The simplest way to carry around the documents you want to use with Tails and make sure that they haven't been accessed nor modified is to store them in an encrypted volume: a dedicated partition on a USB stick or an external hard-disk.
Tails comes with utilities for LUKS, a standard for disk-encryption under Linux.
- The GNOME Disk Utility, allows you to create encrypted volumes.
- The GNOME desktop, allows you to open encrypted volumes.
To store encrypted files on a Tails device, it is recommended to create a persistent volume instead.
To open the GNOME Disk Utility choose .
Disk Utility lists all the current storage devices on the left side of the screen.
Plug in the external storage device that you want to use.
A new device appears in the list of storage devices. Click on it:
Check that the description of the device on the right side of the screen corresponds to your device: its brand, its size, etc.
Click on Format Drive to erase all the existing partitions on the device.
In the dialog box to select the Scheme, if you are unsure, leave the default option Master Boot Record selected.
Now the schema of the partitions in the middle of the screen shows an empty device.
Click on Create Partition.
Configure the new partition:
- Size. You can decide to create a partition on the whole device or just on part of it. In this example we are creating a partition of 2.0 GB on a device of 3.9 GB.
- Type. You can change the file system type of the partition. If you are not sure you can leave the default value: Ext4.
- Name. You can set a name for the partition. This name remains invisible until the partition is open but can help you to identify it during use.
- Encrypt underlying device. Select this option to encrypt the partition.
Then click on thebutton.
Enter a passphrase for the new partition in the Enter passphrase dialog box. Then click on the button.
Creating the partition takes from a few seconds to a few minutes. After that, the new encrypted partition appears in the volumes of the device:
At this point you can create other partitions in the free space left on the device, if you want, by clicking on it and doing again Create Partition.
You can access this new volume from themenu with the name you gave it.
When plugging a device containing an encrypted partition, Tails does not mount it automatically but it appears in themenu. If several partitions appear as , like in the example, you can use its size to guess which one is the one you want to open.
Once you are done using the device, to close the encrypted partition choose Safely Remove Drive., right-click on the device, and select
Such encrypted volumes are not hidden. An attacker in possession of the device can know that there is an encrypted volume on it. Take into consideration that you can be forced or tricked to give out its passphrase.
It is possible to open such encrypted volumes from other operating systems, but it might break your security. Other operating systems should probably not be trusted to handle sensitive information or leave no trace.