The Quick Guide to Tails Linux

Installation, persistent storage, cryptocurrency wallets, encrypted messaging, and operational security.

Tails 7.x Series · Current as of March 2026 · tails.net

1. What Tails Is and Is Not

Tails (The Amnesic Incognito Live System) is a Debian-based live operating system designed to be booted from a USB drive where every internet connection is forced through the Tor network. On shutdown, the system wipes RAM and leaves no trace on the host computer. It is built for people who need strong anonymity and anti-forensic properties: journalists, activists, whistleblowers, researchers, and anyone operating in high-surveillance environments.

What Tails Provides

• Amnesia by default. Nothing is written to the host machine's disk. Each session starts clean unless you explicitly unlock Persistent Storage.
• All traffic over Tor. A firewall enforces that every network connection routes through Tor. Direct connections are blocked.
• Pre-configured privacy tools. Tor Browser, Electrum, Pidgin with OTR, Thunderbird, KeePassXC, GnuPG/Kleopatra, OnionShare, and the GNOME desktop are included and configured out of the box.
• MAC address spoofing. Tails randomizes your network adapter's hardware address by default to prevent local network tracking.

What Tails Cannot Protect Against

• Compromised hardware or BIOS/UEFI firmware implants.
• Physical surveillance (cameras, shoulder surfing).
• The fact that you are using Tor. Your ISP and local network administrator can see Tor traffic (though not its content). Use a bridge if this is a concern.
• User error. Logging into personal accounts, reusing identities across contexts, or disabling security features will defeat Tails' protections regardless of how strong the underlying technology is.

Key Principle: Tails provides the tools for anonymity. It does not provide anonymity automatically. The operator's discipline is the most important variable.

2. Requirements

⚠️ Compatibility: Tails does not run on ARM processors. This includes Raspberry Pi devices and all Apple Silicon Macs (M1/M2/M3/M4). Intel Macs can boot Tails but frequently have Wi-Fi driver issues — keep a USB-to-Ethernet adapter as a fallback.

You will also need a second computer (or phone) to download and flash the Tails image. The target computer does not need an internet connection for flashing — only for the first boot.

Choosing a USB Drive

Use a quality USB 3.0 drive from a reputable manufacturer. Cheap drives have higher failure rates, and Tails boots and operates entirely from the drive — speed and reliability matter. Avoid drives with hardware encryption features that may interfere with Tails' own LUKS encryption for Persistent Storage.

3. Download & Verification

Always download Tails from the official website: https://tails.net. The download page provides two image types: a USB image (.img) for flashing directly to a USB drive, and an ISO image (.iso) for DVDs and virtual machines. For physical installation, use the USB image.

Browser-Based Verification

The Tails download page includes a JavaScript-based verification tool. After downloading the image file, the page prompts you to select the file. It computes a cryptographic hash and compares it against the known-good value. This is the simplest method and sufficient for most threat models.

GnuPG Verification (Stronger)

For higher assurance — particularly if you suspect your browser or network may be compromised — verify the image using GnuPG and the detached OpenPGP signature.

ℹ️ Version Note: The file names in the commands below include a version number (7.5 is used as an example). Replace this with whatever version you actually downloaded. The file names are printed on the download page and visible in your Downloads folder.

1. Download the USB image, the OpenPGP signature file (.sig), and the Tails signing key from the download page. All three files should be in the same directory.
2. Confirm the output contains Good signature from "Tails developers" and that the key fingerprint matches what is published on the Tails website. A warning about the key not being certified with a trusted signature is normal if you have not independently verified the signing key through the PGP web of trust.

Verify the image against its signature (substitute your actual file names):

gpg --verify tails-amd64-7.5.img.sig tails-amd64-7.5.img

Replace "7.5" with the version number you downloaded.

Import the signing key:

gpg --import tails-signing.key

⚠️ Warning: If verification fails, do not use the image. Re-download from the official site and verify again. A corrupted or tampered image can completely compromise your security.

4. Flashing to USB

The USB image must be written as a raw disk image, not simply copied as a file. This operation overwrites the entire target drive.

⚠️ Data Loss: Flashing will destroy all existing data on the target USB drive. Double-check you have selected the correct device before proceeding.

From Windows

1. Download and install balenaEtcher from etcher.balena.io (alternatively, use Rufus in DD Image mode).
2. Insert the USB drive.
3. Open Etcher. Click Flash from file and select the Tails .img file.
4. Select the target USB drive. Verify the drive name and size.
5. Click Flash and wait for completion and verification.

From macOS

1. Insert the USB drive. Open Terminal.
2. Identify the device with diskutil list. Look for your USB drive (e.g., /dev/disk2). Confirm by size.
3. Unmount: diskutil unmountDisk /dev/disk2
4. Eject: diskutil eject /dev/disk2

Write the image (note the rdisk prefix for faster writes):

sudo dd if=tails-amd64-7.5.img of=/dev/rdisk2 bs=16m && sync

From Linux

1. Insert the USB drive. Run lsblk to list all block devices. Your USB drive will appear as a device like /dev/sdb, /dev/sdc, or similar — the exact name depends on how many drives are connected to your system. Identify it by its size (it should match your USB drive's capacity). Do not guess. Writing to the wrong device will destroy that drive's data. Use the whole-device path (e.g., /dev/sdb), not a partition path like /dev/sdb1. For the sake of this example, we'll use /dev/sdb.

Write the image (again, substitute your actual device and file name):

sudo dd if=tails-amd64-7.5.img of=/dev/sdb bs=16M status=progress conv=fsync

Replace the .img file name with your version.

Unmount any auto-mounted partitions on the USB drive. Substitute your actual device name:

sudo umount /dev/sdb*

⚠️ Double-Check the Target: The dd command writes raw bytes to a device with no confirmation prompt. If you specify the wrong device — for example, your internal hard drive — it will be irrecoverably overwritten. Run lsblk before and after inserting the USB to confirm which device appeared.

5. First Boot and Tor Connection

1. Insert the Tails USB drive. Power on the computer and enter the boot menu. Common keys: F12, F2, Esc, or Del.
2. Select the USB drive from the boot menu. If UEFI Secure Boot is enabled, disable it in BIOS/UEFI settings first.
3. The Tails Welcome Screen appears. Select your language and keyboard layout.
4. Under Additional Settings, you can set an administration password. This is needed for installing additional software or accessing internal disks. Leave it blank unless you specifically need it.
5. Click Start Tails.
6. The Tor Connection assistant appears. See below for how to choose between a direct connection and a bridge.

⚠️ Wi-Fi Issues: Some Wi-Fi chipsets lack Linux driver support. If your wireless adapter is not recognized, connect via Ethernet or use a USB Wi-Fi adapter with known Linux compatibility (Atheros and Ralink chipsets tend to work). Check tails.net/support/known_issues.

Connecting to Tor Directly

If it is safe for your ISP and local network to know you are using Tor, select Connect to Tor automatically and click Connect to Tor. This is the simplest option and provides a faster connection. In most Western countries, Tor use is legal and unremarkable.

Using Tor Bridges

A Tor bridge is an unlisted entry point to the Tor network. Because bridges are not published in the public Tor directory, they are harder for censors and network monitors to detect and block. If any of the following apply to you, use a bridge:

• You are in a country that actively blocks Tor (China, Iran, Russia, Turkmenistan, Belarus, and others).
• Your ISP, employer, school, or local network blocks Tor connections.
• You do not want your ISP or local network administrator to know you are using Tor — even if Tor is not blocked. The fact that you connected to Tor may itself draw attention.
• You are a journalist, activist, or at-risk person operating in an environment where Tor use could trigger surveillance, interrogation, or worse.

How to Configure a Bridge in Tails

1. In the Tor Connection assistant, select Hide to my local network that I am connecting to Tor.
2. Choose a bridge type. Tails provides three options:
   • Use a default bridge. Tails includes a set of built-in obfs4 bridges. Select this option and Tails will try them automatically. This is the easiest method and works in many censorship environments. If one bridge fails, Tails tries the next.
   • Request a bridge from torproject.org. Tails can request bridge addresses directly. This is useful when the built-in bridges have been blocked. You may need to solve a CAPTCHA.
   • Enter bridge addresses manually. If you have obtained bridge addresses from a trusted source (a contact, the Tor Project's BridgeDB at bridges.torproject.org, or via email to [email protected]), enter them here. This is the most reliable option when default bridges are blocked.
3. Click Connect to Tor. Tails attempts to connect through the bridge. This may take 30 seconds to several minutes depending on network conditions.

Bridge Types Explained

ℹ️ Operational Note: Enable the Tor Bridge feature in Persistent Storage so Tails remembers your last successful bridge configuration. Without this, you must re-enter bridge details on every boot. If you have a working bridge and your environment changes (e.g., travel to a more restrictive network), obtain new bridges in advance before you lose access.

Obtaining Bridge Addresses in Advance

If you are planning to travel to a restrictive environment, obtain bridge addresses before you arrive. You will not be able to access BridgeDB if Tor is already blocked. Methods:

• Visit https://bridges.torproject.org from an uncensored connection and save the addresses.
• Send an email from a Gmail or Riseup address to [email protected] with the body get transport obfs4. The Tor Project will reply with bridge lines.
• Ask a trusted contact in an uncensored country to obtain bridges for you.
• Write the bridge lines on paper or store them in an encrypted note — they are just a few lines of text.

The Unsafe Browser

Tails includes an Unsafe Browser (Apps → Internet → Unsafe Browser) that connects directly to the internet without Tor. Its only intended purpose is to authenticate with captive portals (hotel, airport, café Wi-Fi) that require a login page before granting internet access. Never use the Unsafe Browser for any other purpose. It exposes your real IP address and is completely unprotected. Close it as soon as you have completed the captive portal login.

6. Persistent Storage

By default, Tails forgets everything on shutdown. Persistent Storage creates a LUKS-encrypted partition on the free space of your Tails USB drive, allowing you to retain specific files and settings across sessions.

Creating the Persistent Volume

1. Boot into Tails from your USB drive.
2. Navigate to Apps → Tails → Persistent Storage.
3. Enter a strong passphrase. Use a Diceware passphrase of at least five to seven words. If you forget it, the data is irrecoverable.
4. Click Create Persistent Storage. The partition fills the remaining free space on the drive.
5. Configure features (see table below), then restart Tails.
6. On subsequent boots, the Welcome Screen prompts you to unlock. Enter your passphrase or start without it for a fully amnesic session.

⚠️ Security Consideration: The Persistent Storage partition is not hidden. An adversary who seizes your USB drive can determine that encrypted storage exists. You could be compelled to reveal the passphrase. Factor this into your threat model.

Recommended Features

Each feature can be toggled independently. Only enable what you need — each feature slightly reduces the amnesic property by creating linkable patterns across sessions.

Backup Strategy

Your Persistent Storage lives on a single USB drive that can fail, be lost, or be seized. Create a second Tails USB with its own Persistent Storage and periodically copy critical files between them. For wallet seed phrases and PGP key backups, write them on paper and store in a physically secure location separate from the USB drive. Test your backup by booting from it and confirming access.

7. Bitcoin: Electrum Wallet

Tails ships with the Electrum Bitcoin wallet pre-installed. Electrum is a lightweight wallet that connects to remote servers rather than downloading the full blockchain. All Electrum traffic in Tails is routed through Tor.

First-Time Setup

1. Enable the Electrum Bitcoin Wallet feature in Persistent Storage (Apps → Tails → Persistent Storage).
2. Open Electrum: Apps → Internet → Electrum Bitcoin Wallet.
3. The setup wizard launches. Select Create new wallet, then Standard wallet, then Create a new seed.
4. Electrum displays a 12-word seed phrase. Write this down on paper immediately. Do not store it digitally. Do not screenshot it. This seed is the only way to recover your Bitcoin if the USB drive is lost.
5. Confirm the seed by re-entering it when prompted.
6. Set a wallet password to encrypt the wallet file on the Persistent Storage.
7. Electrum connects to a server through Tor and synchronizes.

⚠️ Privacy Warning: Electrum connects to third-party servers that can see which addresses your wallet queries. For maximum privacy, connect to your own Electrum server or use Tor onion servers exclusively. In Electrum, navigate to Tools → Network and configure the server manually.

Receiving and Sending

The Receive tab generates new addresses. Use a fresh address for each transaction to avoid linking payments. The Send tab constructs transactions — review the fee and destination address carefully before broadcasting.

Hardening for High-Risk Users

• Use onion servers. In Electrum, go to Tools → Network → Server. Enter a Tor onion Electrum server address. This prevents even the server operator from seeing your real IP (which Tor already hides), and ensures you are connecting to a Tor-native service rather than one that could be surveilled at the server's ISP.
• Disable automatic server selection. Uncheck Select server automatically so Electrum does not randomly connect to servers you have not vetted. A malicious server can correlate your addresses and transaction timing.
• Avoid address reuse. Never give the same address to two different parties. Each reuse links those parties to the same wallet on the blockchain permanently.
• Be aware of blockchain analysis. Bitcoin transactions are public. Amounts, addresses, and timing are all visible. Sophisticated adversaries use chain analysis to de-anonymize users. If transaction privacy is critical, consider Monero instead (Chapter Eight).
• Coin control. Advanced users can use Electrum's coin control feature (View → Show Coins) to manually select which UTXOs to spend, preventing accidental merging of coins from different sources that could link identities.

Restoring a Wallet

On a new Tails USB, select I already have a seed during the setup wizard and enter your 12-word seed phrase. The wallet reconstructs from the blockchain.

8. Monero: Feather Wallet

Monero is not included in Tails by default. The recommended wallet is Feather, a lightweight desktop wallet distributed as an AppImage. Because Feather is not in the Debian repositories, it does not receive the same level of review as bundled Tails software and is not auto-updated. You are responsible for verifying and updating it.

Installation

1. Ensure Persistent Storage is created and unlocked.
2. Open Tor Browser and navigate to https://featherwallet.org/download.
3. Download the Linux AppImage (the Tails-compatible version).
4. Download the signature file (.asc) and the release signing key (featherwallet.asc) from the same page.
5. Move all three files to ~/Persistent using the Files browser.
6. In the Persistent folder, right-click empty space → Open in Terminal.
7. Make the AppImage executable: right-click → Properties → Permissions → enable Allow executing file as program.
8. Double-click the AppImage to launch.

Import and verify:

gpg --import featherwallet.ascgpg --verify feather-2.7.0.AppImage.asc

Creating a Wallet

1. On first launch, select Create new wallet.
2. Feather generates a seed phrase (25-word legacy or 16-word Polyseed depending on version). Write it down on paper.
3. Choose a wallet file location inside ~/Persistent.
4. Set a strong password for the wallet file.

ℹ️ Privacy Advantage: Monero provides confidential transactions, stealth addresses, and ring signatures by default — the sender, receiver, and amount are hidden on-chain. Combined with Tor routing in Tails, this provides significantly stronger transaction privacy than Bitcoin.

Updating Feather

Feather is not updated automatically. Periodically check featherwallet.org for new releases. Download, verify, and replace the AppImage in your Persistent folder.

Hardening for High-Risk Users

• Use remote nodes through Tor. Feather connects through Tor automatically in Tails. However, the remote node you connect to can see your transaction when you broadcast it. Go to Settings → Node and select different nodes for different sessions, or use the built-in node rotation.
• Wait for confirmations. Do not consider a transaction received until it has at least 10 confirmations. Monero's default ring size provides plausible deniability, but freshly received outputs are more identifiable.
• Avoid round numbers. When sending, avoid amounts that look like round numbers in any fiat currency (e.g., exactly 0.1 XMR). Round amounts can be a fingerprint.
• Run your own node. For the highest assurance, run a Monero node on a separate machine and connect Feather to it. This is the only way to guarantee that no third party sees your transaction before it propagates to the network.

9. Pidgin with OTR Encryption

Tails includes Pidgin pre-installed with the OTR (Off-the-Record Messaging) plugin. In Tails, Pidgin is restricted to two protocols for security: XMPP (Jabber) and IRC. All traffic routes through Tor.

OTR provides four properties: encryption (nobody else reads your messages), authentication (you verify your contact's identity), deniability (messages cannot be cryptographically attributed after the conversation), and forward secrecy (compromise of keys does not expose past conversations).

⚠️ Important: OTR is off by default. Until you explicitly start a private conversation, messages are sent in plaintext. File transfers are not encrypted by OTR.

Setting Up an XMPP Account

1. Open Pidgin: Apps → Internet → Pidgin.
2. Go to Accounts → Manage Accounts → Add.
3. Set Protocol to XMPP. Enter a username and choose a Tor-friendly XMPP server.
4. Under the Advanced tab, set Connection security to Require encryption.
5. Check Create this new account on the server if registering.
6. Click Add. Pidgin connects through Tor and registers.

Enabling OTR

1. Go to Tools → Plugins. Find Off-the-Record Messaging and check the box.
2. Select the plugin and click Configure Plugin.
3. Select your account and click Generate to create your OTR key.
4. Recommended: enable Automatically initiate private messaging and Don't log OTR conversations.

Starting a Private Conversation

Open a chat with a contact who also has OTR. Click the OTR button in the toolbar and select Start private conversation. The session negotiates automatically. The status changes from "Not private" to "Unverified" (encrypted but identity unconfirmed) or "Private" (encrypted and verified).

Verifying Contacts

An unverified session is encrypted but vulnerable to man-in-the-middle attacks. Click the OTR button → Authenticate buddy and choose a method:

Persisting Configuration

Enable the Pidgin Internet Messenger feature in Persistent Storage. This saves account configuration, buddy list, and OTR keys across sessions. Chat logs are not saved unless you explicitly enable logging (not recommended).

Hardening for High-Risk Users

• Always verify before sharing sensitive information. An unverified OTR session means you have encrypted communications with someone claiming to be your contact. Until verification is complete, treat the session as potentially compromised. Manual fingerprint verification done in person is the gold standard.
• Use Tor-native XMPP servers. Register on XMPP servers that operate as Tor hidden services (.onion addresses). This means the server itself is only reachable through Tor, reducing the attack surface for surveillance.
• Never log conversations. Ensure logging is disabled in Pidgin (Tools → Preferences → Logging → uncheck all boxes). OTR provides deniability, but a log file on your USB drive does not.
• Create single-purpose accounts. Do not reuse an XMPP account across different contexts or for different contacts who should not be linked to each other. Create separate accounts for separate operational purposes.
• Destroy sessions when done. Click the OTR button and select End private conversation when finished. Do not leave encrypted sessions idle — an adversary who seizes your running session can continue it.
• Be aware of metadata. OTR encrypts message content, but the XMPP server can still see who is talking to whom, when, and for how long. Use servers you trust, and be aware that connection timing is itself intelligence.
• Consider Dino with OMEMO. The Tails project is evaluating Dino as a Pidgin replacement. OMEMO supports multi-device encryption and handles offline messages better than OTR. See Chapter Ten.

10. Additional Tools

KeePassXC — Password Manager

Pre-installed. Store all passwords in a KeePassXC database saved to ~/Persistent. Use Argon2id key derivation and a strong master passphrase. Back up the .kdbx database file to a second encrypted USB drive.

• Use a unique, randomly generated password for every account. KeePassXC's password generator should be your default.
• Set the database to lock after 60 seconds of inactivity (Tools → Settings → Security).
• Increase the decryption time to 1–2 seconds (Settings → Encryption → Decryption Time) to make offline brute-force attacks harder.
• Never copy your database to a networked device. Keep it only on encrypted media.

GnuPG / Kleopatra — PGP Encryption

Pre-installed. Enable the GnuPG feature in Persistent Storage to retain your keyring. Generate keys with gpg --full-generate-key or use Kleopatra's graphical interface. Use 4096-bit RSA or Ed25519 for new keys.

• Set an expiration date on your keys (1–2 years). You can always extend it. This ensures that if you lose access, the key eventually becomes invalid.
• Generate a revocation certificate immediately after key creation and store it separately on paper or a second encrypted USB.
• When exchanging keys with contacts, verify fingerprints out-of-band (in person, by phone). Do not trust keys downloaded from the internet without verification.
• Use subkeys for encryption and signing. Keep your master key offline when possible.

OnionShare — Anonymous File Sharing

Pre-installed. Creates a temporary Tor onion service to share files directly. The recipient accesses it through Tor Browser via a .onion address you provide. No third-party server is involved.

• Strip metadata from all files before sharing (see Metadata Cleaner below).
• Use the "Stop sharing after files have been sent" option to ensure the onion service disappears after the recipient downloads.
• Share the .onion address through an encrypted channel (OTR, Signal, or PGP-encrypted email), never over unencrypted channels.
• OnionShare can also host a temporary website or set up an anonymous drop box for receiving files.

Thunderbird — Email

Pre-installed. Supports OpenPGP encryption natively. Enable the Thunderbird feature in Persistent Storage. All connections route through Tor.

• Use email providers that support Tor access and do not require phone number verification. Proton Mail and Riseup are commonly used. Some providers allow registration via Tor.
• Encrypt every email that contains sensitive content. Encrypt by default when possible.
• Be aware that email metadata (To, From, Subject, Date) is never encrypted by OpenPGP. Use generic subject lines.
• Disable remote content loading (it can leak your IP to a surveillance server even over Tor) — this is disabled by default in Tails.
• Do not use your Tails email account from any other device or operating system.

Dino — Modern XMPP (Experimental)

The Tails project is evaluating Dino as a potential replacement for Pidgin. Dino supports OMEMO encryption, a modern multi-device protocol that improves on OTR with better handling of offline messages and group chats. It can be installed via Additional Software but is not yet officially integrated.

Metadata Cleaner

Images, PDFs, and office documents can contain author names, GPS coordinates, timestamps, camera serial numbers, and software versions. Use mat2 from the terminal to strip metadata: mat2 filename.pdf removes metadata in place. Always clean files before sharing, uploading, or transmitting — metadata has been used to identify journalists and their sources.

11. Operational Security Best Practices

Identity Separation

Never log into personal accounts from Tails. One login to a personal email, social media account, or service that knows your real name collapses the separation between your real and anonymous identities — permanently for that session and potentially beyond.

Physical Security

• Keep your Tails USB physically secure. An attacker with access can attempt offline brute-force attacks on the Persistent Storage passphrase.
• When traveling, the USB drive should be on your person, not in checked luggage.
• Shut down Tails before leaving the computer. In an emergency, physically remove the USB drive — Tails shuts down immediately and wipes RAM.

Network Discipline

• Do not use Tails and your regular OS on the same network in the same session for related activities.
• If Tor usage itself is a risk, configure a bridge during the Tor Connection step.
• Avoid public Wi-Fi where you are personally known. MAC spoofing helps but is not a complete defense.

Seed Phrase and Key Management

• Write wallet seed phrases on paper. Store in a fireproof, physically secure location.
• Never store seed phrases digitally — not in KeePassXC, not in a text file, not in a photo.
• Consider splitting seed phrase backups across two separate physical locations.
• Export PGP private key backups to paper via gpg --export-secret-keys --armor.

Behavioral Discipline

• Do not discuss your use of Tails on non-anonymous channels.
• Do not download and open files from untrusted sources. Malicious documents can exploit application vulnerabilities.
• Do not resize the Tor Browser window. The default size makes your browser fingerprint identical to other Tails users; resizing makes you uniquely identifiable.
• Do not install browser extensions or change Tor Browser settings. Every modification distinguishes you from other Tails users.
• Use the on-screen keyboard when entering passwords if you suspect hardware keyloggers.

12. Keeping Tails Updated

Tails releases updates approximately every six weeks. Only the latest version is supported. Running an outdated version exposes you to known security vulnerabilities.

Automatic Upgrades

When Tails detects a new version, it displays a notification and offers to upgrade. The automatic upgrade downloads only the changed components, preserving your Persistent Storage. Accept the upgrade, wait for completion, and restart.

Manual Upgrades

Automatic upgrades can fail if you have skipped several versions. In that case:

1. Back up your Persistent Storage data to a second encrypted USB.
2. Download the latest USB image from tails.net and verify it.
3. Flash the new image to a separate USB drive.
4. Boot from the new drive. Create Persistent Storage and restore your data.

⚠️ Warning: A manual reinstall (re-flashing the image onto the same USB) destroys the Persistent Storage on that drive. Always back up first.

Checking Your Version

Open a terminal and run cat /etc/amnesia/version. Compare the output against the latest release on tails.net.

13. Troubleshooting

14. Quick Reference Card

Application Paths

Key Commands

Essential Links

Emergency Procedures

This guide is provided for educational and operational reference. Verify all procedures against official Tails documentation at tails.net/doc before use in a high-risk environment. Software versions and procedures change; treat this as a starting point, not a substitute for current documentation.