The simplest way to carry around the documents you want to use with Tails and make sure that they haven't been accessed nor modified is to store them in an encrypted volume: a dedicated partition on a USB stick or an external hard-disk.

Tails comes with utilities for LUKS, a standard for disk-encryption under Linux.

  • The GNOME Disk Utility, allows you to create encrypted volumes.
  • The GNOME desktop, allows you to open encrypted volumes.

To store encrypted files on a Tails device, it is recommended to create a persistent volume instead.

Create an encrypted partition

To open the GNOME Disk Utility choose Applications ▸ Accessories ▸ Disk Utility.

Identify your external storage device

Disk Utility lists all the current storage devices on the left side of the screen.

  1. Plug in the external storage device that you want to use.

  2. A new device appears in the list of storage devices. Click on it:

    A new storage device appeared
 in the list

Format the device

  1. Check that the description of the device on the right side of the screen corresponds to your device: its brand, its size, etc.

  2. Click on Format Drive to erase all the existing partitions on the device.

  3. In the dialog box to select the Scheme, if you are unsure, leave the default option Master Boot Record selected.

Create a new encrypted partition

Now the schema of the partitions in the middle of the screen shows an empty device.

Free 3.9 GB

  1. Click on Create Partition.

  2. Configure the new partition:

    Create partition on…

    • Size. You can decide to create a partition on the whole device or just on part of it. In this example we are creating a partition of 2.0 GB on a device of 3.9 GB.
    • Type. You can change the file system type of the partition. If you are not sure you can leave the default value: Ext4.
    • Name. You can set a name for the partition. This name remains invisible until the partition is open but can help you to identify it during use.
    • Encrypt underlying device. Select this option to encrypt the partition.

    Then click on the Create button.

  3. Enter a passphrase for the new partition in the Enter passphrase dialog box. Then click on the Create button.

  4. Creating the partition takes from a few seconds to a few minutes. After that, the new encrypted partition appears in the volumes of the device:

    Encrypted 2.0 GB / secret 2.0 GB ext4

  5. At this point you can create other partitions in the free space left on the device, if you want, by clicking on it and doing again Create Partition.

Use the new partition

You can access this new volume from the Places menu with the name you gave it.

Places ▸ secret

Open an existing encrypted partition

When plugging a device containing an encrypted partition, Tails does not mount it automatically but it appears in the Places menu. If several partitions appear as Encrypted, like in the example, you can use its size to guess which one is the one you want to open.

Places ▸ 2.0 GB Encrypted

Once you are done using the device, to close the encrypted partition choose Places ▸ Computer, right-click on the device, and select Safely Remove Drive.

Storing sensitive documents

Such encrypted volumes are not hidden. An attacker in possession of the device can know that there is an encrypted volume on it. Take into consideration that you can be forced or tricked to give out its passphrase.

Opening encrypted volumes from other operating systems

It is possible to open such encrypted volumes from other operating systems, but it might break your security. Other operating systems should probably not be trusted to handle sensitive information or leave no trace.