Updating to Tails (Tor and I2P)
Downloading Tails could not be easier, as all that’s needed is shown and explained on their website (see below).
Before downloading, take some reasonable precautions, such as making sure that your internet connection, router and DNS are unlikely to be compromised. How to do so is beyond the scope of this article, but Horowitz had some pointers back in 2014 (cw-eviltwin).
Counterintuitively, it may be safer to download via BitTorrent rather than straight from the website. Either way, upon downloading, you may “Decrypt and verify” the ISO image with GPG, as shown on their website (import their key in your GPG program, then Decrypt & Verify). This is important, especially if you’ll be trusting this with your privacy and/or anonymity.
If you see the above message, the ISO image is still correct. The warning signifies that you haven’t yet “trusted” their key by personally signing it with your own key. The important part is making sure you have the correct key (the one belonging to the Tails developers) by checking it against several sources. That’s what the link above attempts to show you.
Since this discussion is so important, we will mirror it below.
Tails signing key is actually already signed by the keys of several official developers of Debian, the operating system on which Tails is based. Debian makes extensive use of OpenPGP and you can download the keys of all Debian developers by installing the debian-keyring package. You can then verify the signatures those developers made with their own key on Tails signing key. To download the Debian keyring you can do:
sudo apt-get install debian-keyring
To get a list of the signatures made by other people on Tails signing key you can do:
gpg --keyid-format long --list-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
You will get something like this:
```
pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
      Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
uid                 [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig 3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig          1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig          BACE15D2A57498FF 2015-01-19  [User ID not found]
sig          9C31503C6D866396 2015-02-03  [User ID not found]
sig          BB3A68018649AA06 2015-02-04  [User ID not found]
sig          091AB856069AAA1C 2015-02-05  [User ID not found]
sub   4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig          DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sub   4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig          DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
```
The lines ending with '[User ID not found]' are signatures made by keys you still don't have in your keyring. You could try to search for them in the Debian keyring by their key ID: the 16-digit code between the 'sig' tag and the date. You could for example do:
gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --list-key 9C31503C6D866396
If this signature corresponds to a key in the Debian keyring you will get something like this:
```
pub   4096R/0x9C31503C6D866396 2010-09-27
      Key fingerprint = 4900 707D DC5C 07F2 DECB  0283 9C31 503C 6D86 6396
uid                 [ unknown] Stefano Zacchiroli <zack@upsilon.cc>
uid                 [ unknown] Stefano Zacchiroli <zack@debian.org>
uid                 [ unknown] Stefano Zacchiroli <zack@cs.unibo.it>
uid                 [ unknown] Stefano Zacchiroli <zack@pps.jussieu.fr>
uid                 [ unknown] Stefano Zacchiroli <zack@pps.univ-paris-diderot.fr>
sub   4096R/0x7DFA4FED02D0E74C 2010-09-27
```
You can then import it in your own keyring by doing:
gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export 9C31503C6D866396 | gpg --import
Now you can try to verify the signature made by this new key on Tails signing key by doing:
gpg --keyid-format long --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
In the output, the status of the verification is indicated by a flag directly following the "sig" tag. A "!" indicates that the signature has been successfully verified, a "-" denotes a bad signature and a "%" is used if an error occurred while checking the signature (e.g. an unsupported algorithm). For example, in the following output the signature of Stefano Zacchiroli on Tails signing key has been successfully verified:
```
pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
      Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
uid                 [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig!3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig!         1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig!         9C31503C6D866396 2015-02-03  Stefano Zacchiroli <zack@upsilon.cc>
sub   4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig!         DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sub   4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig!         DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
3 signatures not checked due to missing keys
```
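The whole procedure above (list the signatures on the Tails key, look up each still-unknown signer in the Debian keyring, import it, re-check) is easy to get wrong when done by eye, because everything hinges on reading the one-character flag after the "sig" tag. The script below is an added example, not part of the article or of the Tails documentation it mirrors: it parses the human-readable `--list-sigs` / `--check-sigs` output in the format shown above, reports which signatures are verified and which signer key IDs are still missing, and wraps the article's commands in one function. The function names are ours; the fingerprint and the Debian keyring path are the ones given in the article; the two embedded listings are constructed samples trimmed from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the article or the Tails docs): helpers for reading
# the output of
#   gpg --keyid-format long --list-sigs  <fingerprint>
#   gpg --keyid-format long --check-sigs <fingerprint>
# in the human-readable form shown in the article. Function names are ours.

TAILS_FPR="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"   # from the article
DEBIAN_KEYRING="/usr/share/keyrings/debian-keyring.gpg" # from the article

# Print "STATUS KEYID SIGNER" for every sig line of a gpg listing (file
# argument, or stdin when omitted). STATUS is "!" verified, "-" bad,
# "%" error while checking, "?" not checked (signer key not in the keyring).
parse_sigs() {
    awk '
        $1 ~ /^sig/ {
            st = substr($1, 4, 1)                 # flag glued to the sig tag
            if (st !~ /^[!%-]$/) st = "?"
            for (i = 2; i <= NF; i++)             # first 16-hex-digit field
                if (length($i) == 16 && $i ~ /^[0-9A-F]+$/) break
            if (i > NF) next
            kid = $i
            signer = ""                           # everything after the date
            for (j = i + 2; j <= NF; j++) signer = signer (signer == "" ? "" : " ") $j
            print st, kid, signer
        }' "${1:--}"
}

# Number of signatures gpg marked as verified ("sig!").
count_verified() { parse_sigs "$1" | awk '$1 == "!" { n++ } END { print n + 0 }'; }

# Key IDs of signers whose keys are not in your keyring yet, one per line:
# these are the IDs to look up in the Debian keyring.
missing_signers() { parse_sigs "$1" | awk '$1 == "?" && /User ID not found/ { print $2 }'; }

# Succeeds only if the signature made by KEYID on the listed key was verified.
verified_by() {
    parse_sigs "$1" | awk -v k="$2" '$1 == "!" && $2 == k { f = 1 } END { exit !f }'
}

# The article's procedure end to end. Needs gpg and the debian-keyring
# package, so it only runs when called explicitly.
check_tails_key_against_debian() {
    listing=$(mktemp)
    gpg --keyid-format long --list-sigs "$TAILS_FPR" > "$listing"
    for kid in $(missing_signers "$listing"); do
        if gpg --keyring="$DEBIAN_KEYRING" --list-key "$kid" >/dev/null 2>&1; then
            gpg --keyring="$DEBIAN_KEYRING" --export "$kid" | gpg --import
        fi
    done
    gpg --keyid-format long --check-sigs "$TAILS_FPR" > "$listing"
    parse_sigs "$listing"
    echo "verified signatures on the Tails key: $(count_verified "$listing")"
    rm -f "$listing"
}

# Constructed sample: the article's --list-sigs output before any Debian
# developer key was imported (fingerprint line and subkeys trimmed).
sample_list_sigs() {
cat <<'EOF'
pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
uid                 [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig 3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig          1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig          BACE15D2A57498FF 2015-01-19  [User ID not found]
sig          9C31503C6D866396 2015-02-03  [User ID not found]
sig          BB3A68018649AA06 2015-02-04  [User ID not found]
sig          091AB856069AAA1C 2015-02-05  [User ID not found]
EOF
}

# Constructed sample: the article's --check-sigs output after importing
# Stefano Zacchiroli's key (trimmed the same way).
sample_check_sigs() {
cat <<'EOF'
pub   4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
uid                 [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig!3        DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
sig!         1202821CBE2CD9C1 2015-01-19  Tails developers (signing key) <tails@boum.org>
sig!         9C31503C6D866396 2015-02-03  Stefano Zacchiroli <zack@upsilon.cc>
sub   4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig!         DBB802B258ACD84F 2015-01-18  Tails developers (offline long-term identity key) <tails@boum.org>
3 signatures not checked due to missing keys
EOF
}

# Offline demo on the constructed samples (no gpg needed).
echo "signers still to look up in the Debian keyring:"
sample_list_sigs | missing_signers
echo "verified signatures after the import: $(sample_check_sigs | count_verified)"
```

Run as-is it only processes the embedded samples; `check_tails_key_against_debian` is the live path and expects the `debian-keyring` package from the article to be installed. Note that a verified signature only tells you the Debian developer's key signed the Tails key; you still have to satisfy yourself, as the article says, that the Debian keys you fetched are genuine.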
When installing to a USB stick, the choice you need to make is whether you want encrypted persistence or not, or, to put it simply, whether you want to keep data between sessions. This is a difficult question, as it inherently deals with the privacy and security vs. convenience trade-off. If you do not want to retain data, you might want to consider burning to a read-only medium such as a DVD-ROM.
You need at least 4GB for encrypted persistence; if you only want the ISO burned, 2GB should suffice.
*(This article is unfinished – it was scheduled to appear in the hope that it would be finished before then, but as long as this message is here and until it is removed, the article is to be considered work in progress.)*
Sources / More info: tails.boum.org, cw-eviltwin, tp-check