- doc
- encryption and privacy
- Creating and using LUKS encrypted volumes
Introduction to LUKS
The simplest way to carry around the documents that you want to use with Tails encrypted is to use the Persistent Storage.
You can create other encrypted volumes using LUKS to encrypt, for example, another USB stick or an external hard disk. LUKS is the standard for disk encryption in Linux.
- GNOME Disks allows you to create encrypted volumes.
- Die GNOME-Arbeitsumgebung erlaubt es Ihnen, verschlüsselte Laufwerke zu öffnen.
Comparison between LUKS and VeraCrypt
You can also open VeraCrypt encrypted volumes in Tails. VeraCrypt is a disk encryption tool for Windows, macOS, and Linux. See our documentation about VeraCrypt.
We recommend you use:
- VeraCrypt to share encrypted files across different operating systems.
- LUKS to encrypt files for Tails and Linux.
| LUKS | VeraCrypt | |
|---|---|---|
| Compatibility | Linux | Windows + macOS + Linux |
| Create new volumes | Yes | Outside of Tails |
| Open and modify existing volumes | Yes | Yes |
| Encrypted partitions (or entire disks) ¹ | Yes | Yes |
| Encrypted file containers ¹ | Complicated | Easy |
| Plausible deniability ² | No | Yes |
| Ease of use | Easier | More complicated |
| Speed | Faster | Slower |
Plausible deniability: in some cases (for example, with VeraCrypt hidden volumes), it is impossible for an adversary to technically prove the existence of an encrypted volume.
Still, deniable encryption might not protect you if you are forced to reveal the existence of the encrypted volume. See:
Create an encrypted partition
Choose Applications ▸ Utilities ▸ Disks to open GNOME Disks.
Identifizieren Sie das externe Speichermedium
Disks lists all the current storage devices on the left side of the screen.
Schließen Sie das externe Speichermedium an, welches Sie verwenden möchten.
Ein neues Medium erscheint in der Liste der Speichermedien. Wählen Sie es aus:
Überprüfen Sie, dass die Beschreibung des Mediums auf der rechten Seite des Bildschirms Ihrem Medium entspricht: das Modell, die Größe, usw.
Format the device
Click on the
button in the titlebar and choose Format
Disk… to erase all the existing partitions on the device.In dem Fenster Laufwerk formatieren:
If you want to securely erase all data on the device, choose to Overwrite existing data with zeroes in the Erase drop-down list.
Choose Compatible with all systems and devices (MBR/DOS) in the Partitioning drop-down list.
Then click Format….
In the confirmation dialog, make sure that the device is correct. Click Format to confirm.
Create a new encrypted partition
Now the schema of the partitions in the middle of the screen shows an empty device:
Click on the
button to create a new
partition on the device.Configure the various settings of your new partition in the partition creation assistant:
In the Create Partition screen:
Partition Size: you can create a partition on the whole device or only on part of it.
In the example below, we are creating a partition of 4.0 GB on a device of 8.1 GB.
In the Format Volume screen:
Volume Name: you can give a name to the partition. This name remains invisible until the partition is open but can help you to identify it during use.
Erase: you can choose to securely erase all data on the partition.
Secure deletion does not work as expected on USB sticks and SSDs (Solid-State Drives). Choose instead to overwrite existing data on the whole device when formatting the device.
See also our warning about secure deletion on USB sticks and SSDs.
Type: choose Internal disk for use with Linux systems only (Ext4) and Password protect volume (LUKS).
In the Set Password screen:
- Password: type a passphrase for the encrypted partition and repeat it to confirm.
Then click Create.
Creating the partition takes from a few seconds to a few minutes. After that, the new encrypted partition appears in the volumes on the device:
If you want to create another partition in the free space on the device, click on the free space and then click on the
button again.
Use the new partition
You can open this new partition from the sidebar of the file browser with the name you gave it.
After opening the partition with the file browser, you can also access it from the menu.
Open an existing encrypted partition
When plugging in a device containing an encrypted partition, Tails does not open the partition automatically but you can do so from the file browser.
Choose to open the file browser.
Click on the encrypted partition that you want to open in the sidebar.
Enter the passphrase of the partition in the password prompt and click Unlock.
After opening the partition with the file browser, you can also access it from the menu.
To close the partition after you finished using it, click on the
button next to the partition in the sidebar of the
file browser.
Speicherung sensibler Dokumente
Solche verschlüsselte Laufwerke sind nicht versteckt. Eine angreifende Person im Besitz des Mediums kann herausfinden, dass sich ein verschlüsseltes Laufwerk darauf befindet. Ziehen Sie in Erwägung, dass Sie gezwungen oder hereingelegt werden könnten, dass Passwort herauszugeben.
Opening encrypted volumes from other operating systems
It is possible to open such encrypted volumes from other operating systems. But, doing so might compromise the security provided by Tails.
Zum Beispiel könnten durch das andere Betriebssystem Thumbnails von Fotos erstellt und gespeichert werden. Oder die Inhalte von Dateien könnten vom anderen Betriebssystem indiziert werden.
Change the passphrase of an existing encrypted partition
To open GNOME Disks choose .
Plug in the external storage device containing the encrypted partition that you want to change the passphrase for.
The device appears in the list of storage devices. Click on it:
Check that the description of the device on the right side of the screen corresponds to your device: its brand, its size, etc.
Click on the partition displaying a
at the bottom-right corner.Click on the
button and choose