Create and use encrypted volumes
Download Tails 0.23 March 19, 2014

The simplest way to carry around the documents you want to use with Tails and make sure that they haven't been accessed nor modified is to store them in an encrypted volume: a dedicated partition on a USB stick or an external hard-disk.

Tails comes with utilities for LUKS, a standard for disk-encryption under Linux.

  • The Gnome Disk Utility, allows you to create encrypted volumes
  • The Gnome Desktop, allows you to open encrypted volumes
  1. Create an encrypted partition
    1. Open the Gnome Disk Utility
    2. Identify your external storage device
    3. Format the device
    4. Create a new encrypted partition
    5. Use the new partition
  2. Open an existing encrypted partition

Create an encrypted partition

Open the Gnome Disk Utility

From the menu Applications ▸ System Tools ▸ Disk Utility.

Disk Utility

Identify your external storage device

The disk utility will list all the current storage devices on the left side of the screen:

List of storage devices

Plug in the external storage device that you want to use.

A new device should appear in the list of storage devices. Click on it with the cursor:

A new storage device appeared in the list

Format the device

Check that the description of the device on the right side of the screen corresponds to your device: its brand, its size, etc.

Drive description

Click on Format Drive to erase all the existing partitions on the device. If you're not sure, don't change the default option: Master Boot Record.

Format drive

You will be prompted with a confirmation message.

Are you sure you want to format the drive?

Create a new encrypted partition

Now the schema of the partitions in the middle of the screen shows an empty device.

Free 3.9 GB

Click on Create Partition.

A window with options to configure the new partition will appear.

Create partition on…

  • Size: you can decide to create a partition on the whole device or just on part of it. In this example we are creating a partition of 2.0 GB on a device of 3.9 GB.
  • Type: you can change the filesystem type of the partition. If you are not sure you can leave the default value: Ext4.
  • Name: you can set a name for the partition. This name will remain invisible until the partition is open but will help you to identify it during use.
  • Encrypt underlying device: check this box to encrypt the partition!

Then click on Create.

You will be asked to enter a passphrase for the new partition.

Enter Passphrase

Then click on Create.

Creating the partition might take a few seconds after which the schema of the device will display the new encrypted partition:

Encrypted 2.0 GB / secret 2.0 GB ext4

At this point you can create other partitions in the free space left on the device, if you want, by clicking on it and doing again Create Partition.

Use the new partition

Now you can access this new volume from the Places menu with the name you gave it. You won't be asked for its passphrase unless you unplug it and plug it again.

Places ▸ secret

Open an existing encrypted partition

When plugging a device containing an encrypted partition, Tails won't mount it automatically but it will appear in the Places menu. If several partitions appear as Encrypted, like in the example, you can use its size to guess which one is the one you want to open.

Places ▸ 2.0 GB Encrypted

You will be asked to enter the passphrase to unlock the volume.

Enter a password to unlock the volume.

In case you get it wrong, you will be warned with an error message. You can try to open the partition as before and as many times as you want.

Unable to mount 2.0 GB Encrypted

In case you get it right, it will open a file browser in this partition.

secret - File Browser

Once you are done using the device, to close the encrypted partition choose Places ▸ Computer, right-click on the device, and select Safely Remove Drive.