0.95

Download Tails 3.3

Direct download

1.2Verify your download using your browser

For your security,
always verify your download!

X

With an unverified download, you might:

Our browser extension makes it quick and easy.

Install Tails Verification extension Install Tails Verification extension

You seem to have JavaScript disabled. To use our browser extension, please allow all this page:

Your extension is an older version.

Update extension Update extension

Tails Verification extension installed!

Verifying $FILENAME

Verification successful!

Verification failed!

X

Most likely, the verification failed because of an error or interruption during the download.

Less likely, the verification might have failed because of a malicious download from our download mirrors or due to a network attack in your country or local network.

Downloading again is usually enough to fix this problem.

Please try to download again…

Verification failed again!

X

The verification might have failed again because of:

  • A software problem in our verification extension
  • A malicious download from our download mirrors
  • A network attack in your country or local network

Trying from a different place or a different computer might solve any of these issues.

Please try to download again from a different place or a different computer…

1.3Continue installing upgrading installing or upgrading

You are using $DETECTED-BROWSER.

Direct download is only available for:

  • Firefox $MINVER-FIREFOX and later (Download)
  • Chrome$MINVER-CHROME and later (Download)
  • Tor Browser $MINVER-TOR-BROWSER and later (Download)

Please update your browser to the latest version.

For your security,
always verify your download!

X

With an unverified download, you might:

Our browser extension for Firefox, Chrome, and Tor Browser makes this quick and easy.

Copy and paste this link in Firefox, Chrome, or Tor Browser:

https://tails.boum.org/install/debian/usb-download/

https://tails.boum.org/install/win/usb-download/

https://tails.boum.org/install/linux/usb-download/

https://tails.boum.org/install/mac/usb-download/

https://tails.boum.org/install/mac/dvd-download/

https://tails.boum.org/upgrade/tails-download/

https://tails.boum.org/install/dvd-download/

https://tails.boum.org/install/vm-download/

https://tails.boum.org/install/download/

BitTorrent download

X

BitTorrent is a peer-to-peer technology for file sharing that makes your download faster and easier to resume.

You need to install BitTorrent software on your computer, like Transmission (for Windows, macOS, and Linux).

BitTorrent doesn't work over Tor or in Tails.

1.1Download Tails (Torrent file)

Download Tails 3.3 Torrent file

1.2Verify your download using BitTorrent

Your BitTorrent client will automatically verify your download when it is complete.

1.3Continue installing upgrading installing or upgrading

Open and download the Torrent file with your BitTorrent client. It contains the Tails 3.3 ISO image that you will use in the next step.

Verify using OpenPGP (optional)

If you know OpenPGP, you can also verify your download using an OpenPGP signature instead, or in addition to, our browser extension or BitTorrent.

  1. Download the Tails signing key.

  2. Download the Tails 3.3 OpenPGP signature and save it to the same folder where you saved the ISO image.

Basic OpenPGP verification

Verifying using OpenPGP but without authenticating our signing key through the OpenPGP Web of Trust is equivalent in terms of security to verifying using our browser extension or BitTorrent because it relies on downloading a genuine signing key from our website.

See instructions for basic OpenPGP verification.

This section provides simplified instructions:

In Windows with Gpg4win

See the Gpg4win documentation on verifying signatures.

Verify the date of the signature to make sure that you downloaded the latest version.

If the following warning appears:

Not enough information to check the signature validity.
Signed on ... by tails@boum.org (Key ID: 0x58ACD84F
The validity of the signature cannot be verified.

Then the ISO image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

In macOS using GPGTools

  1. Open Finder and navigate to the folder where you saved the ISO image and the signature.
  2. Right-click on the ISO image and choose ServicesOpenPGP: Verify Signature of File.

In Tails

  1. Open the file browser and navigate to the folder where you saved the ISO image and the signature.
  2. Right-click on the signature and choose Open With Verify Signature.
  3. The verification of the ISO image starts automatically:

  4. After the verification finishes, click on the notification counter in the bottom-right corner and on the notification with a transparent background on the right of the notification area:

    Verify the date of the signature to make sure that you downloaded the latest version.

Using the command line

  1. Open a terminal and navigate to the folder where you saved the ISO image and the signature.
  2. Execute:

    gpg --keyid-format 0xlong --verify tails-amd64-3.3.iso.sig tails-amd64-3.3.iso

    The output of this command should be the following:

    gpg: Signature made 2017-11-14T05:20:28 CET
    gpg:                using RSA key BA2C222F44AC00ED9899389398FEC6BC752A3DB6
    gpg: Good signature from "Tails developers <tails@boum.org>" [undefined]
    gpg:                 aka "Tails developers (offline long-term identity key) <tails@boum.org>" [full]
    Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
         Subkey fingerprint: BA2C 222F 44AC 00ED 9899  3893 98FE C6BC 752A 3DB6

    Verify the date of the signature to make sure that you downloaded the latest version.

    If the output also includes:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.

    Then the ISO image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

Authenticate the signing key through the OpenPGP Web of Trust

Authenticating our signing key through the OpenPGP Web of Trust is the only verification technique that can protect you in case our website is compromised. It is also the most complicated technique and might not be possible for everyone to perform because it relies on trust relationships between individuals.

Read more about authenticating the Tails signing key through the OpenPGP Web of Trust.

The verification techniques presented until now (browser extension, BitTorrent, or OpenPGP verification) all rely on some information being securely downloaded using HTTPS from our website:

  • The checksum for the Firefox extension
  • The Torrent file for BitTorrent
  • The Tails signing key for the OpenPGP verification

But, while doing so, you could download malicious information if our website is compromised or if you are a victim of a man-in-the-middle attack.

The OpenPGP verification is the only technique that allows you to verify the ISO image even better by also authenticating the Tails signing key through the OpenPGP Web of Trust. Relying on the OpenPGP Web of Trust is the only way to completely protect you from malicious downloads.

If you are verifying an ISO image from inside Tails already, for example to do a manual upgrade, then the Tails signing key is already included in Tails. You can trust this signing key as much as you are trusting your Tails installation already because you are not downloading it.

One of the inherent problems of standard HTTPS is that the trust we usually put in a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by your web browser vendor. This model of trust has long been criticized and proved several times to be vulnerable to attacks as explained on our warning page.

We believe that, instead, users should be given the final say when trusting a website, and that designation of trust should be done on the basis of human interactions.

The OpenPGP Web of Trust is a decentralized trust model based on OpenPGP keys that can help solving this problem. Let's see this with an example:

  1. You are friends with Alice and really trust her way of managing OpenPGP keys. So you are trusting Alice's key.
  2. Furthermore, Alice met Bob, a Tails developer, in a conference and certified Bob's key. So Alice is trusting Bob's key.
  3. Bob is a Tails developer who directly owns the Tails signing key. So Bob fully trusts the Tails signing key.

In this scenario, Alice found a path to trust the Tails signing key without the need to rely on certificate authorities.

If you are on Debian, Ubuntu, or Linux Mint, you can install the debian-keyring package which contains the OpenPGP keys of all Debian developers. Some Debian developers have certified the Tails signing key and you can use these certifications to build a trust path. This technique is explained in detail in our instructions on installing Tails from Debian, Ubuntu, or Linux Mint using the command line.

Relying on the Web of Trust requires both caution and intelligent supervision by the users. The technical details are outside of the scope of this document.

Since the Web of Trust is actually based on human relationships and real-life interactions, the best is to get in touch with people knowledgeable about OpenPGP and build trust relationships in order to find your own trust path to the Tails signing key.

For example, you can start by contacting a local Linux User Group, an organization offering Tails training, or other Tails enthusiasts near you and exchange about their OpenPGP practices.

After you build a trust path, you can certify the Tails signing key by signing it with your own key to get rid of some warnings during the verification process.