Tails OS: The Amnesic Incognito Live System Complete Guide
Tails (The Amnesic Incognito Live System) is a portable operating system designed to protect your privacy and anonymity. It is a complete Linux-based operating system that you can boot from a USB stick on virtually any computer, leaving no trace on the host machine when you shut down. Every internet connection is forced through the Tor network, and the system is designed to leave no digital footprint -- when you remove the USB stick and shut down the computer, it is as though you were never there. Tails has been used by journalists, whistleblowers, activists, and privacy-conscious individuals around the world, and it was notably one of the primary tools used by Edward Snowden when communicating with journalists about NSA surveillance programs.
This article provides a thorough, expert-level guide to Tails OS, covering its architecture, installation process, persistent storage configuration, built-in security features, known limitations, and a detailed comparison with Whonix -- another privacy-focused operating system that takes a fundamentally different approach to achieving similar goals.
How Tails Works: Architecture and Design Principles
Tails is built on Debian GNU/Linux and designed around two core principles: amnesia and forced anonymity. The amnesia principle means that Tails runs entirely in RAM and does not use the host computer's hard drive (unless you explicitly configure persistent storage on the USB stick). When the computer is shut down, everything in RAM is lost. Tails also overwrites RAM on shutdown to prevent cold boot attacks, where an attacker could potentially recover data from memory chips that retain information briefly after power loss.
The forced anonymity principle means that all network traffic from every application on the system is routed through the Tor network. This is enforced at the operating system level through iptables firewall rules that block any non-Tor traffic. Unlike simply using the Tor Browser on a regular operating system, where other applications might bypass Tor and leak your real IP address, Tails ensures that every network connection -- whether from the browser, email client, instant messenger, or any other application -- goes through Tor without exception.
The system is configured as a live operating system, meaning it boots directly from the USB stick into a fully functional desktop environment without installing anything to the host computer. The entire operating system, including all applications, is contained on the USB stick. This makes Tails extremely portable -- you can carry your secure computing environment in your pocket and use it on any computer that supports USB booting.
Tails is developed as a free and open-source project. All source code is publicly auditable, and the project has undergone multiple security audits. The official project website at tails.net provides documentation, download links, and community resources. The source code is available on the project's GitLab repository.
System Requirements
Tails has modest hardware requirements, but there are some important considerations. You will need a computer with at least 2 GB of RAM (4 GB or more is recommended for comfortable use), a 64-bit x86 processor (most computers manufactured after 2006), and the ability to boot from USB. You will also need a USB stick with at least 8 GB of storage capacity. Tails does not support ARM processors, so it cannot run on devices like Raspberry Pi or most Chromebooks.
Not all computers boot from USB by default. You may need to enter the BIOS or UEFI settings (typically by pressing F2, F12, Delete, or Escape during boot) to change the boot order or select USB as the boot device. Some newer computers with Secure Boot enabled may require you to disable Secure Boot before Tails will boot, although recent versions of Tails include support for Secure Boot on many systems.
Installation Process
Downloading and Verifying Tails
Download the Tails USB image from the official website at tails.net/install. The installation page provides detailed, step-by-step instructions tailored to your current operating system (Windows, macOS, or Linux). The Tails team takes verification seriously and provides multiple methods to verify your download.
The recommended verification method uses the Tails Verification extension for your browser, which automatically checks the downloaded image against the Tails signing key. For manual verification using GPG, you can download the OpenPGP signature and verify it:
# Import the Tails signing key
gpg --keyserver hkps://keys.openpgp.org --recv-keys A490D0F4D311A4153E2BB7CADBB802B258ACD84F
# Verify the downloaded image
gpg --verify tails-amd64-VERSION.img.sig tails-amd64-VERSION.img
For detailed information on GPG verification, refer to our comprehensive PGP Encryption guide.
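Added example, not part of the original article or the Tails project's tooling: gpg --verify exits successfully for a good signature from any key in your keyring, so this script reads GnuPG's --status-fd output and accepts only a signature whose primary key is the fingerprint imported above. The function names and the status lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tails project code): check WHICH key made the signature
# by parsing GnuPG's machine-readable status lines.

# Fingerprint from the --recv-keys command above.
TAILS_FPR="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"

# sig_primary_fpr: read `gpg --status-fd` lines on stdin and print the primary
# key fingerprint of the valid signature. Fails when there is no VALIDSIG line
# or when gpg flags the signature or key as expired or revoked (gpg still
# emits VALIDSIG in those cases).
sig_primary_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        # Field 12 is the primary key; field 3 is the (sub)key that signed.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (fpr == "" || bad) exit 1; print fpr }
    '
}

# signed_by STATUS_TEXT FPR: true only for a valid signature from key FPR.
signed_by() {
    [ "$(printf '%s\n' "$1" | sig_primary_fpr)" = "$2" ]
}

# verify_tails_image SIG IMAGE: run gpg and apply the check above.
verify_tails_image() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    signed_by "$status" "$TAILS_FPR"
}

# Constructed status output (subkey fingerprint, key ID and dates are made up).
SUBKEY="1111111111111111111111111111111111111111"
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Signer
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 22 10 00 $TAILS_FPR"
# Same signature, but gpg reports the signing key as expired.
EXPIRED_STATUS="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111111111111111 Constructed Signer
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 22 10 00 $TAILS_FPR"
# Valid signature from an unrelated key that happens to be in the keyring.
OTHER="2222222222222222222222222222222222222222"
OTHER_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Someone Else
[GNUPG:] VALIDSIG $OTHER 2024-01-01 1704067200 0 4 0 1 10 00 $OTHER"

# Demo on the constructed samples: prints accept, reject, reject.
for s in "$GOOD_STATUS" "$EXPIRED_STATUS" "$OTHER_STATUS"; do
    if signed_by "$s" "$TAILS_FPR"; then echo "accept"; else echo "reject"; fi
done
```

With real files, call verify_tails_image tails-amd64-VERSION.img.sig tails-amd64-VERSION.img and continue to the next step only if it returns 0.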
Writing Tails to USB
On Linux, you can write the Tails image to a USB stick using the dd command or the GNOME Disks utility. On Windows, the Tails team recommends using balenaEtcher, a free and open-source USB image writing tool. On macOS, you can use either balenaEtcher or the command line.
# Linux: Write Tails image to USB (CAUTION: verify the correct device name)
# Use lsblk to identify your USB device
lsblk
# Write the image (replace /dev/sdX with your actual USB device)
sudo dd if=tails-amd64-VERSION.img of=/dev/sdX bs=16M oflag=direct status=progress
Be extremely careful with the dd command -- writing to the wrong device will irrecoverably destroy its contents. Always double-check the target device name before executing the command.
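Added example, not from the original article or the Tails documentation: a pre-flight check for the dd step above that uses Linux sysfs and /proc/mounts to reject partitions, non-removable disks, mounted devices and devices smaller than the image. The function name and the SYSFS_ROOT and MOUNTS_FILE overrides are hypothetical, added so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the Tails documentation): refuse to run dd unless
# the target looks like an idle, removable, whole disk.
# SYSFS_ROOT and MOUNTS_FILE are hypothetical overrides used for testing.

# check_dd_target DEVICE IMAGE
# Prints "ok" and returns 0 only if every check passes; otherwise prints the
# first failed check and returns 1.
check_dd_target() (
    # Subshell body: variables stay local and `exit` only leaves the function.
    dev=$1
    img=$2
    sys="${SYSFS_ROOT:-/sys}/block/${dev#/dev/}"
    mounts="${MOUNTS_FILE:-/proc/mounts}"

    case $dev in
        /dev/*) ;;
        *) echo "not a /dev path: $dev"; exit 1 ;;
    esac
    [ -f "$img" ] || { echo "no such image: $img"; exit 1; }

    # /sys/block lists whole disks only, so /dev/sdb1 has no entry here.
    [ -d "$sys" ] || { echo "not a whole disk: $dev"; exit 1; }

    # The kernel sets removable=1 for USB sticks; internal disks report 0.
    [ "$(cat "$sys/removable")" = 1 ] || { echo "not removable: $dev"; exit 1; }

    # Any mounted partition of the device means it is in use.
    if grep -q "^$dev" "$mounts"; then echo "mounted: $dev"; exit 1; fi

    # sysfs reports size in 512-byte sectors regardless of the block size.
    have=$(( $(cat "$sys/size") * 512 ))
    need=$(( $(wc -c < "$img") ))
    [ "$have" -ge "$need" ] || { echo "too small: $dev"; exit 1; }

    echo ok
)

# Usage: sh check_dd_target.sh /dev/sdX tails-amd64-VERSION.img
if [ "$#" -eq 2 ]; then
    check_dd_target "$1" "$2" &&
        echo "run: sudo dd if=$2 of=$1 bs=16M oflag=direct status=progress"
fi
```

Some USB devices, such as certain external SSD enclosures, report removable=0 and are rejected; that is the conservative direction for a check whose job is to keep dd away from internal disks.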
First Boot
After writing the image, reboot your computer from the USB stick. You will be presented with the Tails Greeter, a welcome screen that allows you to configure initial settings before the desktop loads. The Greeter allows you to set an administration password (needed for tasks that require root privileges, such as configuring persistent storage), configure MAC address anonymization, and set up network connection options including bridges for censored networks.
If you do not set an administration password, you will not be able to perform administrative tasks during that session. This is a deliberate security measure -- it prevents malware from gaining root access if no administration password is set.
Persistent Storage
By default, Tails stores nothing between sessions. Every time you shut down, all data is lost. While this is excellent for security, it is impractical for many use cases. The Persistent Storage feature allows you to create an encrypted partition on the same USB stick that Tails boots from, where you can store selected types of data between sessions.
To create Persistent Storage, boot into Tails with an administration password, then navigate to Applications > Tails > Persistent Storage. You will be prompted to create a passphrase that will encrypt the persistent partition. Choose a strong passphrase -- this is the only protection between an attacker with physical access to your USB stick and your stored data. The encryption uses LUKS (Linux Unified Key Setup) with strong defaults.
What You Can Persist
Tails allows you to selectively persist the following categories of data:
Personal Data: A dedicated folder in your home directory for storing files between sessions. This is accessible at /home/amnesia/Persistent.
Browser Bookmarks: Your Tor Browser bookmarks can be preserved between sessions, saving you from manually re-entering frequently visited addresses.
Network Connections: Saved Wi-Fi passwords and network configurations so you do not have to re-enter them each time you boot.
GnuPG Keys: Your PGP key pairs and keyring, which are essential if you use PGP regularly. Without this, you would need to re-import your keys every session.
SSH Client: Your SSH keys and known hosts file, useful if you connect to remote servers.
Thunderbird Email: Your email account configuration and local mail storage for the Thunderbird email client.
Electrum Bitcoin Wallet: Your Electrum wallet data, including transaction history and keys.
Additional Software: The ability to automatically install additional Debian packages on each boot. This is useful for tools that are not included in the default Tails installation.
Dotfiles: Configuration files from your home directory, allowing you to customize application settings that persist between sessions.
Built-in Security Features
Tails includes a comprehensive suite of pre-installed security and privacy tools, all configured with security-first defaults.
Tor Browser
The Tor Browser is the default and only web browser in Tails. It is pre-configured with the security settings recommended by the Tor Project, and its traffic is guaranteed to flow through Tor by the system-level firewall rules. The browser includes NoScript and other privacy extensions configured for maximum protection.
Thunderbird with Enigmail/OpenPGP
Tails includes Mozilla Thunderbird for email, with built-in OpenPGP support for encrypting, decrypting, signing, and verifying email messages. This allows you to communicate securely via email without installing any additional software.
KeePassXC
KeePassXC is a cross-platform password manager that stores your passwords in an encrypted database. When used with Persistent Storage, your password database is preserved between sessions, providing a convenient and secure way to manage authentication credentials.
OnionShare
OnionShare allows you to securely and anonymously share files, host websites, and receive files using Tor onion services. When you share a file through OnionShare, it creates a temporary onion service that the recipient can access through the Tor Browser, without the data ever passing through a third-party server.
Metadata Removal
Tails includes MAT2 (Metadata Anonymisation Toolkit), which strips identifying metadata from files before you share them. Digital photographs, PDF documents, office files, and many other formats contain metadata that can reveal information about the device that created them, the software used, timestamps, GPS coordinates, and more. MAT2 removes this metadata to prevent inadvertent information disclosure.
Secure Memory Wiping
When you shut down Tails (or remove the USB stick), the system overwrites the computer's RAM to prevent cold boot attacks. This is implemented through a dedicated shutdown script that fills memory with random data before the system powers off. This is a critical security feature that protects against forensic recovery of data from the computer's memory.
MAC Address Anonymization
Tails automatically randomizes the MAC (Media Access Control) address of your network interfaces on each boot. Your MAC address is a hardware identifier that is unique to your network card and can be used to track your physical location as you connect to different networks. By randomizing it, Tails prevents this form of tracking.
Known Limitations
Despite its robust security design, Tails has several important limitations that users must understand to maintain realistic expectations about their security posture.
The Host Hardware Problem
Tails runs on whatever computer you boot it from, and it must trust that hardware to some extent. A compromised BIOS/UEFI firmware, a hardware keylogger, or a malicious Thunderbolt/USB device could potentially compromise Tails regardless of its software-level protections. If you are facing an adversary capable of hardware-level attacks, you should use dedicated, trusted hardware for your Tails sessions.
No Protection Against Targeted Firmware Attacks
If an adversary has previously compromised the BIOS or firmware of the computer you are using, Tails cannot protect you. Firmware-level malware can survive reboots, operate below the operating system level, and potentially exfiltrate data in ways that Tails cannot detect or prevent. For high-risk users, this means you should not use Tails on computers that may have been physically accessed by an adversary.
Tor Network Limitations
Tails inherits all the limitations of the Tor network itself. Tor exit nodes can potentially observe unencrypted traffic (always use HTTPS). Global passive adversaries with the ability to observe traffic at both the entry and exit of the Tor network can potentially perform timing correlation attacks. Tor is also slower than a direct internet connection, which can impact usability.
Persistent Storage Risks
While the Persistent Storage is encrypted, enabling it reduces Tails' amnesia property. Any data stored persistently could potentially be recovered by an adversary who obtains your USB stick and can compel or trick you into revealing the passphrase. Some jurisdictions have laws that can compel disclosure of encryption passwords. For the highest level of security, consider not using Persistent Storage at all.
Tails vs Whonix: A Detailed Comparison
Whonix is another privacy-focused operating system that routes all traffic through Tor, but it takes a fundamentally different architectural approach than Tails. Understanding the differences is crucial for choosing the right tool for your threat model. Comprehensive Whonix documentation is available at whonix.org.
Architecture
Tails is a live operating system that boots from a USB stick and runs directly on the host hardware. Whonix, in contrast, consists of two virtual machines: a Gateway VM that handles all Tor routing, and a Workstation VM where you do your actual work. The Workstation can only connect to the internet through the Gateway, ensuring all traffic passes through Tor.
This architectural difference has profound security implications. Whonix's two-VM design means that even if the Workstation is completely compromised by malware, the attacker cannot discover your real IP address because the Workstation has no direct network access -- it can only communicate through the Gateway, which only routes traffic through Tor. In Tails, a sufficiently sophisticated exploit that gains root access could potentially reconfigure the firewall rules and bypass Tor.
Persistence and Usability
Tails is designed for amnesic sessions with optional limited persistence. Whonix is designed for persistent use -- it runs as a virtual machine on your existing operating system and preserves its state between sessions by default. This makes Whonix more suitable for long-running tasks, development work, and situations where you need to maintain a consistent environment over time.
Tails excels in situations where you need portability and the ability to leave no trace. Carrying a USB stick is far more discreet than carrying a laptop with Whonix installed, and booting Tails on a public or borrowed computer provides security guarantees that Whonix cannot match in that scenario.
Isolation Model
Whonix provides stronger isolation through virtualization. The Workstation VM is completely isolated from the host operating system and the Gateway VM. Even if an attacker compromises the Workstation, they would need to escape the virtual machine (a VM escape exploit) to access the host system or the Gateway. VM escape exploits exist but are rare and valuable.
Tails relies on the Linux kernel and its security features (AppArmor, namespaces, seccomp) for application isolation. While these are effective, they are generally considered a weaker isolation boundary than a full virtual machine hypervisor.
Network Security
Both Tails and Whonix route all traffic through Tor, but their enforcement mechanisms differ. Tails uses iptables firewall rules on a single system. Whonix uses network-level isolation between two separate virtual machines. The Whonix approach is architecturally stronger because the Workstation literally cannot reach the internet without going through the Gateway -- there are no firewall rules to potentially bypass because the Workstation's virtual network adapter is only connected to the Gateway's internal network.
When to Use Each
Use Tails when you need portability, want to leave no trace on the computer you use, are using a borrowed or public computer, or need the amnesia property. Use Whonix when you need stronger application isolation, want a persistent working environment, are doing development or research that requires long-running sessions, or need to run applications that are not included in Tails.
For the highest level of security, some users run Whonix inside Tails -- booting Tails from a USB stick and then running Whonix virtual machines within the Tails session. This combines the amnesia property of Tails with the strong isolation of Whonix, though it requires a computer with substantial RAM (at least 8 GB) and adds significant complexity.
Advanced Tips and Operational Security
Use a dedicated USB stick: Do not use the same USB stick for Tails and for other data storage. Dedicate a USB stick exclusively to Tails. Some users keep multiple Tails USB sticks -- one primary and one backup -- in case one fails or is lost.
Keep Tails updated: Tails releases updates regularly to patch security vulnerabilities and update the included software. The built-in Tails Upgrader makes this process straightforward. Never skip updates, as running an outdated version exposes you to known vulnerabilities. Check the Tails security page for advisories about known issues.
Be cautious with Persistent Storage: Only enable the persistence features you actually need. Each additional feature that persists data increases the amount of potentially sensitive information stored on your USB stick. If you do not need to persist browser bookmarks, for example, do not enable that feature.
Verify your Tails USB: Periodically verify that your Tails USB has not been tampered with. If you leave your USB stick unattended in a location where someone could access it, consider creating a fresh Tails installation rather than trusting the existing one.
Understand the bridge situation: If you are in an environment where Tor is blocked, configure bridges through the Tails Greeter before connecting to the network. Tails supports obfs4, Snowflake, and meek bridges. For detailed information about bridges and pluggable transports, see our Complete Tor Browser Guide.
Use the unsafe browser judiciously: Tails includes an "Unsafe Browser" that connects directly to the internet without Tor. This is intended solely for logging into captive portals (such as airport or hotel Wi-Fi login pages) that require a direct connection. Never use the Unsafe Browser for any other purpose, as it exposes your real IP address.
Tails represents one of the most carefully designed privacy tools available today. Its combination of forced Tor routing, amnesic design, and portable form factor makes it uniquely suited for situations where leaving no digital trace is paramount. However, like all security tools, it must be used correctly and with a realistic understanding of its limitations. Combined with good operational security practices, strong encryption through PGP, and an understanding of the broader privacy landscape, Tails is an invaluable component of a comprehensive privacy strategy. The Electronic Frontier Foundation continues to advocate for tools like Tails as essential components of digital freedom.