Updating to Tails (TOR and i2P)

Prompted by the latest Kali update (the rolling Sana), I looked through all my USB stick and decided to update them all. One such stick has Tails, the privacy and anonymity minded OS on a stick with Tor and i2P, used by privacy advocates all over the world (including Edward Snowden).

20151030-Screenshot1-tailsDownloading Tails could not be easier, as all that’s needed is shown and explained on their website (see below).

Before downloading, take some reasonable precautions, such as making sure that your internet connection, router and DNS is unlikely to be compromised. How to do so is beyond the scope of this article, but Horowitz had some pointers back in 2014 (cw-eviltwin).

Counterintuitively, it may be safer to download via BitTorrent rather than straight from the website. Either way, upon downloading, you may “Decrypt and verify” the ISO image with GPG, as shown on their website (import their key in your GPG program, then Decrypt & Verify). This is important, especially if you’ll be trusting this with your privacy and/or anonymity.

20151105-Screenshot9-tails

If you see the above message, the ISO images is still correct. The warning signifies that you haven’t yet “trusted” their key by personally signing their key with your own key. The important part is making sure you have the correct key (from Tails developer) by checking against several sources. That’s what the link above attempts to show you.

Since this discussion is so important, we will mirror it below.

Tails signing key is actually already signed by the keys of several official developers of Debian, the operating system on which Tails is based. Debian makes an extensive use of OpenPGP and you can download the keys of all Debian developers by installing thedebian-keyring package. You can then verify the signatures those developers made with their own key on Tails signing key.

To download the Debian keyring you can do:

sudo apt-get install debian-keyring

To get a list of the signatures made by other people on Tails signing key you can do:

gpg --keyid-format long --list-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F

You will get something like this:

pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
      Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
uid               [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig 3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig          1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig          BACE15D2A57498FF 2015-01-19  [User ID not found]
sig          9C31503C6D866396 2015-02-03  [User ID not found]
sig          BB3A68018649AA06 2015-02-04  [User ID not found]
sig          091AB856069AAA1C 2015-02-05  [User ID not found]
sub   4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig          DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sub   4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig          DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>

The lines ending with '[User ID not found]' are signatures made by keys you still don't have in your keyring. You could try to search for them in the Debian keyring by their key ID: the 16 digit code between the 'sig' tag and the date. You could for example do:

gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --list-key 9C31503C6D866396

If this signature corresponds to a key in the Debian keyring you will get something like this:

pub   4096R/0x9C31503C6D866396 2010-09-27
      Key fingerprint = 4900 707D DC5C 07F2 DECB  0283 9C31 503C 6D86 6396
uid                 [ unknown] Stefano Zacchiroli <zack@upsilon.cc>
uid                 [ unknown] Stefano Zacchiroli <zack@debian.org>
uid                 [ unknown] Stefano Zacchiroli <zack@cs.unibo.it>
uid                 [ unknown] Stefano Zacchiroli <zack@pps.jussieu.fr>
uid                 [ unknown] Stefano Zacchiroli <zack@pps.univ-paris-diderot.fr>
sub   4096R/0x7DFA4FED02D0E74C 2010-09-27

You can then import it in your own keyring by doing:

gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export 9C31503C6D866396 | gpg --import

Now you can try to verify the signature made by this new key on Tails signing key by doing:

gpg --keyid-format long --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F

On the output, the status of the verification is indicated by a flag directly following the "sig" tag. A "!" indicates that the signature has been successfully verified, a "-" denotes a bad signature and a "%" is used if an error occurred while checking the signature (e.g. a non supported algorithm). For example, in the following output the signature of Stefano Zacchiroli on Tails signing key has been successfully verified:

pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
      Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
uid               [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig!3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig!         1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig!         9C31503C6D866396 2015-02-03  Stefano Zacchiroli <zack@upsilon.cc>
sub   4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig!         DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sub   4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig!         DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>

3 signatures not checked due to missing keys

Get into the Web of Trust!

When installing to a USB stick, what you need to choose is whether you want encrypted persistence or not, or, to put it simply, whether you want to keep data between sessions. This is a difficult question, as it inherently deals with the privacy and security vs convenience trade-off. If you do not want to retain data, you might want to consider burning to a read-only medium such as a DVD-ROM.

You need at least 4GB for encrypted persistence; if you only want the ISO burned, 2GB should suffice.

*(*This article is unfinished – it was scheduled to appear in the hope that it will be finished before, but since this message is here and until it is removed, the article is to be considered work in progress*)*.

Sources / More info: tails.boum.org, cw-eviltwin, tp-check

Comments

Popular posts from this blog