diff --git a/opsec/tailsqemuvm/21.png b/opsec/tailsqemuvm/21.png index 57dd804..e051e0f 100644 Binary files a/opsec/tailsqemuvm/21.png and b/opsec/tailsqemuvm/21.png differ diff --git a/opsec/tailsqemuvm/30.png b/opsec/tailsqemuvm/30.png new file mode 100644 index 0000000..03699c3 Binary files /dev/null and b/opsec/tailsqemuvm/30.png differ diff --git a/opsec/tailsqemuvm/31.png b/opsec/tailsqemuvm/31.png new file mode 100644 index 0000000..5e9aace Binary files /dev/null and b/opsec/tailsqemuvm/31.png differ diff --git a/opsec/tailsqemuvm/32.png b/opsec/tailsqemuvm/32.png new file mode 100644 index 0000000..6bc7559 Binary files /dev/null and b/opsec/tailsqemuvm/32.png differ diff --git a/opsec/tailsqemuvm/33.png b/opsec/tailsqemuvm/33.png new file mode 100644 index 0000000..03699c3 Binary files /dev/null and b/opsec/tailsqemuvm/33.png differ diff --git a/opsec/tailsqemuvm/34.png b/opsec/tailsqemuvm/34.png new file mode 100644 index 0000000..a2daa7f Binary files /dev/null and b/opsec/tailsqemuvm/34.png differ diff --git a/opsec/tailsqemuvm/35.png b/opsec/tailsqemuvm/35.png new file mode 100644 index 0000000..e03f6f5 Binary files /dev/null and b/opsec/tailsqemuvm/35.png differ diff --git a/opsec/tailsqemuvm/36.png b/opsec/tailsqemuvm/36.png new file mode 100644 index 0000000..6eb5690 Binary files /dev/null and b/opsec/tailsqemuvm/36.png differ diff --git a/opsec/tailsqemuvm/37.png b/opsec/tailsqemuvm/37.png new file mode 100644 index 0000000..058c517 Binary files /dev/null and b/opsec/tailsqemuvm/37.png differ diff --git a/opsec/tailsqemuvm/40.mp4 b/opsec/tailsqemuvm/40.mp4 new file mode 100644 index 0000000..89f1a33 Binary files /dev/null and b/opsec/tailsqemuvm/40.mp4 differ diff --git a/opsec/tailsqemuvm/index.html b/opsec/tailsqemuvm/index.html index d17d75c..69a1390 100644 --- a/opsec/tailsqemuvm/index.html +++ b/opsec/tailsqemuvm/index.html @@ -63,21 +63,17 @@ Previous Page

nihilist@mainpc - 2024-10-03

Tails OS QEMU VM for Temporary Sensitive Use

-

In this tutorial we're going to look at how you can run Tails OS (The Amnesic Incognito Linux System) in a QEMU VM, following the official documentation here.

+

In this tutorial we're going to look at how you can run Tails OS (The Amnesic Incognito Linux System) on a USB Stick, and also on a QEMU VM, following the official documentation here.

Tails OS is suitable for Short Term Sensitive Use due to it's default live-mode feature, where upon shutting down the OS, every forensic trace of what you were doing is completely erased from memory, where the entire OS is loaded into. There are no disk-writes at all by default. (Unless if you use the persistent storage, which is not suitable for sensitive use, due to not being deniable encryption like Veracrypt ).

- - -

OPSEC Recommendations:

+ +

OPSEC Recommendations (for the live USB setup):

    -
  1. Hardware : (Personal Computer / Laptop)

  2. +
  3. Hardware : (Personal Computer / Laptop) and a USB stick (with at least 2GB)

  4. Host OS: Linux

  5. -
  6. Hypervisor: libvirtd QEMU/KVM

  7. -
  8. Application: Host-based VPN (if your ISP doesn't allow Tor traffic)

-

I recommend using this setup for Anonymous use if you store anything into the persistent storage, or for short-term Sensitive use if you are not storing anything sensitive in the persistent storage, as per the 4 basic OPSEC levels.

-

Sidenote: If your ISP does not allow Tor traffic, make sure that you route the QEMU VMs traffic through a VPN, to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup

+

I recommend using this setup for Anonymous use if you store anything into the persistent storage, or for short-term Sensitive use if you are not storing anything sensitive in the persistent storage, as per the 4 basic OPSEC levels.
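
Review bot: the added hardware item "a USB stick (with at least 2GB)" in the live USB recommendations contradicts the resize step kept further down the page, where the image is grown to 8Gbs with "truncate -s 8192M tails-amd64-6.3.img" before it is flashed. An 8192M image will not fit on a 2GB stick, so either state the minimum as the resized image size or say that the resize only applies to the QEMU path. The page title "Tails OS QEMU VM for Temporary Sensitive Use" is also left unchanged although the intro now covers the USB stick first; consider renaming it to match.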

@@ -89,7 +85,7 @@
-

Tails Setup

+

Tails live USB Setup

First we download Tails OS as a USB image here:

Then we resize the image size to be able to contain persistent storage (in this case, i'll make it 8Gbs):
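
Review bot: under the renamed heading "Tails live USB Setup", the step "First we download Tails OS as a USB image here:" still goes straight to the resize, with no check of the downloaded file. Since this image now becomes the boot medium, add a step before the resize that verifies the download against the signature the Tails project publishes. It would also help to say whether "Then we resize the image size to be able to contain persistent storage" is needed for the USB path at all, given that the page tells readers not to put anything sensitive in persistent storage.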

@@ -102,7 +98,55 @@ → truncate -s 8192M tails-amd64-6.3.img -

And now we can create the VM in virt-manager like so:

+

Now here we can use balenaetcher to flash the tails OS image onto a usb stick that we plug in on our computer:

+ +

+nihilist@mainpc:~$ lsblk
+NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+
+[...]
+sdc           8:32   1  14.6G  0 disk  
+[...]
+
+nihilist@mainpc:~$ cd .mullvad-browser/Downloads/
+nihilist@mainpc:~/.mullvad-browser/Downloads$ unzip balenaEtcher-linux-x64-1.19.25.zip 
+nihilist@mainpc:~/.mullvad-browser/Downloads$ cd balenaEtcher-linux-x64/
+nihilist@mainpc:~/.mullvad-browser/Downloads/balenaEtcher-linux-x64$ ./balena-etcher
+
+
+ + + +

Now that the Tails OS image has been flashed onto the usb stick, you can simply reboot your computer, and then enter the boot menu to choose to boot onto the USB rather than onto your host OS. In this example i need to press ESC, but depending on your motherboard you may need to press F2, or F11, or another key.

+ +

Then after entering the boot options by pressing ESC, we press 1 to choose to boot onto the USB key, rather than booting on the system drive.

+ + +

And you've just booted in Tails OS from your usb key!

+ +
+
+
+ + + +
+
+
+
+

Tails QEMU VM Setup

+ +

OPSEC Recommendations (for the QEMU setup):

+
    +
  1. Hardware : (Personal Computer / Laptop)

  2. +
  3. Host OS: Linux

  4. +
  5. Hypervisor: libvirtd QEMU/KVM

  6. +
  7. Application: Host-based VPN (if your ISP doesn't allow Tor traffic)

  8. +
+

Sidenote: If your ISP does not allow Tor traffic, make sure that you route the QEMU VMs traffic through a VPN, to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup

+ + +

Now in the same way (even though it is a less-popular setup) we can also we can create a Tails OS QEMU VM in virt-manager like so:
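
Review bot: the added terminal session shows lsblk with "sdc 8:32 1 14.6G 0 disk", but the text around it never says that sdc is the USB stick or that flashing overwrites whatever device is selected. Add one sentence after the lsblk output telling the reader to identify the removable device (RM column 1, expected size) and to confirm it in balenaEtcher before writing, so a system disk is not picked by mistake. Two wording points in the same hunk: "we can also we can create a Tails OS QEMU VM" repeats "we can", and the moved sidenote still ends with a stray "Setup" after "(You -> VPN -> Tor)".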

@@ -125,12 +169,12 @@
-
+
-

Persistent Storage Setup



-

Next, if you want to enable the persistent storage go there:

+

Persistent Storage Setup (warning, this is not deniable encryption!)



+

Next, if you want to enable the persistent storage (which uses regular encryption, do not store anything sensitive in it!) go there:

make sure you enter a strong password that can't be bruteforced easily:
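
Review bot: the new warnings in the heading and in "which uses regular encryption, do not store anything sensitive in it!" say what not to do but not why, and the reason only appears later under Deniability Context ("the adversary can force you to unlock it to reveal the contents"). Put that reason in the added sentence itself and drop the duplicate warning from the heading, so the section stands on its own. "go there:" also depends entirely on the screenshot; name the menu entry in the text.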

@@ -185,16 +229,22 @@ Nsyh+-..+y+- yMMMMd :mMM+ DE: GNOME 43.9
-
+

Deniability Context



Now suppose you are living in a country where using Tails OS and Tor is not going to be a reason to immediately throw you in jail, the adversary is busting down your door, while you are browsing a sensitive website with it, and you want to make sure that there is no incriminating evidence to be found against you when the adversary seizes your computer.

Reminder, this is only for temporary sensitive use, do not save anything sensitive in the persistent storage because otherwise the adversary can force you to unlock it to reveal the contents.

+

If you have a regular live usb tails os setup, all you need to do is to simply unplug or disconnect the USB stick to shutdown the system and wipe off all forensic trace of what you were doing:

+ + +

And If you have a Tails OS VM, you can simply hit the shutdown button to erase what you were doing in the VM:

All you need is to shutdown the VM, and everything forensic trace of what you were doing in it gets immediately erased from memory, as if there was nothing there to begin with. Effectively leaving the adversary empty-handed with no incriminating evidence to use against you in court.

-

And that's it! You now have a dedicated VM for your temporary sensitive uses.

+

And that's it! You now have a dedicated live OS for temporary sensitive use.
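
Review bot: the added USB sentence and the unchanged VM sentence ("everything forensic trace of what you were doing in it gets immediately erased from memory") give the same guarantee for both setups, but in the QEMU case the guest runs on a Linux host with libvirtd and a resized image file on the host disk, none of which Tails controls. State explicitly that the erasure claim applies to the Tails guest and that the host OS and hypervisor can retain traces, or limit the claim to the live USB setup. Wording in the same hunk: "And If you have" should be "And if you have", and "everything forensic trace" should read "every forensic trace".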