You need

2 GB of RAM

64-bit

Intel processor

not M1

2 GB of RAM

64-bit

Windows 7

or later

macOS 10.10 (Yosemite)

or later

Linux

any distribution

Debian

Ubuntu

or another derivative

Your Tails

1 USB stick

8 GB minimum

All data will be lost!

1 USB stick

8 GB minimum

All data will be lost!

Why?

X

It is currently impossible to manually upgrade a Tails USB stick while running from itself. This scenario requires creating an intermediary Tails on another USB stick, from which to upgrade your Tails.

a smartphone

another computer,
or a printer
to follow the instructions

another Tails

USB stick or DVD

1 hour in total

½ hour

¼ hour

1.3 GB to download

½ hour to install

½ hour to upgrade

Your steps

Warnings: Tails is safe but not magic!

Tails is safer than any regular operating system. But Tails, or any software or operating system, cannot protect you from everything—even if they pretend to.

The recommendations below will keep you even safer, especially if you are at high risk.

Protecting your identity when using Tails

Tails is designed to hide your identity.

But some of your activities could reveal your identity:

  • Sharing files with metadata, such as date, time, location, and device information
  • Using Tails for more than one purpose at a time
Protecting your identity

Limitations of the Tor network

Tails uses the Tor network because it is the strongest and most popular network to protect from surveillance and censorship.

But Tor has limitations if you are concerned about:

  • Hiding that you are using Tor and Tails
  • Protecting your online communications from determined, skilled attackers
Limitations of Tor

Reducing risks when using untrusted computers

Tails can safely run on a computer that has a virus.

But Tails cannot always protect you when:

  • Installing from an infected computer
  • Running Tails on a computer with a compromised BIOS, firmware, or hardware
Using untrusted computers

Protecting your identity when using Tails

Clean metadata from files before sharing them

Many files contain hidden data, or metadata:

  • JPEG and other image files often contain information about where a picture was taken and which camera was used.

  • Office documents often contain information about their author, and the date and time the document was created.

To help you clean metadata, Tails includes mat2, a tool to remove metadata in a wide range of file formats.

Metadata has been used in the past to locate people from pictures they took. For an example, see NPR: Betrayed by metadata, John McAfee admits he's really in Guatemala.

Use Tails sessions for only one purpose at a time

If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together.

For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are used by the same person. This is because websites can tell when 2 accounts are using the same Tor circuit.

To prevent an adversary from linking your activities together while using Tails, restart Tails between different activities. For example, restart Tails between checking your work email and your whistleblowing email.

We are not aware of any such attacks to deanonymize people online who used Tails for different purposes at a time.

If you worry that the files in your Persistent Storage could be used to link your activities together, consider using a different Tails USB stick for each activity. For example, use one Tails USB stick for your activism work and another one for your journalism work.

Limitations of the Tor network

Tails makes it clear that you are using Tor and probably Tails

Everything you do on the Internet from Tails goes through the Tor network.

Tor and Tails don't protect you by making you look like any random Internet user, but by making all Tor and Tails users look the same. It becomes impossible to know who is who among them.

  • Your Internet service provider (ISP) and local network can see that you connect to the Tor network. They still cannot know what sites you visit. To hide that you connect to Tor, you can use a Tor bridge.

  • The sites that you visit can know that you are using Tor, because the list of exit nodes of the Tor network is public.

Parental controls, Internet service providers, and countries with heavy censorship can identify and block connections to the Tor network that don't use Tor bridges.

Many websites ask you to solve a CAPTCHA or block access from the Tor network.

Exit nodes can intercept traffic to the destination server

Tor hides your location from destination servers, but it does not encrypt all your communication. The last relay of a Tor circuit, called the exit node, establishes the actual connection to the destination server. This last step can be unencrypted.

A Tor connection goes through 3 relays with the last one establishing the actual connection to the final destination

The exit node can:

  • Observe your traffic. That is why Tor Browser and Tails include tools, like HTTPS Everywhere, to encrypt the connection between the exit node and the destination server, whenever possible.

  • Pretend to be the destination server, a technique known as machine-in-the-middle attack (MitM). That is why you should pay even more attention to the security warnings in Tor Browser. If you get such a warning, use the New Identity feature of Tor Browser to change exit node.

Warning: Potential Security Risk Ahead

To learn more about what information is available to someone observing the different parts of a Tor circuit, see the interactive graphics at Tor FAQ: Can exit nodes eavesdrop on communications?.

Tor exit nodes have been used in the past to collect sensitive information from unencrypted connections. Malicious exit nodes are regularly identified and removed from the Tor network. For an example, see Ars Technica: Security expert used Tor to collect government e-mail passwords.

Adversaries watching both ends of a Tor circuit could identify users

A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called end-to-end correlation attacks, because the attacker has to observe both ends of a Tor circuit at the same time.

No anonymity network used for rapid connections, like browsing the web or instant messaging, can protect 100% from end-to-end correlation attacks. In this case, VPNs (Virtual Private Networks) are less secure than Tor, because they do not use 3 independent relays.

End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users. For an example, see Murdoch and Zieliński: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries.

Reducing risks when using untrusted computers

Install Tails from a computer that you trust

Tails protects you from viruses and malware on your usual operating system. This is because Tails runs independently from other operating systems.

But your Tails might be corrupted if you install from a compromised operating system. To reduce that risk:

  • Always install Tails from a trusted operating system. For example, download Tails on a computer without viruses or clone Tails from a trusted friend.

  • Do not plug your Tails USB stick while another operating system is running on the computer.

  • Use your Tails USB stick only to run Tails. Do not use your Tails USB stick to transfer files to or from another operating system.

If you worry that your Tails might be corrupted, do a manual upgrade from a trusted operating system.

We don't know of any virus able to infect a Tails installation, but one could be created in the future.

No operating system can protect against hardware alterations

Your computer might be compromised if its physical components have been altered. For example, if a keylogger has been physically installed on your computer, your passwords, personal information, and other data typed on your keyboard could be stored and accessed by someone else, even if you are using Tails.

Try to keep your computer in a safe location. Hardware alterations are more likely on public computers, in internet cafés or libraries, and on desktop computers, where a device is easier to hide.

If you worry that a computer might be modified:

  • Use a password manager to paste saved passwords. This way, you don't have to type passwords that might be visible to people or cameras near you.

  • Use the Screen Keyboard, if you are using a public computer or worry that the computer might have a keylogger.

Keyloggers are easy to buy and hide on desktop computers but not on laptops. For an example, see KeeLog: KeyGrabber forensic keylogger getting started.

Other hardware alterations are much more complicated and expensive to install. For an example, see Ars Technica: Photos of an NSA “upgrade” factory show Cisco router getting implant.

No operating system can protect against BIOS and firmware attacks

Firmware includes the BIOS or UEFI and other software stored in electronic chips on the computer. All operating systems, including Tails, depend on firmware to start and run, so no operating system can protect against a firmware attack. In the same way that a car depends on the quality of the road it is driving on, operating systems depend on their firmware.

Keeping your computer in a safe location can protect against some firmware attacks, but some other firmware attacks can be performed remotely.

Firmware attacks have been demonstrated, but are complicated and expensive to perform. We don't know of any actual use against Tails users. For an example, see LegbaCore: Stealing GPG keys/emails in Tails via remote firmware infection.

Because you always have to adapt your digital security practices to your specific needs and threats, we encourage you to learn more by reading the following guides:

Verify the Tails signing key

If you already certified the Tails signing key with your own key, you can skip this step and start downloading and verifying the USB image.

In this step, you will download and verify the Tails signing key which is the OpenPGP key that is used to cryptographically sign the Tails USB image.

To follow these instructions you need to have your own OpenPGP key.

To learn how to create yourself an OpenPGP key, see Managing OpenPGP Keys by Riseup.

This verification technique uses the OpenPGP Web of Trust and the certification made by official Debian developers on the Tails signing key.

  1. Import the Tails signing key in your GnuPG keyring:

    wget https://tails.boum.org/tails-signing.key
    gpg --import < tails-signing.key
    
  2. Install the Debian keyring. It contains the OpenPGP keys of all Debian developers:

    sudo apt update && sudo apt install debian-keyring
    
  3. Import the OpenPGP key of Chris Lamb, a former Debian Project Leader, from the Debian keyring into your keyring:

    gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import
    
  4. Verify the certifications made on the Tails signing key:

    gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
    

    In the output of this command, look for the following line:

    sig!         0x1E953E27D4311E58 2020-03-19  Chris Lamb <chris@chris-lamb.co.uk>
    

    Here, sig!, with an exclamation mark, means that Chris Lamb verified and certified the Tails signing key with his key.

    It is also possible to verify the certifications made by other people. Their name and email address appear in the list of certification if you have their key in your keyring.

    If the verification of the certification failed, then you might have downloaded a malicious version of the Tails signing key or our instructions might be outdated. Please get in touch with us.

    The line 175 signatures not checked due to missing keys or similar refers to the certifications (also called signatures) made by other public keys that are not in your keyring. This is not a problem.

  5. Certify the Tails signing key with your own key:

    gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F
    

Download Tails

  1. Download the USB image:

    wget --continue http://dl.amnesia.boum.org/tails/stable/tails-amd64-5.3.1/tails-amd64-5.3.1.img

Verify your download

In this step, you will verify your download using the Tails signing key.

  1. Download the signature of the USB image:

    wget https://tails.boum.org/torrents/files/tails-amd64-5.3.1.img.sig

  2. Verify that the USB image is signed by the Tails signing key:

    TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.3.1.img.sig tails-amd64-5.3.1.img

    The output of this command should be the following:

    gpg: Signature made Tue 02 Aug 2022 12:07:47 AM UTC
    gpg:                using EDDSA key CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
    gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [full]
    gpg:                 aka "Tails developers <tails@boum.org>" [full]

    Verify in this output that:

    • The date of the signature is the same.
    • The signature is marked as Good signature since you certified the Tails signing key with your own key.

Install Tails using dd

  1. Make sure that the USB stick on which you want to install Tails is unplugged.

  2. Execute the following command:

    ls -1 /dev/sd?

    It returns a list of the storage devices on the system. For example:

    /dev/sda

  3. Plug in the USB stick on which you want to install Tails.

    All the data on this USB stick will be lost.

  4. Execute again the same command:

    ls -1 /dev/sd?

    Your USB stick appears as a new device in the list.

    /dev/sda /dev/sdb

  5. Take note of the device name of your USB stick.

    In this example, the device name of the USB stick is /dev/sdb. Yours might be different.

    If you are unsure about the device name, you should stop proceeding or you risk overwriting any hard disk on the system.

  6. Execute the following commands to copy the USB image that you downloaded earlier to the USB stick.

    Replace:

    • tails.img with the path to the USB image

    • device with the device name found in step 5

    dd if=tails.img of=device bs=16M oflag=direct status=progress

    You should get something like this:

    dd if=/home/user/tails-amd64-3.12.img of=/dev/sdb bs=16M oflag=direct status=progress

    If no error message is returned, Tails is being copied on the USB stick. The copy takes some time, generally a few minutes.

    If you get a Permission denied error, try adding sudo at the beginning of the command:

    sudo dd if=tails.img of=device bs=16M oflag=direct status=progress

    The installation is complete after the command prompt reappears.

Tails USB stick

Congratulations, you have installed Tails on your USB stick!

You will now restart your computer on this USB stick.

It might be a bit complicated or not work on your computer, so good luck!

If you already started on the other Tails, go directly to step 3: Verify that the other Tails is up-to-date.

Open these instructions on another device

In the next step, you will shut down the computer. To be able to follow the rest of the instructions afterwards, you can either:

  • Scan this QR code on your smartphone or tablet:

  • Print these instructions on paper.

  • Take note of the URL of this page:

    https://tails.boum.org/install/windows?back=1 https://tails.boum.org/install/mac?back=1 https://tails.boum.org/install/linux?back=1 https://tails.boum.org/install/expert?back=1 https://tails.boum.org/install/clone/pc?back=1 https://tails.boum.org/install/clone/mac?back=1 https://tails.boum.org/upgrade/tails?back=1 https://tails.boum.org/upgrade/windows?back=1 https://tails.boum.org/upgrade/mac?back=1 https://tails.boum.org/upgrade/linux?back=1 https://tails.boum.org/upgrade/clone?back=1

Restart on the intermediary Tails

Restart on the other Tails

Restart on your Tails USB stick

Make the computer start on the USB stick

  1. Make sure that you have installed Tails using either:

  2. Click on the Start button.

  3. Press and hold the Shift key while you choose Power ▸ Restart.

  4. In the Choose an option screen, choose Use a device.

    If the Choose an option screen does not appear, refer to the instructions on starting Tails using the Boot Menu key.

  5. In the Use a device screen, choose Boot Menu.

    Windows shuts down, the computer restarts, and a Boot Menu appears.

    Plug in your Tails USB stick shortly after choosing Boot Menu and while Windows is shutting down.

    In the future, we We recommend that you only plug in your Tails USB stick while Windows is shutting down. Otherwise, a virus in Windows could infect your Tails USB stick and break its security.

    Such an attack is possible in theory but very unlikely in practice. We don't know of any virus capable of infecting Tails. See our warning on plugging Tails in untrusted systems.

    The Boot Menu is a list of possible devices to start from. The following screenshot is an example of a Boot Menu:

  6. In the Boot Menu, select your USB stick and press Enter.

  7. If the computer starts on Tails, the Boot Loader appears and Tails starts automatically after 4 seconds.

    Black screen ('GNU GRUB') with Tails logo and 2 options: 'Tails' and 'Tails (Troubleshooting Mode)'.

Most computers do not start on the Tails USB stick automatically but you can press a Boot Menu key to display a list of possible devices to start from.

If Windows 8 or 10 is also installed on the computer, you can refer instead to the instructions on starting Tails from Windows 8 or 10. Starting Tails from Windows is easier than using the Boot Menu key.

The following screenshot is an example of a Boot Menu:

This animation summarizes how to use the Boot Menu key to start on the USB stick:

The following instructions explain in detail how to use the Boot Menu key to start on the USB stick:

  1. Make sure that you have installed Tails using either:

  2. Shut down the computer while leaving the USB stick plugged in.

    Shut down the computer and plug in the Tails USB stick.

    Shut down the computer.

    Plug in the other Tails USB stick that you want to install upgrade from.

    Unplug your Tails USB stick while leaving the intermediary USB stick plugged in.

  3. Identify the possible Boot Menu keys for the computer depending on the computer manufacturer in the following list:

    ManufacturerKey
    AcerF12, F9, F2, Esc
    AppleOption
    AsusEsc
    ClevoF7
    DellF12
    FujitsuF12, Esc
    HPF9
    HuaweiF12
    IntelF10
    LenovoF12
    MSIF11
    SamsungEsc, F12, F2
    SonyF11, Esc, F10
    ToshibaF12
    others…F12, Esc

    On many computers, a message is displayed very briefly when switching on that also explains how to get to the Boot Menu or edit the BIOS settings.

  4. Schalten Sie den Computer ein.

    Immediately press several times the first possible Boot Menu key identified in step 2.

  5. If the computer starts on another operating system or returns an error message, shut down the computer again and repeat step 3 for all the possible Boot Menu keys identified in step 2.

    If a Boot Menu with a list of devices appears, select your USB stick and press Enter.

  6. If the computer starts on Tails, the Boot Loader appears and Tails starts automatically after 4 seconds.

    Black screen ('GNU
GRUB') with Tails logo and 2 options: 'Tails' and 'Tails (Troubleshooting
Mode)'.

  1. Make sure that you have installed Tails using either:

  2. Shut down the computer.

    Shut down the computer while leaving the USB stick plugged in.

    Plug in the other Tails USB stick that you want to install from.

  3. Plug in your Tails USB stick.

  4. Switch on the computer.

    Immediately press-and-hold the Option key (Alt key) when the startup chime is played.

    Hold the key pressed until a list of possible startup disks appears.

    'Option' or
'alt' key in the bottom left of Mac keyboard

  5. Choose the USB stick and press Enter. The USB stick appears as an external hard disk and might be labeled EFI Boot or Windows like in the following screenshot:

    Screen
with the logo of an internal hard disk labeled 'Macintosh HD' and an
external hard disk labelled 'Windows' (selected)

    If the USB stick does not appear in the list of startup disks:

    1. Make sure that you have installed Tails using either:

    2. Make sure that you have verified your download of Tails.

    3. Make sure that you are running the latest version of macOS.

    4. Make sure that you have verified your download.

    5. Try installing again on the same USB stick.

    6. Try installing on a different USB stick.

    7. Try using the same USB stick to start on a different computer.

    If your computer still does not display the Boot Loader, it might currently be impossible to start Tails on your computer.

  6. If your Mac displays the following error:

    Security settings do not allow this Mac to use an external startup disk.

    Then you have to change the settings of the Startup Security Utility of your Mac to authorize starting from Tails.

    To open Startup Security Utility:

    1. Turn on your Mac, then press and hold Command(⌘)+R immediately after you see the Apple logo. Your Mac starts up from macOS Recovery.

    2. When you see the macOS Utilities window, choose Utilities ▸ Startup Security Utility from the menu bar.

    3. When you are asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

    Startup Security Utility

    In the Startup Security Utility:

    • Choose No Security in the Secure Boot section.

    • Choose Allow booting from external media in the External Boot.

    To still protect your Mac from starting on untrusted external media, you can set a firmware password, available on macOS Mountain Lion or later. A firmware password prevents users who do not have the password from starting up from any media other than the designated startup disk.

    If you forget your firmware password you will require an in-person service appointment with an Apple Store or Apple Authorized Service Provider.

    Read more on Apple Support about:

  7. If the computer starts on Tails, the Boot Loader appears and Tails starts automatically after 4 seconds.

    Black screen ('GNU
GRUB') with Tails logo and 2 options: 'Tails' and 'Tails (Troubleshooting
Mode)'.

Troubleshooting

Starting the computer using a Boot Menu key can be faster than starting the computer on Windows first and then on Tails. We recommend you learn how to start Tails using the Boot Menu key if you use Tails regularly.

Apple does not prioritize collaborating with Free Software projects. Their newest hardware is usually very hard for Free Software developers to get working with Linux, and thus Tails. PC hardware tends to be more open and work better with Linux.

Welcome to Tails!

Starting Tails

  1. After the Boot Menu, a loading screen appears.

  2. One to two minutes after the Boot Loader and the loading screen, the Welcome Screen appears.

    Welcome to Tails!

  3. In the Welcome Screen, select your language and keyboard layout in the Language & Region section. Click Start Tails.

    If your keyboard, touchpad, or mouse doesn't work:

    • Please let us know.
    • Try using an external keyboard and mouse.
  4. After 15–30 seconds, the Tails desktop appears.

    Tails desktop

Welcome to your new Tails!

Test your Wi-Fi

Problems with Wi-Fi are unfortunately quite common in Tails and Linux in general. To test if your Wi-Fi interface works in Tails:

  1. Open the system menu in the top-right corner:

  2. Choose Wi-Fi Not Connected and then Select Network.

  3. After establishing a connection to a local network, the Tor Connection assistant appears to help you connect to the Tor network.

If your Wi-Fi interface is not working, for example:

  • There is no Wi-Fi option in the system menu:

  • You receive the notification Connection failed: Activation of network connection failed.

  • The interface is disabled when starting Tails or when plugging in your USB Wi-Fi adapter:

    Notification about network card being disabled

    In this case, you can disable MAC address anonymization to get your Wi-Fi interface to work in Tails. Disabling MAC address anonymization has security implications, so read carefully our documentation about MAC address anonymization before doing so.

To connect to the Internet, you can try to:

  • Use an Ethernet cable instead of Wi-Fi if possible. Wired interfaces work much more reliably than Wi-Fi in Tails.

  • Share the Wi-Fi or mobile data connection of your phone using a USB cable. Sharing a connection this way is called USB tethering.

    See instructions for:

    Tails cannot hide the information that identifies your phone on the local network. If you connect your phone to:

    • A Wi-Fi network, then the network will know the MAC address of your phone. This has security implications that are discussed in our documentation on MAC address anonymization. Some phones have a feature to hide the real MAC address of the phone.

    • A mobile data network, then the network will be able to know the identifier of your SIM card (IMSI) and also the serial number of your phone (IMEI).

  • Buy a USB Wi-Fi adapter that works in Tails:

    VendorModelSizeSpeedPriceBuy offlineBuy online
    Panda WirelessUltraNano150 Mbit/s$12NoAmazon
    Panda WirelessPAU05Small300 Mbit/s$14NoAmazon
    ThinkPenguinTPE-N150USBNano150 Mbit/s$54NoThinkPenguin

    If you find another USB Wi-Fi adapter that works in Tails, please let us know. You can write to sajolida@pimienta.org (private email).

Yay, you managed to start your new Tails on your computer!

If you want to save some of your documents and configuration in an encrypted storage on your new Tails USB stick, follow our instructions until the end. Otherwise, have a look at our final recommendations. final recommendations. final recommendations. final recommendations. final recommendations. final recommendations.

Create a Persistent Storage (optional)

You can optionally create an encrypted Persistent Storage in the remaining free space on your new Tails USB stick to store any of the following:

  • Personal files
  • Some settings
  • Additional software
  • Encryption keys

The data in the Persistent Storage:

  • Remains available across separate working sessions.
  • Is encrypted using a passphrase of your choice.

The Persistent Storage is not hidden. An attacker in possession of your USB stick can know that there is a Persistent Storage on it. Take into consideration that you can be forced or tricked to give out its passphrase.

It is possible to unlock the Persistent Storage from other operating systems. But, doing so might compromise the security provided by Tails.

For example, image thumbnails might be created and saved by the other operating system. Or, the contents of files might be indexed by the other operating system.

Other operating systems should probably not be trusted to handle sensitive information or leave no trace.

Create the Persistent Storage

  1. Choose Applications ▸ Tails ▸ Configure persistent volume.

  2. Specify a passphrase of your choice in both the Passphrase and Verify Passphrase text boxes.

    We recommend choosing a long passphrase made of five to seven random words. See this article about memorizable and secure passphrases.

  3. Click on the Create button.

  4. Wait for the creation to finish.

  5. The list of features of the Persistent Storage appears. Each feature corresponds to a set of files or settings that can be saved in the Persistent Storage.

    We recommend you to only turn on the Personal Data feature for the time being. You can turn on more features later on according to your needs.

  6. Click Save.

Restart and unlock the Persistent Storage

  1. Shut down the computer and restart on your new Tails USB stick.

  2. In the Welcome Screen:

    Welcome to Tails!

    • Select your language and keyboard layout in the Language & Region section.

    • In the Encrypted Persistent Storage section, enter your passphrase and click Unlock to unlock the Persistent Storage for the current working session.

    • Click Start Tails.

  3. After 15–30 seconds, the Tails desktop appears.

  4. You can now save your personal files and working documents in the Persistent folder. To open the Persistent folder choose Places ▸ Persistent.

Tails USB stick with Persistent Storage

You now have a complete Tails, congrats!

Final recommendations

You should regularly make a backup of your Persistent Storage in case your Tails USB stick becomes lost or damaged.

We hope you enjoy using Tails :)