1. Other useful resources
  2. Tails project
    1. What is the relationship between Tor and Tails?
    2. Why is Tails based on Debian and not on another distribution?
    3. Why isn't Tails based on Ubuntu?
    4. Why does Tails ship the GNOME Desktop?
  3. Tails website
    1. Why does tails.boum.org rely on a commercial SSL certificate?
  4. Hardware compatibility
    1. Does Tails work with 64-bit processors?
    2. Does Tails work on ARM architecture, Raspberry Pi, or tablets?
  5. Installation
    1. Can I install Tails permanently onto my hard disk?
    2. Can I install Tails with UNetbootin, YUMI, Rufus or my other favorite tool?
    3. Should I update Tails using apt-get or Synaptic?
    4. Can I buy a preinstalled Tails device?
  6. Web browser
    1. Why is JavaScript enabled by default in Tor Browser?
    2. Can I install other add-ons in Tor Browser?
    3. Should I manually update add-ons included in Tor Browser?
    4. Can I view websites using Adobe Flash with Tails?
    5. How to analyse the results of online anonymity tests?
    6. Is Java installed in the Tor Browser?
  7. Persistence
    1. Can I save my custom settings?
    2. How strong is the encryption of the persistent volume and LUKS?
    3. Is it possible to recover the passphrase of the persistent volume?
  8. Networking
    1. Can I use Tails with a VPN?
    2. Can I choose the country of my exit nodes or further edit the torrc?
    3. Does Tails change the MAC address of my network interfaces?
    4. How does the DNS resolution work in Tails?
    5. Why does Tails automatically connect to several websites when starting?
    6. Can I help the Tor network by running a relay or a bridge in Tails?
    7. Can I run a Tor hidden service on Tails?
    8. Can I use ping in Tails?
  9. Software not included in Tails
    1. Can my favourite software be included in Tails?
    2. Can I download using BitTorrent with Tails?
    3. Can I download videos from websites?
  10. Desktop environment
    1. Why is the time set wrong?
  11. Other security issues
    1. Is it safe to use Tails on a compromised system?
    2. Can I verify the integrity of a Tails device?
    3. Can I use the memory wipe feature of Tails on another operating system?
    4. Where is the New Identity button?
    5. Can I use TrueCrypt with Tails?
    6. Does Tails collect information about its users?
    7. Does Tails need an antivirus?

Other useful resources

Tails project

What is the relationship between Tor and Tails?

See our explanation about why does Tails use Tor.

Why is Tails based on Debian and not on another distribution?

We are deeply rooted and involved in Debian. The friendships, relationships, and technical expertise we have in Debian have many benefits for Tails, and we are not ready to build the same relationship with Ubuntu, OpenBSD, or any other distribution. See our statement about our relationship with upstream for details.

See also the article Why there are so many Debian derivatives by Stefano Zacchiroli.

Why isn't Tails based on Ubuntu?

First, see the answer to the previous question.

  1. The rapid development cycle of Ubuntu would be too fast for Tails.
  2. Ubuntu adds features in ways that we find dangerous for privacy. For example Ubuntu One (partly discontinued) and the Amazon ads and data leaks.
  3. Ubuntu is led by a company that takes most of the important decisions and has the power to make them happen.
  4. We usually ship kernels and video drivers from Debian backports. The result is comparable to Ubuntu in terms of support for recent hardware.
  5. We think that the general quality of the maintenance work being done on packages matters from a security perspective. Debian maintainers generally are experts in the fields their packages deal with; while it is generally not the case outside of the limited number of packages Ubuntu officially supports.
  6. We are actively working on improving AppArmor support in Tails; a security framework that is already used in a few Ubuntu applications.
  7. We are also working on adding compiler hardening options to more Debian packages included in Tails; another security feature that Ubuntu already provides.

Why does Tails ship the GNOME Desktop?

We had users ask for LXDE, XFCE, MATE, KDE, and so on, but we are not going to change desktop. According to us, the main drawback of GNOME is that it requires quite a lot of resources to work properly, but it has many advantages. The GNOME Desktop is:

  • Well integrated, especially for new Linux users.
  • Very well translated and documented.
  • Doing relatively good regarding accessibility features.
  • Actively developed.
  • Well maintained in Debian, where it is the default desktop environment.

We invested quite some time in acquiring GNOME knowledge, and switching our desktop environment would require going through that process again.

We are not proposing several desktop environments to choose from because we want to limit the amount of software included in Tails.

Tails website

Why does tails.boum.org rely on a commercial SSL certificate?

HTTPS provides encryption and authentication on the web. The standard authentication mechanism through SSL certificates is centralized and based on commercial or institutional certificate authorities. This mechanism has proven to be susceptible to various methods of compromise. See our warning about man-in-the-middle attacks.

Still, we use HTTPS on our website and rely on a commercial certificate even if we acknowledge those security problems.

  1. Providing no HTTPS and no kind of encryption would be a worse option.

  2. Providing a self-signed certificate or another marginally supported authentication mechanism would not work for the majority of users. Modern browsers display very strong warnings when facing a self-signed certificate, and many people would think the website is broken while it is not.

We prefer to provide weak security, using a commercial certificate, that still works for most people. At the same time, we make clear this security is limited and encourage stronger ways of verifying the authenticity of Tails once downloaded. See our documentation on verifying the ISO image using OpenPGP.

Hardware compatibility

Does Tails work with 64-bit processors?

Yes. Tails automatically detects the type of processor of the computer and loads a 32-bit or a 64-bit kernel accordingly.

Does Tails work on ARM architecture, Raspberry Pi, or tablets?

For the moment, Tails is only available on the x86 and x86_64 architectures. The Raspberry Pi and many tablets are based on the ARM architecture. Tails does not work on the ARM architecture so far.

Look for a tablet with an AMD or Intel processor. Try to verify its compatibility with Debian beforehand, for example make sure that the Wi-Fi interface is supported.

Installation

Can I install Tails permanently onto my hard disk?

This is not possible using the recommended installation methods. Tails is designed to be a live system running from a removable media: DVD, USB stick or SD card.

This is a conscious decision as this mode of operation is better for what we want to provide to Tails users: amnesia, the fact that Tails leaves no traces on the computer after a session is closed.

Can I install Tails with UNetbootin, YUMI, Rufus or my other favorite tool?

No. Those installation methods are unsupported. They might not work at all, or worse: they might seem to work, but produce a Tails device that does not behave like Tails should. Follow the download and installation documentation instead.

Should I update Tails using apt-get or Synaptic?

No. Tails provides upgrades every six weeks, that are thoroughly tested to make sure that no security feature or configuration gets broken. If you upgrade the system yourself using apt-get or Synaptic, you might break things. Upgrading when you get a notification from Tails Upgrader is enough.

Can I buy a preinstalled Tails device?

No, we don't sell preinstalled Tails devices.

Selling preinstalled devices would in fact be a pretty bad idea:

  • If burned on a DVD, then this DVD would be outdated on the next release. This means after 6 weeks at most.
  • If installed onto a USB stick, then it would be impossible to verify that the Tails on the USB stick is genuine. Trusting that a Tails device is genuine should be based either on cryptographic verification or on personal trust (if you know someone you trust who can clone a Tails device for you). But once Tails is installed on a USB stick it is not possible to use our cryptographic verification techniques anymore. Being able to trust your Tails device is something that we really care about.

Web browser

Why is JavaScript enabled by default in Tor Browser?

Many websites today require JavaScript to work correctly. As a consequence JavaScript is enabled by default in Tails to avoid confusing many users. But the Torbutton extension, included in Tails, takes care of blocking dangerous JavaScript functionalities.

Tor Browser also includes a security slider and the NoScript extension to optionally disable more JavaScript. This might improve security in some cases. However, if you disable JavaScript, then the fingerprint of your browser will differ from most Tor users. This might break your anonymity.

We think that having JavaScript enabled by default is the best possible compromise between usability and security in this case.

Can I install other add-ons in Tor Browser?

Installing add-ons in Tor Browser might break the security built in Tails.

Add-ons can do many things within the browser, and even if all the networking goes through Tor, some add-ons might interact badly with the rest of the configuration or leak private information.

  1. They can track and reveal information about your browsing behaviour, browsing history, or system information, either on purpose or by mistake.

  2. They can have bugs and security holes that can be remotely exploited by an attacker.

  3. They can have bugs breaking the security offered by other add-ons, for example Torbutton, and break your anonymity.

  4. They can break your anonymity by making your browsing behaviour distinguishable amongst other Tails users.

Unless proven otherwise, no add-on, apart from the ones already included in Tails, have been seriously audited and should be considered safe to use in this context.

Should I manually update add-ons included in Tor Browser?

No. Tails provides upgrades every six weeks, that are thoroughly tested to make sure that no security feature or configuration gets broken. Updating add-ons in Tor Browser might break the security built in Tails.

Can I view websites using Adobe Flash with Tails?

Adobe Flash Player is not included in Tails for several reasons:

  • It is proprietary software which prevents us from legally including it in Tails.
  • It is closed source and so we have no idea of what it really does.
  • It has a very long history of serious security vulnerabilities.
  • It is known to favor privacy invasive technologies such as Local shared object.
  • Adobe only maintains their GNU/Linux Flash plugin for Google Chrome.

We have considered including open-source alternative software to Adobe Flash, such as Gnash, but it is not the case yet, see #5363.

But you can already watch HTML5 videos with Tor Browser.

How to analyse the results of online anonymity tests?

Fingerprinting websites such as https://panopticlick.eff.org/ or https://ip-check.info/ try to retrieve as much information as possible from your browser to see if it can be used to identify you.

As explained in our documentation about fingerprinting, Tails provides anonymity on the web by making it difficult to distinguish a particular user amongst all the users of Tor Browser (either in Tails or on other operating systems).

So, the information retrieved by such fingerprinting websites is not harmful for anonymity in itself, as long as it is the same for all users of Tor Browser.

For example, the user-agent property of the browser was set to Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3, as of Tails 0.21 and Tor Browser 2.3.25-13. This value preserves your anonymity even if the operating system installed on the computer is Windows NT and you usually run Firefox. On the other hand, changing this value makes you distinguishable from others users of Tor Browser and breaks your anonymity.

Furthermore, we verify the result of those websites before each release, see our test suite.

Is Java installed in the Tor Browser?

Tails does not include a Java plugin in its browser because it could break your anonymity.

Persistence

Can I save my custom settings?

… like language, keyboard layout, background image, toolbar position, browser settings, touchpad preferences, etc.

By default Tails does not save anything from one working session to another. Only the persistent volume allows you to reuse data across different working sessions. See the list of existing persistent features.

We are frequently requested to add new persistent features but we are usually busy working on other priorities. See our open tickets about persistence. Any bit of help is welcome.

How strong is the encryption of the persistent volume and LUKS?

Tails uses LUKS to encrypt the persistent volume. This is the same technique as the one we recommend for creating and using encrypted volumes in general.

LUKS is a very popular standard for disk encryption in Linux. LUKS is the default technique for full-disk encryption proposed by many distribution, including Debian and Ubuntu, when installing a regular system.

Currently the default cipher is aes-cbc-essiv:sha256 with a key size of 256 bits.

To understand better how persistence work, see our design document.

Is it possible to recover the passphrase of the persistent volume?

No. The encryption of the persistent volume is very strong and it is not possible to recover the passphrase of the persistent volume. If the passphrase is weak enough, an attacker, using a brute force attack, could try many possible passphrases and end up guessing your passphrase.

Networking

Can I use Tails with a VPN?

Three possible scenarios need to be distinguished:

  • Using a VPN instead of Tor
  • Using a VPN to connect to Tor (VPN before Tor)
  • Connecting to a VPN using Tor (VPN after Tor)

For more information, see our blueprint on VPN support.

Using a VPN instead of Tor

It is a very fundamental assumption of Tails to force all outgoing traffic to anonymity networks such as Tor. VPN are not anonymity networks, because the administrators of the VPN can know both where you are connecting from and where you are connecting to. Tor provides anonymity by making it impossible for a single point in the network to know both the origin and the destination of a connection.

Using a VPN to connect to Tor (VPN before Tor)

In some situations, you might be forced to use a VPN to connect to the Internet, for example by your ISP. This is currently not possible using Tails. See #5858.

Tor bridges can also be useful to bypass the limitations imposed by your ISP.

Connecting to a VPN using Tor (VPN after Tor)

In some situtations, it can be useful to connect to a VPN through Tor:

  • To access services that block connections coming from Tor.
  • To access ressources only available inside a VPN, for example at your company or University.

This is currently not possible easily using Tails.

Can I choose the country of my exit nodes or further edit the torrc?

It is possible to edit the Tor configuration file (torrc) with administration rights but you should not do so as it might break your anonymity.

For example, as mentioned in the Tor Browser FAQ, using ExcludeExitNodes is not recommended because "overriding the exit nodes can mess up your anonymity in ways we don't understand".

Does Tails change the MAC address of my network interfaces?

Starting from Tails 0.23, MAC spoofing is enabled by default on all interfaces.

How does the DNS resolution work in Tails?

See our design document on this topic.

Why does Tails automatically connect to several websites when starting?

Tor requires the system clock to be well synchronized in order to work properly. When starting Tails, a notification is displayed while the clock is being synchronized.

This synchronization is made by sending HTTPS queries through Tor to severals websites and deducing a correct time from their answers. The list of websites that could be queried in this process can be found in /etc/default/htpdate.

See also our design document on this topic.

Can I help the Tor network by running a relay or a bridge in Tails?

It is currently impossible to run a Tor relay or bridge in Tails. See #5418.

Can I run a Tor hidden service on Tails?

It is technically possible to use Tails to provide a hidden service but it is complicated and not documented yet.

For example, some people have been working on how to run a web server behind a hidden service on Tails. See #7879.

Can I use ping in Tails?

It is impossible to use ping in Tails, because ping uses the ICMP protocol while Tor can only transport TCP connections.

Software not included in Tails

Can my favourite software be included in Tails?

First of all, make sure that this software is already available in Debian, as this is a requirement to be included in Tails. Adding to Tails software which is not in Debian imply an additional workload that could compromise the sustainability of the project. On top of that, being in Debian brings many advantages:

  • It is included in the Debian process for security updates and new versions.
  • It is authenticated using OpenPGP signatures.
  • It is under the scrutiny of the Debian community and its many users and derivatives, including Ubuntu.

To check whether a software is in Debian, search for it on https://packages.debian.org/. If it is not yet available in Debian, you should ask its developers why it is not the case yet.

Second, this software might not be useful to accomplish our design goals. Refer to our design documents to understand which are the intended use cases, and the assumptions on which Tails is based.

We also try to limit the amount of software included in Tails, and we only add new software with a very good reason to do so:

  • We try to limit the growth of the ISO image and automatic upgrades.
  • More software implies more security issues.
  • We avoid proposing several options to accomplish the same task.
  • If a package needs to be removed after its inclusion, for example because of security problems, then this might be problematic as users might rely on it.

After considering all this, if you still think that this software is a good candidate to be included in Tails, please explain us your proposal on tails-dev@boum.org.

If a software is not included in Tails, but is included in Debian, you can use the additional software feature of the persistent volume to install it automatically at the beginning of each working session.

Here is some of the software we are often asked to include in Tails:

  • bitmessage: not in Debian
  • torchat: see #5554
  • retroshare: not in Debian
  • veracrypt: can not be in Debian because of license issues, see Debian bug #814352

Can I download using BitTorrent with Tails?

Tails does not ship any BitTorrent software and is unlikely to do so in the future.

The problem with using BitTorrent over Tor is double:

We had relatively vague plans to improve on this situation.

Can I download videos from websites?

You can install youtube-dl as an additional package. youtube-dl allows downloading videos from more than 700 websites.

For example, to download a YouTube video, execute the following command in a terminal:

torsocks youtube-dl "https://www.youtube.com/watch?v=JWII85UlzKw"

For more information, refer to the official youtube-dl documentation.

Desktop environment

Why is the time set wrong?

When Tails starts, the system timezone is set to UTC (Greenwich time). So, this time might be a few hours in the future if you are West from the United Kingdom, or in the past if you are East from the UK. The minutes should be accurate.

We do this for anonymity reasons: if some application reveals your actual timezone, it might help identifying who you are.

Having all Tails users set to the same timezone, makes it more difficult to distinguish you amongst all the other Tails users.

We are working on a custom clock applet with configurable timezone. See #6284.

Other security issues

Is it safe to use Tails on a compromised system?

Tails runs independently from the operating system installed on the computer. So, if the computer has only been compromised by software, running from inside your regular operating system (virus, trojan, etc.), then it is safe to use Tails. This is true as long as Tails itself has been installed using a trusted system.

If the computer has been compromised by someone having physical access to it and who installed untrusted pieces of hardware, then it might be unsafe to use Tails.

If the BIOS of the computer has been compromised, then it might also be unsafe to use Tails.

See our warning page for more details.

Can I verify the integrity of a Tails device?

It is not possible to verify the integrity of a Tails device when running Tails from this same device. This would be like asking to someone whether she is a liar; the answer of a true liar would always be "no".

  • To verify the integrity of a DVD from a separate trusted system, you can verify the signature of the ISO image as documented in verify the ISO image using OpenPGP against the DVD itself.

  • There is no documented method of verifying the integrity of a USB stick or SD card installed using Tails Installer. However, if you have another trusted Tails device, you can clone it onto the untrusted device to reset it to a trusted state.

Can I use the memory wipe feature of Tails on another operating system?

The memory wipe mechanism that Tails uses on shutdown to protect against cold boot attacks is not yet available in other Linux distributions. In the future, we would like to package it for Debian.

If you want to implement this feature outside of Tails, have a look at the corresponding design documentation.

Where is the New Identity button?

In our warning page we advice to restart Tails every time that you want to use a different contextual identity.

The New Identity feature of Tor Browser is limited to the browser.

Tails used to provide a New Identity feature, but this feature was not a good solution to separate contextual identities, as it was dangerous:

  • Already existing connections could stay open.
  • Other sources of information could reveal your past activities, for example the cookies stored in Tor Browser or the random nick in Pidgin.

Tails is a full operating system, so a new identity should be thought on a broader level. Restart Tails instead.

Can I use TrueCrypt with Tails?

No, TrueCrypt was removed in Tails 1.2.1. But you can still open TrueCrypt volumes using cryptsetup.

Furthermore, TrueCrypt is now discontinued and its development team recommends against using it. We recommend using other encryption tools such as LUKS.

Does Tails collect information about its users?

When Tails starts, two HTTPS requests are made automatically to our website through Tor:

  • A security check is performed to know if security issues have been announced for this version of Tails. The language of the working session is passed along with this request to display the notification in the preferred language of the user.
  • Tails Upgrader checks for newer versions. The version of the running Tails is passed along with this request.

We believe it is important to notify the user of known security issues and newer versions. We calculate statistics based on the security check to know how many times Tails has been started and connected to Tor. Those statistics are published in our monthly reports.

Does Tails need an antivirus?

No, as other Linux systems, Tails doesn't require an antivirus to protect itself from most malwares, such as viruses, trojans, and worms. There are various reasons why Linux operating systems generally don't need antivirus softwares, including the permission design of Linux systems.

See the Wikipedia page on Linux malware for further details.