path: root/wiki/src/doc/encryption_and_privacy/encrypted_volumes.mdwn
blob: 48f9494d13c39039ceeafc58ad1c5370d4df6fbd (plain)
[[!meta title="Create and use encrypted volumes"]]

The simplest way to carry around the documents you want to use with Tails and
keep them from being read by anyone who gets hold of the storage device is to
store them in an encrypted volume: a dedicated partition on a USB stick or
external hard disk. Encryption protects the confidentiality of the files; it
does not by itself let you detect that the encrypted data was tampered with
while the device was out of your hands.

Tails comes with utilities for LUKS, the standard disk encryption format on Linux:

  - <span class="application">GNOME Disks</span> allows you to
    create encrypted volumes.
  - The GNOME desktop allows you to open encrypted volumes.

<div class="tip">

<p>To store encrypted files on a Tails USB stick, it is recommended to create a
[[persistent volume|first_steps/persistence]] instead.</p>

</div>

[[!toc levels=2]]

Create an encrypted partition
=============================

To open <span class="application">GNOME Disks</span> choose
<span class="menuchoice">
  <span class="guimenu">Applications</span>&nbsp;▸
  <span class="guisubmenu">Utilities</span>&nbsp;▸
  <span class="guimenuitem">Disks</span></span>.

Identify your external storage device
-------------------------------------

<span class="application">Disks</span> lists all the current storage
devices on the left side of the screen.

  1. Plug in the external storage device that you want to use.

  1. A new device appears in the list of storage devices. Click on it:

     [[!img storage_devices_after.png link=no alt=""]]

  1. Check that the description of the device on the right side of the screen
  corresponds to your device: its brand, its size, etc.

Format the device
-----------------

  1. Click on the <span class="guimenu">[[!img lib/open-menu.png alt="Menu" class="symbolic" link="no"]]</span> button
     in the titlebar and choose <span class="guilabel">Format Disk…</span>
     to erase all the existing partitions on the device.

  1. In the <span class="guilabel">Format Disk</span> dialog:

     - If you want to erase all data securely, choose to
       <span class="guilabel">Overwrite existing data with zeroes</span> in the
       <span class="guilabel">Erase</span> drop-down list. On USB sticks, SD
       cards and SSDs the controller may keep copies of old data in blocks
       that overwriting does not reach, so this does not guarantee that the
       previous contents are gone.

     - Choose <span class="guilabel">Compatible with all
       systems and devices (MBR/DOS)</span> in the <span class="guilabel">Partitioning</span>
       drop-down list.

     Then click <span class="button">Format…</span>.

  1. In the confirmation dialog, make sure that the device
     is correct. Click <span class="button">Format</span> to confirm.

Create a new encrypted partition
--------------------------------

Now the schema of the partitions in the middle of the screen shows an empty
device:

[[!img empty_device.png link=no alt="Free Space 8.1 GB"]]

  1. Click on the <span class="guimenu">[[!img lib/list-add.png alt="Create partition" class="symbolic" link="no"]]</span>
     button to create a new partition on the device.

  1. In the <span class="guilabel">Create Partition</span> dialog:

     - <span class="guilabel">Partition Size</span>: you can create a partition
       on the whole device or only on part of it. In this example we are
       creating a partition of 4.0 GB on a device of 8.1 GB.

     - <span class="guilabel">Type</span>: choose
       <span class="guilabel">Encrypted, compatible with Linux systems (LUKS + Ext4)</span>
       from the drop-down list.

     - <span class="guilabel">Name</span>: you can set a name for the partition.
       The name is stored as the label of the filesystem inside the encrypted
       container, so it remains invisible until the partition is unlocked, but
       it helps you identify the partition in the file browser while it is open.

     - <span class="guilabel">Passphrase</span>: type a passphrase for the
       encrypted partition and repeat it to confirm.

     Then click <span class="button">Create</span>.

     <div class="bug">
     <p>If an error occurs while creating the new partition, try to unplug the
     device, restart <span class="application">GNOME Disks</span>,
     and follow all steps again from the beginning.</p>
     </div>

  1. Creating the partition takes from a few seconds to a few minutes. After
     that, the new encrypted partition appears in the volumes on the device:

     [[!img encrypted_partition.png link="no" alt="Partition 1 4.0 GB LUKS / secret 4.0 GB Ext4"]]

  1. If you want to create another partition in the free space on the
     device, click on the free space and then click on the
     <span class="guimenu">[[!img lib/list-add.png alt="Create partition" class="symbolic" link="no"]]</span>
     button again.

Use the new partition
---------------------

You can open this new partition from the sidebar of the file browser with the
name you gave it.

After opening the partition with the file browser, you can also access it
from the <span class="guimenu">Places</span> menu.
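The same procedure typed as shell commands, added here as an example; it is not part of the Tails documentation or of GNOME Disks. It assumes util-linux, parted, cryptsetup and e2fsprogs, root privileges, and a device that shows up as `/dev/sdX` (hypothetical) with its first partition as `/dev/sdX1`; the 4 GiB size, the name `secret` and the mount point `/media/secret` are taken from the screenshots above. With `DRY_RUN=1` (the default) the commands are only printed, so you can check that the target device is the right one before anything irreversible happens; `DRY_RUN=0` executes them. The "Name" from the GNOME Disks dialog becomes the ext4 label inside the container, which is why it is invisible until the volume is unlocked.

```shell
#!/bin/sh
# CLI equivalent of the GNOME Disks steps. Added example, not Tails code.
# Assumes util-linux, parted, cryptsetup, e2fsprogs and root; the device is
# a hypothetical /dev/sdX whose first partition is "${DEV}1". Everything on
# DEV is destroyed. DRY_RUN=1 (default) prints the commands instead of
# running them.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# "Format Disk...": optionally overwrite with zeroes, then write an MBR/DOS
# partition table ("Compatible with all systems and devices").
format_disk() {                   # format_disk DEV [zero]
  dev=$1
  if [ "${2:-}" = zero ]; then
    run dd if=/dev/zero of="$dev" bs=4M conv=fsync
  fi
  run wipefs -a "$dev"
  run parted -s "$dev" mklabel msdos
}

# "Create Partition": a partition of SIZE, a LUKS container on it, and an
# ext4 filesystem whose label (the "Name" field) lives inside the container.
# luksFormat prompts for the passphrase twice.
create_encrypted_partition() {    # create_encrypted_partition DEV NAME SIZE
  dev=$1; name=$2; size=$3
  part="${dev}1"
  run parted -s "$dev" mkpart primary 1MiB "$size"
  run cryptsetup luksFormat --type luks2 "$part"
  run cryptsetup open "$part" "$name"
  run mkfs.ext4 -L "$name" "/dev/mapper/$name"
  run cryptsetup close "$name"
}

# "Use the new partition": unlock and mount; afterwards unmount and lock
# again (the eject button in the file browser).
open_encrypted_partition() {      # open_encrypted_partition PART NAME MOUNTPOINT
  run cryptsetup open "$1" "$2"
  run mount "/dev/mapper/$2" "$3"
}
close_encrypted_partition() {     # close_encrypted_partition NAME MOUNTPOINT
  run umount "$2"
  run cryptsetup close "$1"
}

# Prints the full plan for a hypothetical stick at /dev/sdX: a 4 GiB
# partition named "secret", as in the screenshots. Never executes anything.
plan_example() {
  DRY_RUN=1
  format_disk /dev/sdX zero
  create_encrypted_partition /dev/sdX secret 4GiB
  open_encrypted_partition /dev/sdX1 secret /media/secret
  close_encrypted_partition secret /media/secret
}

[ $# -eq 0 ] && plan_example
```

Run it without arguments to see the twelve commands it would execute; to run them for real, source the file and call the functions with `DRY_RUN=0` after double-checking the device with `lsblk -o NAME,SIZE,MODEL`.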

Open an existing encrypted partition
====================================

When plugging in a device containing an encrypted partition, Tails does not open the partition
automatically but you can do so from the file browser.

1. Choose
   <span class="menuchoice">
     <span class="guimenu">Places</span>&nbsp;▸
     <span class="guisubmenu">Computer</span></span>
   to open the file browser.

1. Click on the encrypted partition that you want to open in the sidebar.

   [[!img nautilus_encrypted.png link="no" alt="File browser with '4.0 GB Encrypted' entry in the sidebar"]]

1. Enter the passphrase of the partition in the password prompt and
   click <span class="button">Unlock</span>.

   If you choose the option <span class="guilabel">Remember Password</span> and have
   the <span class="guilabel">[[GNOME Keyring|first_steps/persistence/configure#gnome_keyring]]</span>
   persistence feature activated, the password is stored in the persistent storage and remembered across multiple
   working sessions. Anyone who can unlock your persistent storage can then
   also open this encrypted partition without knowing its passphrase.

1. After opening the partition with the file browser, you can also access it
   from the <span class="guimenu">Places</span> menu.

1. To close the partition after you finished using it, click on the
   <span class="guimenu">[[!img lib/media-eject.png alt="Eject" class="symbolic" link="no"]]</span>
   button next to the partition in the sidebar of the file browser.

Storing sensitive documents
===========================

Such encrypted volumes are not hidden: the LUKS header at the start of the
partition is stored in the clear, so an attacker in possession of the device
can tell that there is an encrypted volume on it, and how it was set up, without
knowing the passphrase. Take into consideration that you can be forced or
tricked into giving out its passphrase.
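What exactly is readable without the passphrase, shown by a small probe script. This is an added example, not Tails or cryptsetup code; it uses only `dd`, `od`, `tr` and `awk`, and the field offsets follow the on-disk LUKS1 and LUKS2 header layouts used by cryptsetup (magic at byte 0, version at byte 6, then cipher name, mode and hash for LUKS1 or the label for LUKS2, and the UUID at byte 168 in both). Because the verifier cannot create a real container, the script also builds a constructed 208-byte stand-in for a LUKS1 header so the parser can be exercised offline; `cryptsetup luksDump` prints the same fields on a real device.

```shell
#!/bin/sh
# luks_probe: what someone holding the device can read from the first
# sector of a LUKS partition without the passphrase. Added example, not
# Tails or cryptsetup code; uses only dd, od, tr and awk. Field offsets
# follow the on-disk LUKS1 and LUKS2 header layouts used by cryptsetup.
set -eu

hexat() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
strat() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }
u16at() { dd if="$1" bs=1 skip="$2" count=2 2>/dev/null | od -An -tu1 | awk '{ print $1 * 256 + $2 }'; }

# Prints "none" when the LUKS signature is absent; otherwise the cleartext
# metadata: cipher, mode, hash and UUID for LUKS1, label and UUID for LUKS2.
# (LUKS2 also keeps a backup header, magic "SKUL\xba\xbe", further in.)
luks_probe() {
  f=$1
  case "$(hexat "$f" 0 6)" in
    4c554b53babe) ;;                 # "LUKS\xba\xbe"
    *) echo none; return 0 ;;
  esac
  case "$(u16at "$f" 6)" in
    1) echo "luks1 cipher=$(strat "$f" 8 32) mode=$(strat "$f" 40 32) hash=$(strat "$f" 72 32) uuid=$(strat "$f" 168 40)" ;;
    2) echo "luks2 label=$(strat "$f" 24 48) uuid=$(strat "$f" 168 40)" ;;
    *) echo "luks version=$(u16at "$f" 6)" ;;
  esac
}

pad() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# Constructed 208-byte stand-in for a LUKS1 header (not a real container):
# magic, version 1, then zero-padded text fields at their LUKS1 offsets.
mk_sample_luks1() {
  {
    printf 'LUKS\272\276'; pad 1; printf '\001'            # magic + version 0x0001
    printf 'aes';          pad 29                          # cipherName @8,  32 bytes
    printf 'xts-plain64';  pad 21                          # cipherMode @40, 32 bytes
    printf 'sha256';       pad 26                          # hashSpec   @72, 32 bytes
    pad 64                                                 # payloadOffset..iterations @104..167
    printf '1234abcd-0000-4000-8000-000000000000'; pad 4   # uuid @168, 40 bytes
  } > "$1"
}

# Usage: luks_probe.sh /dev/sdX1 [...]  (read access to the device needed)
for dev in "$@"; do
  printf '%s: %s\n' "$dev" "$(luks_probe "$dev")"
done
```

The point for this section: everything the probe prints is visible to anyone who can read the raw device. Only the contents of the partition, and the filesystem label set as the "Name", are behind the passphrase.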

Opening encrypted volumes from other operating systems
======================================================

It is possible to open such encrypted volumes from other operating systems,
but doing so might compromise the security provided by Tails: the other
system can leave traces of the decrypted contents on its own disk.

For example, image thumbnails might be created and saved by the other
operating system, or the contents of files might be indexed by its search
features.

<a id="change"></a>

Change the passphrase of an existing encrypted partition
========================================================

To open <span class="application">GNOME Disks</span> choose
<span class="menuchoice">
  <span class="guimenu">Applications</span>&nbsp;▸
  <span class="guisubmenu">Utilities</span>&nbsp;▸
  <span class="guimenuitem">Disks</span></span>.

1. Plug in the external storage device containing the encrypted partition that you
want to change the passphrase for.

1. The device appears in the list of storage devices. Click on it:

   [[!img storage_devices_after.png link=no alt=""]]

1. Check that the description of the device on the right side of the screen
corresponds to your device: its brand, its size, etc.

1. Click on the partition displaying a [[!img lib/network-wireless-encrypted.png alt="padlock" class="symbolic" link="no"]] at the bottom-right corner.

1. Click on the <span class="guimenu">
   [[!img lib/system-run.png alt="Additional partition options" class="symbolic" link="no"]]
   </span> button and choose <span class="guimenu">Change Passphrase…</span>