplanet.org. Just like email, you can message accounts that are on different homeservers. -As soon as you have logged in, go to **Settings > Security & Privacy**. +As soon as you have logged in, go to **Setting → Security & Privacy**. * You will see that under **Where you're signed in** it lists all signed-in devices. For anonymous use cases, you will generally only be signed-in on one device. * Scroll down to **Secure Backup**. This is a feature that allows you to verify a new session without having access to a signed-in device. Press **Set up**, then the **Generate a Security Key** choice. Save the Security Key in KeePassXC. This "Security Key" will be needed for logging into a new device or session. * For Element Desktop, you will only need to use the Security Key if you sign out. 
@@ -222,10 +222,10 @@ The easiest option is to use the Element web client on Tor Browser is a disposab To install Element Desktop, Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Element Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository). -* Go to **Applications menu > Qubes Tools > Qube Manager** +* Go to **Applications menu → Qubes Tools → Qube Manager** * Clone whonix-ws-16, and call it something like whonix-ws-16-element. * We do this to not add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Signal Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee -* Open a Terminal in the new Template: **Applications menu > Template: whonix-ws-16-element: Xfce Terminal** +* Open a Terminal in the new Template: **Applications menu → Template: whonix-ws-16-element: Xfce Terminal** * Run the commands in the [Element install guide](https://element.io/download#linux) to install Element Desktop in the Template. * Template qubes require a proxy for `wget`. Before running the command, create a configuration file at `~/.wgetrc` in the Template, with the contents: ``` @@ -234,7 +234,7 @@ http_proxy = 127.0.0.1:8082 https_proxy = 127.0.0.1:8082 ``` * [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16-element` and networking `sys-whonix`. -* In the new App qube's **Settings > Applications** tab, bring Element Desktop into the Selected column, and press **OK**. +* In the new App qube's **Settings → Applications** tab, bring Element Desktop into the Selected column, and press **OK**. * Updates will be handled by **Qubes Update** as you would expect. * Avoid pressing "Sign Out", simply shutdown the qube when finished. 
diff --git a/content/posts/nophones/index.md b/content/posts/nophones/index.md index 76eda5f..86878ac 100644 --- a/content/posts/nophones/index.md +++ b/content/posts/nophones/index.md @@ -8,7 +8,7 @@ tags = ["mobile"] [extra] blogimage="/images/prison.jpg" -toc=false +toc=true +++ With effective [security culture and OPSEC](https://www.csrc.link/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture), the forces of repression wouldn't know about our specific criminal activities, but they also wouldn't know about our lives, [relationships](https://www.csrc.link/threat-library/techniques/network-mapping.html), movement patterns, etc. This knowledge is a huge asset to help them narrow down suspects and execute targeted surveillance. The location of your phone is [tracked at all times](https://anonymousplanet.org/guide.html#your-metadata-including-your-geolocation), and this data is harvested by private companies, enabling police to bypass laws requiring them to obtain a warrant. [Hardware identifiers and the subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) of the phone are logged by cell towers with every connection. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) bring total phone compromise within the reach of even local law enforcement agencies, and are 'zero-click', meaning that success doesn't rely on you clicking a link or opening a file. diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index 36ca5b4..eb018e2 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md 
@@ -137,7 +137,7 @@ While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persiste Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, and all can be browsed through a web browser for [Debian](http://packages.debian.org/) as well as [Fedora](https://packages.fedoraproject.org/), or on the command line. -It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, in order to not unnecessarily increase the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents which are not included by default in `debian-11`, I clone it first. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`. +It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, in order to not unnecessarily increase the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents which are not included by default in `debian-11`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`. To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories) detail: 
@@ -153,7 +153,7 @@ To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-insta > >5. Restart all qubes based on the template. > ->6. (Recommended) In the relevant qubes’ **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.) +>6. (Recommended) In the relevant qubes’ **Settings → Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.) ![menu](menu.png) Remember, you should not be running `apt update` or `dnf update`. 
@@ -165,7 +165,7 @@ You may want to use software that is not present in the Debian/Fedora repositori # How to Organize Your Qubes The next step is to decide how to organize your system - there is much more flexibility in this regard than in a monolithic system like Tails. In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended set-up for the typical user, which can be futher extended as needed. -After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click and select "Delete qube" for each. +After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each. How the App qubes will be organized, without displaying service qubes or Templates: 
@@ -179,22 +179,22 @@ How the App qubes will be organized, without displaying service qubes or Templat It's possible to just use the system as it is now, but let's show you how to create an App qube and a disposable. -* **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu > Qubes Tools > Create Qubes VM** +* **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu → Qubes Tools → Create Qubes VM** * **Name**: Project-monero * **Color**: Yellow * **Type**: AppVM * **Template**: whonix-ws-16 * **Networking**: sys-whonix - * The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings > Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu. + * The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings → Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu. -* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu > Qubes Tools > Create Qubes VM** +* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). 
Again, go to **Applications menu → Qubes Tools → Create Qubes VM** * **Name**: debian-11-offline-dvm * **Color**: Black * **Type**: AppVM * **Template**: debian-11-documents * **Networking**: none - * You could equally use Fedora. In the new qubes' **Settings > Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the offline disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template. - * Go to **Applications menu > Qubes Tools > Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm` + * You could equally use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the offline disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template. + * Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm` * Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited. [Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include: 
@@ -205,10 +205,10 @@ It's possible to just use the system as it is now, but let's show you how to cre If you want your qubes that are not using Tor to be forced through a VPN, this is the easiest way to set that up. -By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings > Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube. +By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings → Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube. # How to Use Disposables -Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu > Disposable: whonix-16-ws-dvm > Tor Browser**. This is how you do all Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable. +Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all Tor browsing. 
If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable. Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information. 
@@ -228,12 +228,12 @@ If your file is opening in a different application than what you require, you'll For PDF files, right-clicking will also give the option **Convert To Trusted PDF**. This will sanitize the PDF file so that it can go from being untrusted to trusted. This is achieved by it being converted into images in a disposable, and cleaning the metadata. -Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application > qvm-open-in-dvm**. +Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application → qvm-open-in-dvm**. # How to Use Devices (like USBs) To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB). -1. Go to **Applications menu > Disposable: debian-11-offline-dvm > Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings > Applications** tab. +1. 
Go to **Applications menu → Disposable: debian-11-offline-dvm → Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings → Applications** tab. ![widget](media-removable.png) @@ -243,7 +243,7 @@ To learn how to attach devices, we will format the empty USB or hard drive you w 3. The empty USB or hard drive should now be displayed in the Disks application. Format the empty device and then create a new encrypted partition, [like you would in Tails](/posts/tails/#how-to-create-an-encrypted-usb). You can use the same LUKS password as is used for your Qubes OS LUKS, because you will need to memorize it to restore from backup, and it will contain the same data. -4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu > sys-usb > Files**, and select "Safely Remove Drive" to eject it from the computer. +4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu → sys-usb → Files**, and select "Safely Remove Drive" to eject it from the computer. There are command line instructions for using an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice). Webcams and microphones are considered devices, and must be attached to an App qube in order to use them. 
@@ -254,18 +254,18 @@ As soon as your qubes are organized in the way that you would like, backup your Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup): ->1. Go to **Applications menu > Qubes Tools > Backup Qubes**. +>1. Go to **Applications menu → Qubes Tools → Backup Qubes**. > >2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next. > ->3. Go to **Applications menu > Disposable: debian-11-offline-dvm > Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be backing up to and attach it ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **+ Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in it called `backups`. +>3. Go to **Applications menu → Disposable: debian-11-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be backing up to and attach it ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **+ Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in it called `backups`. > >4. In Backup Qubes, select the destination for the backup: >* **Target qube**: select the disposable, named something like disp1217. >* **Backup directory**: click **...** to select the newly created folder `backups`. >5. 
Set an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager. >6. Untick "Save settings as default backup profile", and press **Next**. ->7. Once the backup is complete, test restore your backup. Go to **Applications menu > Qubes Tools > Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it, and you can’t be sure that your backup is not corrupted until you try to restore. +>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it, and you can’t be sure that your backup is not corrupted until you try to restore. # Whonix and Tor The Whonix project has their own [extensive documentation](https://www.whonix.org/wiki/Documentation), as does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), upon which it is based. When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides. 
@@ -317,13 +317,13 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo During the [post-installation of Qubes OS](#getting-started), you have the option of installing exclusively Debian or Fedora Templates (instead of both). You also have the option of using the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates, and to convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will either be Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora. Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template you will clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend to use disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable: -* Go to **Applications menu > Qubes Tools > Create Qubes VM** +* Go to **Applications menu → Qubes Tools → Create Qubes VM** * Name: kicksecure-16-dvm * Color: purple * Type: AppVM * Template: kicksecure-16 * Networking: default (sys-firewall) -* In the new qubes' **Settings > Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template. +* In the new qubes' **Settings → Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template. 
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If during the Qubes OS installation, you set all sys qubes to use the Debian Template, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes: * Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template. diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md index 04f18fd..ef7f9a3 100644 --- a/content/posts/tails-best/index.md +++ b/content/posts/tails-best/index.md @@ -178,7 +178,7 @@ The first time you use it, you create a gocryptfs filesystem; `gocryptfs -init cipher` -You will be prompted for the password. Create a new entry in your KeepassXC file and create a password by using the Generate Password feature (the dice icon). Then copy the password, and paste it into the terminal (Edit > Paste, or Ctrl+Shift+V). It will output a master key—save this in the KeepassXC entry. +You will be prompted for the password. Create a new entry in your KeepassXC file and create a password by using the Generate Password feature (the dice icon). Then copy the password, and paste it into the terminal (Edit → Paste, or Ctrl+Shift+V). It will output a master key—save this in the KeepassXC entry. Every time you use the filesystem, mount it and enter the password: diff --git a/content/posts/tails/index.md b/content/posts/tails/index.md index 7f2190a..79ac9ca 100644 --- a/content/posts/tails/index.md +++ b/content/posts/tails/index.md 
@@ -224,7 +224,7 @@ Some sites offer both a classic URL as well as an .onion address. In this case, The Tor network is blocked and otherwise rendered more inconvenient to use in many ways. You may be confronted with CAPTCHA images (a kind of game that verifies you “are not a robot”) or obliged to provide additional personal data (ID card, phone number…) before proceeding, or Tor may be completely blocked. -Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit nodes for this site: click on the ≣ > "New Tor circuit for this site". The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned. +Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit nodes for this site: click on the ≣ → "New Tor circuit for this site". The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned. It is also possible that the entire Tor network is blocked, because all Tor relays are public. In this case you can try to use a proxy to get to the site, such as https://hide.me/en/proxy (but only if you don't have to enter any personal data or do anything sensitive like login information). You can also check whether the page you want to access has been saved to the Wayback Machine: web.archive.org. 
@@ -248,7 +248,7 @@ The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prev *Downloads* -When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (Applications > Accessories > Files) to do this. +When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (Applications → Accessories → Files) to do this. *Uploads* 
@@ -275,7 +275,7 @@ If you're going to need to know a lot of passwords, it can be nice to have a sec ![seconds](seconds.png) -When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then, select a [strong passphrase](/posts/tails-best/#passwords) and then save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: Database > Database Security > Encryption Settings. +When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then, select a [strong passphrase](/posts/tails-best/#passwords) and then save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: Database → Database Security → Encryption Settings. As soon as you close KeePassXC, or if you don't use it for a few minutes, it will lock. Be careful not to forget your main passphrase. We recommend against using the auto-fill feature, because it is easy to fill your password into the wrong window by mistake. 
@@ -320,7 +320,7 @@ Exclusively store data on encrypted drives. This is necessary for using a separa * For "type" select **internal disk to be used with Linux systems only (Ext4)**; check **Password protected volume (LUKS)** * Enter a [strong passphrase](/posts/tails-best/#passwords) -When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under Places > Computer and then select Eject. +When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under Places → Computer and then select Eject. #### Encrypt a file with a password or with a public key
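Review bot: in content/posts/e2ee/index.md, hunk @@ -146,10 +146,10 @@, the terminal path is only half converted: **Applications menu → Template: whonix-ws-16-signal: Xfce Terminal** still uses a colon between the qube name and the application. The qubes/index.md hunks use an arrow at that position (**Applications menu → Disposable: debian-11-offline-dvm → Disks**). Suggest **Applications menu → Template: whonix-ws-16-signal → Xfce Terminal**, and the same for the whonix-ws-16-element line in hunk @@ -222,10 +222,10 @@.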
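Review bot: in content/posts/e2ee/index.md, hunk @@ -186,7 +186,7 @@, the added line reads **Setting → Security & Privacy**, but the removed line had **Settings**. The trailing "s" was dropped along with the separator change, so the label no longer matches the other **Settings → Applications** style paths in this patch. Restore it to **Settings → Security & Privacy**.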
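Review bot: in content/posts/nophones/index.md, hunk @@ -8,7 +8,7 @@, the switch from toc=false to toc=true is unrelated to the separator replacement that every other hunk in this patch makes. It changes how the page renders rather than how a menu path is written, so it should go in its own commit, or at least be called out in the commit message so it is not mistaken for an accidental edit.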
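Review bot: in content/posts/qubes/index.md, hunk @@ -153,7 +153,7 @@, the changed step 6 sits inside a blockquote that the preceding text introduces with "as the docs detail", so the edit alters text presented as a quotation of the Qubes documentation. Either leave the quoted **Settings > Applications** as it was, or change the introduction to "Adapted from the docs", as the backup section in hunk @@ -254,18 +254,18 @@ already does.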
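Review bot: in content/posts/qubes/index.md, hunk @@ -205,10 +205,10 @@, the rewritten path **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser** keeps two inconsistencies that are worth fixing while the line is being touched. Every other path in this patch starts with **Applications menu**, and the template is written whonix-ws-16 everywhere else, so whonix-16-ws-dvm looks like a transposition. A reader who types the name as printed will not find the qube; please check it against the actual disposable name.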
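Review bot: in content/posts/tails/index.md, hunk @@ -248,7 +248,7 @@, the path (Applications → Accessories → Files) gets the new arrow but is left unbolded, whereas every menu path in qubes/index.md and e2ee/index.md is bold. The same applies to Database → Database Security → Encryption Settings in hunk @@ -275,7 +275,7 @@, Places → Computer in hunk @@ -320,7 +320,7 @@, and Edit → Paste in tails-best/index.md. If the goal of the patch is a uniform menu-path style, wrap these in ** as well.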