Tails: The Amnesic Machine
A live OS that forgets on purpose. When you need to do one thing and leave no trace, this is the tool.
TL;DR
A live OS that boots from USB, routes everything through Tor, and forgets the session at shutdown. Tails is not a daily driver; it's the scalpel for the narrow class of tasks where leaving any trace is the threat. Verified install, minimal Persistent Storage, and three real playbooks.
What you'll be able to do
- A GPG-verified Tails USB on a reputable USB 3 stick.
- Persistent Storage configured for only the features that need to survive reboot.
- A first-boot procedure that leaves the venue with zero forensic timeline.
- Three credible playbooks: travel, one-shot anonymity, source comms via OnionShare.
- A discipline for not defeating Tails through your own habits.
Prerequisites
- A reputable USB 3 stick ≥ 32 GB (and a second identical one as backup).
- An x86-64 laptop, ideally a dedicated burner, capable of USB boot.
- A Linux box to GPG-verify the image before writing.
Threat model
Hostile networks, one-shot pseudonymous activity, suspected device compromise, and sensitive comms with sources. Not a global passive adversary doing Tor end-to-end correlation, and not firmware/hardware implants; those are different guides and harder problems.
Every persistent operating system is a forensic timeline. Logs, journals, swap, hibernation files, browser history, thumbnail caches, recent-documents lists, font caches that record which sites you visited because they pulled a custom webfont: a thousand little records you never asked to keep, sitting on disk, waiting for the next person who has access to the device. For most of what you do, that's fine. For a narrow class of tasks, that timeline is the threat.
Sometimes the only safe state is no state. A laptop that boots clean, does one thing, and forgets it ever happened the moment you pull the USB. That is what Tails is for. Not your daily driver (that is in the Qubes guide), but the specific tool for the specific job of leaving no trace.
Tails is Debian, plus Tor as the default network, plus an aggressively amnesic boot model that keeps everything in RAM and wipes that RAM at shutdown. Used correctly it does exactly what it promises. Used incorrectly, the way most people first use it, it leaks like any other OS. This guide is about using it correctly.
Persistent storage is a forensic timeline. Sometimes the right answer is no timeline at all.
By the end of this guide you will have a GPG-verified Tails USB, persistent storage configured for only the things that actually need to survive a reboot, and a clear playbook for the three real Tails use-cases: hostile-network travel, one-shot anonymous account creation, and sensitive source-comms via OnionShare.
§ 01
What Tails is, and what it isn't.
Three properties, stacked. Each buys you something specific.
DEBIAN UNDERNEATH
Boring, audited, well-understood. No surprise stack: the same packages you'd run on a server.
TOR BY DEFAULT
Every connection that leaves the box routes through Tor. Apps that try to bypass it are blocked at the network stack.
AMNESIC
Filesystem changes live in RAM. Shutdown wipes RAM. Nothing about this session exists tomorrow unless you explicitly opted in.
Tails is not a daily driver. It's not Qubes. It's not faster than your normal OS, it doesn't run modern games, and it isn't supposed to. It is the tool you reach for when the cost of leaving a trace is higher than the cost of inconvenience.
§ 02
When to actually reach for Tails.
| Use case | Why Tails fits | Alternative |
|---|---|---|
| Travel through hostile networks | Coffee-shop / airport / hotel Wi-Fi, boot clean, Tor by default, throw away on landing | Personal VPN on hardened laptop (less paranoid but lighter) |
| One-shot anonymous account | New identity, fresh circuit, no prior browser fingerprint, no persistent cookie pool | Qubes DispVM through sys-whonix (similar, more friction) |
| Suspected device compromise | Boot from external media, perform tasks without trusting the installed OS | Bootable rescue USB (less full-featured) |
| Sensitive comms (source ↔ journalist) | OnionShare baked in, GPG ready, no chat history afterwards | Signal on a burner phone (different threat model) |
| Daily driver (NOT a use case) | It's amnesic on purpose; running it daily defeats the purpose | Qubes OS |
§ 03
Hardware.
Samsung Bar Plus or SanDisk Extreme USB 3 (32 GB+)
USB stick · the actual Tails device
Reputable brand, USB 3 for speed, 32 GB so persistent storage has room. Avoid no-name sticks; they fail.
A second identical stick
Backup · always have two
Tails sticks die. Re-create the backup whenever you change persistent storage settings.
An x86-64 burner laptop
Boot target · UEFI capable
An old ThinkPad off eBay for $150 is the ideal pairing. Macs work but need rEFInd; not worth it for sensitive tasks.
An ethernet adapter (optional)
Network · for venues with broken Wi-Fi
USB-C / USB-A gigabit adapters work out of the box. Useful in hotels with captive portals from hell.
§ 04
Verify the ISO. Then write it.
Tails is exactly the kind of project whose download an attacker on a hostile CDN would find worth substituting. Verify the image with GPG against the Tails signing key, published with a fingerprint you can cross-reference from multiple independent sources, before writing it to a USB.
- STEP 01
Download the image and the signature.
From tails.net/install only. Grab both the `.img` and the `.img.sig` file.
- STEP 02
Import and verify the Tails signing key.
The Tails signing key fingerprint is published in multiple places (project site, Debian keyservers, archive.org mirrors of past releases). Check at least two before trusting.
▌ verify-tails.sh
```bash
# Get the key
wget https://tails.net/tails-signing.key
gpg --import tails-signing.key
# Print and CROSS-CHECK the fingerprint against tails.net/doc/about/openpgp_keys
gpg --fingerprint tails@boum.org
# Verify the image
gpg --verify tails-amd64-X.Y.img.sig tails-amd64-X.Y.img
# Expect: "Good signature from Tails developers"
```
↳ Run from any Linux machine, not from a previous Tails session.
- STEP 03
Write to USB.
From Linux: `dd` is the most direct path. On Windows or macOS, use the installer Tails ships with; it handles the device details for you.
▌ dd.sh
```bash
lsblk   # confirm which device is the USB
sudo umount /dev/sdX* 2>/dev/null
sudo dd if=tails-amd64-X.Y.img of=/dev/sdX bs=16M oflag=direct status=progress
sync
```
↳ Triple-check the device name. dd with the wrong target erases the wrong disk.
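The check from Step 02 as a script, added here as an example (not code from the Tails project): `gpg --verify` reports a good signature for any key present in your keyring, so this parses `gpg --status-fd` output and accepts only a signature whose primary-key fingerprint equals the one you cross-checked. The function names and the sample status lines are constructed for illustration; the real fingerprint is yours to supply.

```bash
#!/bin/sh
# Added example, not Tails project code. Function names are hypothetical.

# Normalise a fingerprint as printed by `gpg --fingerprint`: no spaces, upper case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Reads `gpg --status-fd` lines on stdin; $1 is the fingerprint you cross-checked.
# Returns 0 only if a VALIDSIG names that primary key and no failure was reported.
sig_matches_pin() {
  want=$(norm_fpr "$1"); matched=1
  # Require a full 40-hex-digit fingerprint; a short key ID is not a pin.
  case "$want" in ""|*[!0-9A-F]*) return 1 ;; esac
  [ "${#want}" -eq 40 ] || return 1
  while read -r prefix tag rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case "$tag" in
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
      VALIDSIG)
        # Field 1 is the key that signed (often a subkey); when present,
        # field 10 is the primary key, which is the one that gets published.
        n=0; first=""; last=""
        for f in $rest; do
          n=$((n + 1)); [ "$n" -eq 1 ] && first=$f; last=$f
        done
        [ "$n" -ge 10 ] && primary=$last || primary=$first
        [ "$(norm_fpr "$primary")" = "$want" ] && matched=0 ;;
    esac
  done
  return "$matched"
}

# Usage: verify_image IMAGE SIGNATURE PINNED_FINGERPRINT
verify_image() {
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_matches_pin "$3"
}

# Constructed sample, not real key material: a subkey signature in gpg's status layout.
SAMPLE_PIN="0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"
SAMPLE_SUBKEY="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $(norm_fpr "$SAMPLE_PIN")"

printf '%s\n' "$SAMPLE_STATUS" | sig_matches_pin "$SAMPLE_PIN" && echo "sample: pinned key matched"
```

Call `verify_image` with the image, the `.img.sig` file and the fingerprint you cross-checked, and run `dd` only if it returns 0.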
§ 05
First boot and Tor.
- STEP 01
Boot the USB.
Reboot the laptop, hit the BIOS boot-menu key (F12 on most ThinkPads, F9/F10 on others), select the USB. If it's not listed: enter BIOS, disable Secure Boot, ensure USB boot is enabled, retry.
- STEP 02
Welcome Screen, set language and additional settings.
Language + keyboard, then click "+" for Additional Settings. Three switches that matter:
§ CHECKLIST, Welcome-Screen toggles
- STEP 03
Wait for Tor.
The Tor Connection assistant appears. Direct connection usually completes in 15–60 seconds. Watch the indicator in the top bar, green onion means you're up. Don't open anything until then.
§ 06
Persistent Storage, only what you must keep.
Tails will offer to set up Persistent Storage on the USB. The temptation is to enable everything; the discipline is to enable nothing you don't need. Every feature you turn on is a thing about you that survives the next reboot, a small defeat of the entire point.
- STEP 01
Create with a strong passphrase.
Applications → Tails → Persistent Storage. Choose a passphrase you can type from memory; you'll enter it at every boot. A long passphrase (5+ random words) beats a short complex one.
- STEP 02
Enable only what you actually need.
The default is everything off. Add features one at a time, with a reason.
| Feature | Enable when | Cost |
|---|---|---|
| Persistent Folder | You need to bring files across sessions | Files persist; treat them as compromising amnesia |
| Tor Bridges | You live somewhere that blocks Tor | Bridge configuration is recoverable from the stick |
| GnuPG | You sign or encrypt with a stable key | Your keyring is persistent; protect the passphrase |
| Pidgin / Thunderbird / Electrum | You operate a stable identity in those apps | Account state is persistent and recoverable from the stick |
| Additional Software | You need a package not shipped by default | Each added package is a thing that survives reboot |

↳ Default to off. Each switch you flip is a piece of state that survives.
§ 07
Operational discipline.
§ CHECKLIST, Habits that keep Tails honest
§ 08
The three credible playbooks.
- STEP 01
The travel pass.
You're on a hostile network: airport Wi-Fi, hotel captive portal, conference LAN. Boot Tails on the burner laptop. MAC spoofing on. No Persistent Storage for this trip. Do the work (checking email, reading docs, posting updates) entirely from this session. Shut down before leaving the venue. Nothing about your session remains on the laptop, the stick, or the network's records beyond "a random MAC showed up for an hour".
- STEP 02
The one-shot anonymous account.
You need an identity with no link to your real one: a research persona, a whistleblower handle, a one-time registration. Boot fresh. New Tor circuit (the onion menu → "New Identity"). Create the account from the Tor Browser. Save credentials to a password manager off-device if you need them again. Do not let this persona use the same Tails USB as any other.
- STEP 03
Source comms via OnionShare.
OnionShare ships in Tails. Generate a one-time Onion address for the file or chat. Share the URL through a channel the recipient already trusts (Signal, etc.). They receive over Tor. You close OnionShare; the address ceases to exist. Both ends used Tor end-to-end; neither of you ran a server you have to take down later.
§ 09
Updates.
Tails ships with its own updater. Run it whenever the bubble appears in the top bar, and ignore the urge to "skip just this once": every Tails release has security fixes that the previous one didn't.
```bash
# GUI: Applications → System Tools → Tails Upgrader
# CLI fallback (only when the upgrader refuses):
tails-upgrade-frontend-wrapper
# After upgrade, REBOOT and verify version in the top-bar 'About Tails'.
# If the upgrader can't apply an incremental update, follow the manual
# upgrade instructions on tails.net, DO NOT skip versions.
```
§ 10
Verification.
§ CHECKLIST, Per-session verification
§ 11
What Tails does NOT do.
✓ PROTECTS AGAINST
- Local forensic traces: no logs, no history, no swap, no journal after shutdown.
- Network-layer identification: Tor masks your IP from the destination and most network observers.
- MAC-address logging by the venue's Wi-Fi (with MAC spoofing on).
- Account-cookie persistence between sessions: every session starts cookie-clean.
- Browser-fingerprint stability between sessions: Tor Browser deliberately fingerprints identically across users.
✗ DOES NOT PROTECT AGAINST
- Anything that leaves Tor: clearnet apps, BitTorrent over Tails, etc.
- Compromised laptop firmware or a hardware keylogger.
- A global passive adversary correlating Tor entry and exit traffic.
- Doxxing yourself: logging into your real-name account inside Tails defeats the entire point.
- Stylometry, behavioural biometrics, typing cadence, or anything about how you write.
- Lapses in operational discipline: Tails is a tool; the user makes the choices that compromise it.
§ 12
Going further.
DAILY DRIVER
Qubes OS → For the work Tails is too amnesic for.
RECON
Self-OSINT → Run the wide pass from a Tails session.
IDENTITY HARDENING
YubiKeys & Hardware 2FA → Carry one factor that survives the amnesia.