How to Make a Spy USB Drive with the Secure Tails OS

Creating a Spy USB Drive with the Secure Tails Operating System

Tor is undoubtedly one of the most essential tools for protecting your personal data. But to truly secure yourself from all angles and work without leaving any traces, you need more than just Tor. Tails is a Debian Linux-based operating system built on serious data protection principles. By using a USB drive with Tails, you can avoid not only online surveillance but also physical searches of your home.

Introduction

Tails isn’t the only Linux distribution that prioritizes data protection, but in my opinion, it’s currently the best choice for anyone who wants to keep their communications private, their personal data secure, and their important information safe from prying eyes. Since I’ve mentioned Tails’ data protection principles, let’s list them:

  • Confidentiality of information: We need to protect our data from outsiders. This means encrypting everything, using strong cryptographic algorithms and long keys. Some things will even be encrypted multiple times. Nothing should be stored or transmitted in plain text.
  • Concealing the existence of information (steganographic protection): We need to hide the very fact that data is being stored or transmitted. We’ll use hidden crypto containers and fill free disk space with random data that’s indistinguishable from encrypted data.
  • Concealing the recipient of information: Sometimes, it’s necessary to hide not just the information itself but also the recipient. Multi-layer encryption and “onion” routing help with this.
  • Plausible deniability: You might need to mislead persistent investigators (for example, during a search). We’ll create fake but convincing encrypted partitions on top of hidden containers with important data, where we’ll store things like a cookbook or cat pictures from the internet.
  • The ability to deny sending information or revoke digital signatures: The OTR protocol and using HMAC instead of digital signatures help with this.
  • Working on a computer without leaving traces: Anything that could remain in RAM, on the hard drive, or even in the video card’s memory must be thoroughly wiped. All important data should only be stored on a securely encrypted, hidden, and protected device, minimizing the risk of leaks.

All these principles complement each other. If you truly care about protecting your data and maintaining privacy, don’t neglect any of them.

Installation

To install Tails, you’ll need two USB drives. Why two? Because Tails can only be installed using Tails itself. Download the ISO from the official website at tails.boum.org. It’s recommended to verify the image with OpenPGP; detailed instructions are available on the site. Write the downloaded image to the first (intermediate) USB drive using Universal USB Installer. Then, shut down your computer and boot from the USB drive. Once the OS loads, insert the second (main) USB drive and select Applications → Tails → Tails Installer → Install by Cloning.

If everything works, your system is ready to use.

Getting Started

After booting from your working USB drive, you’ll need to create a persistent, protected partition—a kind of “hard drive on a USB stick.” Do this via Applications → Tails → Configure Persistence.

Restart your computer and, at the boot screen, select Use Persistence and More Options, then enter the password for your storage.

From the menu at the bottom of the screen, select your region. This is important because Tor’s entry nodes depend on your region. You may need to experiment; for me, Denmark worked best.

In the advanced settings menu, set a password for programs that require administrator rights. You can use any password; it only works for the session and doesn’t affect anything else.

Keep in mind that booting takes some time, and then Tails will take a few more minutes to connect to Tor. You can monitor the process by clicking the Onion Circuits icon (the onion) in the top right corner of the screen.

After a while, Tails will notify you of a successful connection to Tor. By default, all network traffic is routed through Tor. Now you can download whatever you need for work.

Additional Software, Saving Files and Settings

By default, Tails isn’t designed to save installed software, settings, or files after the computer is turned off. However, the creators have provided a way to store certain data in the persistent partition. You can configure what gets saved in Settings → Persistent.

Most menu items are self-explanatory, so I’ll focus on the last three. The second and third from the bottom are for storing APT packages. Since Tails is based on Debian, you can install most software you need using apt-get. While the programs themselves won’t be saved after shutdown, the APT packages will remain in the persistent partition if configured. This allows you to quickly deploy all necessary software during system startup.

The last menu item, Dotfiles, lets you create a folder in the persistent partition with files that will be linked to your Tails home folder at boot. Here’s how it works:

/live/persistence/TailsData_unlocked/dotfiles
├── file_a
├── folder
│   ├── file_b
│   └── subfolder
│       └── file_c
└── emptyfolder

In your home folder, the structure will look like this:

/home/amnesia
├── file_a → /live/persistence/TailsData_unlocked/dotfiles/file_a
└── folder
    ├── file_b → /live/persistence/TailsData_unlocked/dotfiles/folder/file_b
    └── subfolder
        └── file_c → /live/persistence/TailsData_unlocked/dotfiles/folder/subfolder/file_c
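
The linking rule visible in the two trees above can be modelled in a few lines. This is an added example, not Tails' own code or part of the original article; the function names and the temporary directories standing in for the persistent volume and /home/amnesia are assumptions made for the illustration.

```python
import os
import tempfile


def link_dotfiles(source, home):
    """Symlink every file under `source` to the same relative path in `home`.

    Directories are created as real directories, and only when a file has to
    live inside them, so an empty source folder never appears in `home`.
    """
    created = []
    for dirpath, _dirnames, filenames in os.walk(source):
        rel_dir = os.path.relpath(dirpath, source)
        dest_dir = home if rel_dir == "." else os.path.join(home, rel_dir)
        for name in filenames:
            os.makedirs(dest_dir, exist_ok=True)
            link = os.path.join(dest_dir, name)
            if os.path.lexists(link):
                continue  # choice made for this model: never overwrite
            os.symlink(os.path.join(dirpath, name), link)
            created.append(os.path.relpath(link, home))
    return sorted(created)


def build_sample_tree(root):
    """Constructed copy of the dotfiles tree shown in the article."""
    source = os.path.join(root, "dotfiles")
    os.makedirs(os.path.join(source, "folder", "subfolder"))
    os.makedirs(os.path.join(source, "emptyfolder"))
    for rel in ("file_a", "folder/file_b", "folder/subfolder/file_c"):
        with open(os.path.join(source, rel), "w") as handle:
            handle.write("sample\n")
    home = os.path.join(root, "home")
    os.makedirs(home)
    return source, home


def demo():
    with tempfile.TemporaryDirectory() as root:
        source, home = build_sample_tree(root)
        links = link_dotfiles(source, home)
        return {
            "links": links,
            "emptyfolder_created": os.path.exists(os.path.join(home, "emptyfolder")),
            "folder_is_symlink": os.path.islink(os.path.join(home, "folder")),
            "file_b_target": os.path.relpath(
                os.readlink(os.path.join(home, "folder", "file_b")), source),
        }


if __name__ == "__main__":
    print(demo())
```

Because only the files are links, anything written through them lands on the encrypted persistent partition, while a new file created directly in the home folder is lost at shutdown.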

Protecting Data and Plausible Deniability

Your persistent partition is already encrypted, but it has a significant drawback: it doesn’t provide plausible deniability. To achieve this, I suggest a solution different from the Tails developers’ recommendations. The Tails team suggests using cryptsetup based on LUKS, which allows you to create hidden partitions. However, such a partition isn’t completely hidden—its header can be detected, revealing its existence.

This isn’t good enough for me, so I use the tried-and-true TrueCrypt 7.1a. The header of a hidden TrueCrypt partition is indistinguishable from random data, and as far as I know, it can’t be detected. It’s best to keep the TrueCrypt binary in the persistent partition as well.
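
The difference between a detectable header and one that looks like random data can be shown with a signature check followed by an entropy measurement. This is an added example, not code from the original article or from either project; the sample sectors are constructed, and the random-looking one only stands in for what the article says a hidden TrueCrypt header looks like.

```python
import hashlib
import math
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"  # first six bytes of a LUKS header


def shannon_entropy(data):
    """Bits of entropy per byte, from the byte histogram of `data`."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify_header(sector):
    """Say what an examiner can tell from the first 512 bytes of a volume."""
    if sector.startswith(LUKS_MAGIC):
        version = int.from_bytes(sector[6:8], "big")
        return f"LUKS v{version} header"
    if shannon_entropy(sector) > 7.0:  # threshold chosen for this example
        return "no signature, looks random"
    return "structured data"


def pseudo_random(length, seed=b"constructed sample"):
    """Deterministic random-looking bytes so the example is repeatable."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed LUKS1-style sector: magic, version, cipher name, mode, hash spec.
LUKS_SAMPLE = (
    LUKS_MAGIC
    + (1).to_bytes(2, "big")
    + b"aes".ljust(32, b"\0")
    + b"xts-plain64".ljust(32, b"\0")
    + b"sha256".ljust(32, b"\0")
).ljust(512, b"\0")

# Constructed stand-in for a header with no recognisable structure.
RANDOM_SAMPLE = pseudo_random(512)

if __name__ == "__main__":
    for label, sector in (("luks", LUKS_SAMPLE), ("random", RANDOM_SAMPLE),
                          ("zeros", bytes(512))):
        print(label, "->", classify_header(sector),
              f"({shannon_entropy(sector):.2f} bits/byte)")
```

A high-entropy result only says that no signature was found; free space that was filled with random data gives the same answer.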

I won’t go into detail about creating a double crypto container, but here’s an important nuance: since a hidden TrueCrypt partition is truly hidden, even the program itself doesn’t know it exists until you enter the correct password. Because of this, writing files to the outer (decoy) partition can damage the hidden one. To prevent this, when mounting the outer partition to store decoy files (like cat pictures), select Mount Options → Protect hidden volume when mounting outer volume.

Just like a lizard can drop its tail in danger, you can now enter the password for the decoy partition and show everyone your cat photos instead of confidential information if needed.

Communication

Now that your information is secure, you can start communicating. Let’s start with Pidgin, which is a great IRC client and comes pre-installed in Tails with the OTR (Off-the-Record) plugin. OTR is especially interesting because it provides secure data transmission with deniability—meaning it’s impossible to prove a specific person wrote a specific message.
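
Why a MAC gives deniability where a digital signature would not, as an added example that is not part of the original article and is not OTR's actual wire format: both chat partners hold the same MAC key, so a tag convinces the peer but proves nothing to anyone else. The key, the messages and the use of HMAC-SHA256 are constructed for the illustration.

```python
import hashlib
import hmac


def make_tag(mac_key, message):
    """Authenticate `message` with a key that both chat partners hold."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def check_tag(mac_key, message, tag):
    """Constant-time verification, as the receiving side would do it."""
    return hmac.compare_digest(make_tag(mac_key, message), tag)


# Constructed session key; a real session derives it from a key exchange.
SESSION_MAC_KEY = hashlib.sha256(b"constructed shared session secret").digest()


def alice_send(message):
    """Alice tags what she really wrote."""
    return message, make_tag(SESSION_MAC_KEY, message)


def bob_fabricate(message):
    """Bob holds the same key, so he can tag text Alice never wrote."""
    return message, make_tag(SESSION_MAC_KEY, message)


def audit(transcript, mac_key):
    """What a third party sees when handed a transcript and the MAC key."""
    return [check_tag(mac_key, message, tag) for message, tag in transcript]


def tampered_in_transit(message, tag):
    """Someone without the key alters the text; the old tag no longer fits."""
    return message + b" (edited)", tag


if __name__ == "__main__":
    genuine = alice_send(b"meet at noon")
    fabricated = bob_fabricate(b"I confess to everything")
    print("audit of genuine + fabricated:",
          audit([genuine, fabricated], SESSION_MAC_KEY))
    print("audit of tampered message:",
          audit([tampered_in_transit(*genuine)], SESSION_MAC_KEY))
```

The genuine and the fabricated entry verify identically, so the tag protects the live conversation against tampering without tying any message to one author.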

Before chatting via OTR, connect to an IRC server. It’s crucial to use SSL. Tor encrypts traffic between its nodes, but if you don’t use SSL, your traffic will be unencrypted between your computer and the Tor entry node, and between the Tor exit node and the recipient. Some Tor nodes are banned on IRC servers, so you may need to restart Tor using the command /etc/init.d/tor restart.

Once connected to the server, select Buddies → New Instant Message. In the chat window, choose Not Private → Start Private Conversation.

You’ll be offered three authentication options: answer a secret question you’ve agreed on with your contact (the answer must match exactly, including spaces and case), enter a shared secret phrase, or verify the fingerprint—a 40-character sequence identifying the OTR user.

Now you can chat over OTR. But what about voice communication? Unfortunately, this is tricky. Since Tails routes all traffic through Tor, there are issues with voice calls. Most VoIP programs use UDP, but Tor only supports TCP. Also, Tor isn’t fast, so you may experience delays and dropped calls.

Still, there’s OnionPhone, a special plugin for TorChat. Mumble also works, though it’s less secure. To use Mumble over Tor, run it with torify mumble and select Force TCP in the network settings.

Email

You can use email in Tails just like in any other OS. The standard build includes the Icedove email client, and its settings and keys can be stored in the persistent partition. One important thing to remember: email subjects are not encrypted. This isn’t a bug, but a feature of the protocol. Also, it’s recommended to encrypt files sent via email.

Conclusion

I’ve only described some of Tails’ features, but the basic build includes a wide range of additional programs for you to explore. For example, check out software for erasing file metadata—it can help you protect yourself even better.
