Tails OS (The Amnesic Incognito Live System) is a security-focused operating system designed for maximum anonymity and privacy. Unlike VPNs or encrypted messaging apps, Tails isolates your entire operating environment—every network connection routes through Tor, all data is encrypted, and no traces remain on disk after shutdown. It’s built for journalists, activists, and security researchers who need operational security stronger than standard consumer software.
What Tails OS Actually Does
Tails is a Linux distribution that boots from USB and runs entirely in RAM. Key differences from Windows/macOS:
- Network isolation: Every connection forced through Tor (no way to accidentally leak IP)
- No disk persistence by default: Everything erased on shutdown
- Full disk encryption option: Persistent volume encrypts any saved data
- Sandboxed browser: Tor Browser pre-configured and hardened
- No identifying metadata: Clocks synchronized to prevent timing attacks
- No pre-installed tracking: No telemetry, no analytics, no ads
When you shut down, Tails erases RAM and leaves no forensic traces.
Tails vs Other Privacy Approaches
Tails vs VPN
| Aspect | Tails | VPN |
|---|---|---|
| IP leak prevention | Complete (no way to leak) | Possible if misconfigured |
| Tor anonymity | Yes, forced | No (unless you add Tor) |
| Metadata leakage | Minimal | Can leak DNS, timing |
| Disk traces | None by default | Browser history, files, etc. |
| Browser fingerprinting | Hardened | Standard risks apply |
| Cost | Free | $5-15/month |
| Operational difficulty | Medium | Low |
Use VPN for: Privacy from ISP, bypassing geo-blocking, general daily browsing Use Tails for: High-threat scenarios, whistleblowing, activism, evidence gathering
Tails vs Whonix
Whonix is another Tor-focused OS but requires VirtualBox. Tails is simpler:
| Feature | Tails | Whonix |
|---|---|---|
| Installation | USB, simple | Requires VirtualBox |
| Boot time | 2-3 minutes | 5-10 minutes (VM overhead) |
| Native support | Yes | Virtualized |
| Persistence | Easy encryption | Possible but complex |
| Portability | Boot on any computer | Limited to VM host |
| Learning curve | Lower | Higher |
Use Tails if: Portability and simplicity matter, you move between computers Use Whonix if: Segmented threat model (separate Workstation/Gateway), advanced users
Installation: Creating a Tails USB
Step 1: Download Tails OS
- Visit tails.boum.org on a trusted device
- Download the latest stable version (~1.3 GB)
- Download the cryptographic signature (.sig file)
- Verify the signature (prevents tampering during download):
# On macOS or Linux
gpg --verify tails-amd64-*.iso.sig
If GPG verification passes, the download is authentic.
Step 2: Create Bootable USB
Requirements:
- USB drive, 8GB minimum (will be formatted, loses all data)
- Mac/Linux or Windows computer
- 15 minutes
On macOS/Linux:
# List USB drives
diskutil list
# Find your USB (e.g., /dev/disk2, NOT /dev/disk0)
# Unmount it (don't eject)
diskutil unmountDisk /dev/disk2
# Write Tails ISO to USB (takes 5-10 minutes)
dd if=/path/to/tails-amd64-*.iso of=/dev/rdisk2 bs=4m
# Eject
diskutil ejectDisk /dev/disk2
On Windows:
- Download Balena Etcher (balena.io/etcher)
- Select Tails ISO file
- Select USB drive
- Click Flash (takes 10 minutes)
Important: You need a separate USB drive. Tails won’t run from the same drive you’re installing to.
Step 3: First Boot
- Shut down your computer completely
- Insert Tails USB
- Power on and hold the boot menu key:
- Mac: Hold Option/Alt during startup
- Windows PC: Usually F12 or Del (varies by manufacturer)
- Select USB drive
- Tails boots to a “Welcome” screen (takes 2-3 minutes)
On first boot, you’ll see:
Tails Greeter
- Language: [English]
- Keyboard: [US English]
- Show Passphrases: [unchecked]
- Start Tails
Click “Start Tails” to continue.
Core Configuration: Tor, Network, Persistence
Setting Up Tor Connection
When Tails boots, it automatically connects to Tor:
[Tails Tor Connection]
Connecting to the Tor network...
[●●●●●●●●●●] 10%
Status: Connecting to Tor...
Wait for full connection. This typically takes 30-60 seconds. You’ll see:
Successfully connected to the Tor network.
Never use Tails if Tor fails to connect. Disconnect from network if connection hangs.
Tor Browser Launch
Applications > Internet > Tor Browser
Tor Browser opens with onion icon visible. This is your primary web browsing tool—it’s hardened against fingerprinting and attacks.
What Tor Browser does:
- Routes all traffic through 3 relay nodes
- Disables JavaScript (can leak identity)
- Blocks WebRTC leaks (can leak real IP)
- Clears cookies/history on exit
What it doesn’t do:
- Prevent you from logging into identifying accounts
- Keep you safe from malware if you run executables
- Prevent DNS leaks (Tails handles this)
Rule: Never mix anonymous and identified activities in same Tor Browser session. If you log into your real Gmail, you’ve broken anonymity.
Persistent Storage Setup
By default, Tails erases everything on shutdown. For journalists/activists keeping research files, set up encrypted persistent storage:
First time only:
- Open Applications > System Tools > Disks
- Select the Tails USB drive in left panel
- Click “+” to add partition
- Name: “TailsData”
- Type: LUKS Encrypted
- Size: Leave remaining space
- Create
This prompts for an encryption passphrase. This passphrase:
- Encrypts the persistent volume
- Must be strong (20+ characters recommended)
- Write it down offline (but NOT on computer)
- If you forget it, data is unrecoverable
On subsequent boots:
Tails Greeter shows:
Persistent Storage
[X] Turn on persistent storage
Passphrase: [enter passphrase]
Check the box, enter passphrase, then boot. Your encrypted files survive shutdown.
Persistence options to enable:
- Personal Documents: Your Downloads/Documents folders
- System Settings: Network, language, keyboard
- Tor Browser Bookmarks: Reappear on next boot
- SSH Client Key: If you use SSH (rare, security risk)
Persistence options to disable:
- Browser Cache: Already disabled by Tor Browser
- Intel/Nvidia Driver: Unnecessary for most users
- Cups Printing System: Unless you need printer access
Practical Use Cases
Case 1: Secure Research on Sensitive Topics
Goal: Research government surveillance without ISP logging
Setup:
1. Boot Tails from USB
2. Turn off persistent storage
3. Connect to network (auto-Tor connection)
4. Open Tor Browser
5. Research sensitive topics
6. Shut down (all evidence erased)
Tools available:
- OnionShare for anonymous file sharing
- Jami (formerly GNU Ring) for secure calling
- Thunderbird with ProtonMail bridge for email
Security principle: No persistent storage = no logs. ISP sees USB created network connection, but nothing about what you accessed.
Case 2: Journalist Receiving Tips
Goal: Securely receive and protect leaked documents
Setup:
1. Boot Tails with persistent storage enabled
2. Create folder: TailsData/Leaks
3. Install SecureDrop Proxy (if whistleblower provided)
4. Receive documents through encrypted channel
5. Process documents in Tails
6. Export to encrypted backup USB
7. Shut down Tails
Encrypted backup:
# Create another USB with encrypted partition
# Inside Tails Disks app, add LUKS partition to backup USB
# Mount persistent volume
# Copy files to backup drive
# Backup drive now encrypted with same passphrase
Case 3: Activist Operating in Hostile Country
Goal: Communicate without government surveillance
Setup:
1. Boot Tails (USB physically smuggled across border)
2. Enable persistent storage
3. Use Tor Browser to access secure communication:
- Ricochet IM (decentralized messaging)
- Jami (P2P calling)
- ProtonMail (encrypted email)
4. Coordinate with organizations
5. Shut down and store USB safely
Threat model: Government surveillance, border searches How Tails helps: Even if USB confiscated, encrypted storage requires passphrase. Tails itself leaves no traces on any computer you boot.
Advanced Configuration
Setting Clock Manually (Prevent Timing Attacks)
In Greeter, before “Start Tails”:
Language > Advanced Settings > Set Time to [manual]
Enter current UTC time to prevent timing attacks (rare but possible).
Using Whonix Bridge for Censorship
If ISP blocks Tor, use Tor bridges (relay servers not publicly listed):
Tails Greeter > Add a Tor bridge
[Enter bridge address from torproject.org/bridges]
Bridges relay your traffic through a non-public server, making it harder to detect Tor use.
Disable Javascript Entirely
Tor Browser blocks JavaScript by default. To be extra safe:
Tor Browser > Hamburger Menu > Preferences > Privacy & Security
[Disable JavaScript completely]
This breaks some sites but eliminates JS-based attack surface.
SSH Access from Tails
If you need to SSH to a remote server:
# SSH keys stored in persistent storage
ssh -i ~/.ssh/id_rsa user@remote.server.com
All SSH traffic routes through Tor automatically. Be aware: even over Tor, a compromised remote server learns your activity.
Common Mistakes and How to Avoid Them
Mistake 1: Identifying Yourself Over Tor
Wrong:
Open Tor Browser
Log into Gmail as alice.smith@gmail.com
Search for "Alice Smith whistleblower"
You’ve completely broken anonymity. The Gmail account is tied to your real identity. ISP, Gmail, and Google know everything.
Right:
Open Tor Browser
Use anonymous email service (ProtonMail with new account)
Search for topics without personal info
Rule: Compartmentalize. If you use your real account, don’t expect anonymity.
Mistake 2: Assuming Full Anonymity
Tails provides anonymity from network-level observation (ISP, government) but not from:
- Malicious websites: A hacked site could try browser exploits
- Metadata: Your writing style can identify you (linguistics)
- Microphone/Camera: Tails doesn’t disable hardware
- Your own actions: Sharing too many details can deanonymize you
Anonymity comes from Tails + careful operational security, not Tails alone.
Mistake 3: Forgetting Physical Security
Scenario: You boot Tails, someone sees your screen over your shoulder and reads an URL.
Prevention:
- Privacy screen protector on laptop
- Boot Tails in private physical location
- Cover cameras and microphones
- Never screenshot sensitive content
Tails is software; physical security is your responsibility.
Mistake 4: Losing Your Passphrase
You set persistent storage passphrase: "MySecurePass123!"
Six months later: You forget it
You boot Tails and enter wrong passphrase
Encrypted partition inaccessible forever
Prevention:
- Write passphrase on paper stored offline
- Use password manager on a different device (not Tails)
- Test passphrase monthly
Mistake 5: Reusing the Same USB Everywhere
Bad practice:
Boot Tails in cybercafe
Boot same USB at home
Boot same USB at library
Physical USB can be traced if confiscated and pattern-matched to your movements.
Better:
- Keep Tails USB hidden/safe
- Create multiple Tails USBs if crossing borders
- Destroy USB if confiscated
Mistake 6: Thinking Persistent Storage Is Backup
You enable persistent storage
Store documents on Tails USB
Never create backup
USB fails or is lost
Documents gone forever
Persistent storage is not backup. Create encrypted backups on separate USB drives.
Persistence Storage Encryption Commands
For advanced users, manual persistence setup:
# List disks in Tails terminal
sudo blkid
# Create LUKS partition
sudo cryptsetup luksFormat /dev/sdb1
# Open encrypted partition
sudo cryptsetup luksOpen /dev/sdb1 tails_data
# Create filesystem
sudo mkfs.ext4 /dev/mapper/tails_data
# Mount
sudo mount /dev/mapper/tails_data /mnt/persistent
# Add files
cp /home/amnesia/Documents/* /mnt/persistent/
# Unmount
sudo umount /mnt/persistent
sudo cryptsetup luksClose tails_data
Tools Available in Tails
| Category | Tools |
|---|---|
| Browsing | Tor Browser, Thunderbird with Onion routing |
| Communication | Jami, Ricochet IM |
| File encryption | LUKS, GnuPG |
| File sharing | OnionShare |
| Text editors | gedit, vim |
| Terminal | Xfce Terminal |
| PDF tools | LibreOffice Draw |
| Media | VLC |
All tools route through Tor by default.
Operational Security Checklist
Before using Tails for high-stakes work:
- Verify Tails ISO signature (prevents tampering)
- Create Tails USB on trusted computer
- Test boot in private physical location
- Set strong persistent storage passphrase (20+ chars)
- Backup persistent storage to encrypted USB
- Never mix identified and anonymous activity
- Keep USB hidden or encrypted
- Test Tor connection before sensitive work
- Never assume you’re 100% anonymous
- Use additional OPSEC based on threat model
Exit Tails Safely
Applications > Logout
Or: Ctrl+Alt+Delete, then Shutdown
On shutdown, Tails:
- Erases RAM
- Wipes all temporary files
- Closes all connections
- Turns off computer
This takes 10-15 seconds. Wait for complete shutdown.
After shutdown:
- Remove USB and store safely
- Computer shows no traces of Tails use
- Physical USB is only evidence of usage
When to Use Tails vs Other Tools
| Scenario | Tool | Why |
|---|---|---|
| Daily privacy from ISP | VPN | Simpler, faster |
| Casual anonymity | Tor Browser | Works on regular OS |
| High-threat activism | Tails | Complete anonymity |
| Receiving leaked docs | Tails + SecureDrop | Secure isolation |
| Border crossing | Tails USB | Plausible deniability, no hard drive |
| Government resistance | Tails | No forensic traces |
| Whistleblowing | Tails + ProtonMail | Complete isolation |
Related Articles
- Use Tor With Encrypted Email for Maximum Sender Anonymity
- How to Use Tails OS for Maximum Privacy Complete Setup Guide
- Tor vs VPN vs I2P: Anonymity Network Comparison 2026
- How to Use Tails Operating System for Extreme Privacy Daily
- Tails Persistent Storage Setup Guide What To Save And What S
Built by theluckystrike — More at zovo.one