Tails Guide (Part 2): Persistence

13 May 2023 16 minutes Author: D2-R2

Why doesn’t Tails save settings?

Recall that Tails is a Live system: it is written to the medium in such a way that changes to the file system are not saved. Any system settings you change (and even any packages you update) are kept only in RAM and disappear completely when the system is restarted. If you are working from an ISO (optical disc), you can use other media to save files, but system settings will not be saved. If you run Tails from a flash drive, however, you can configure persistence, that is, permanent storage. If you have worked with persistence volumes on other Linux distributions, you know how it works: from a technical point of view, persistence differs from an operating system installed on a regular disk. In a normal installation, the operating system creates new files on the disk and deletes unnecessary ones. With persistence, the system always remains a Live system: it is written to a partition that cannot be changed, so files can be neither written to it nor deleted from it.

Instead, a new partition (the persistence partition) is attached, and files can be written to it. This is what makes it possible to save settings and files at all. The Live partition also takes up less space than a fully installed system. And you can still start the system without persistence, in which case the Live system boots in its original state. In short: persistence in Tails stores only what the developers intended, while in other Linux distributions persistence stores almost all changes made in the system, as in a regular Linux installation.

Persistence in Tails

Encrypted persistent storage Tails (persistence)

If you run Tails from a USB flash drive, you can create a volume with permanent storage in the free space of the drive. Files on such a volume are stored encrypted and remain accessible after a system reboot. This is possible only if Tails is installed on a USB flash drive (not on an optical disc) and the capacity of the flash drive is at least 8 GB.

This persistent volume can be used to store the following:

  • Personal files

  • Settings

  • Additional software

  • Encryption keys

A persistent volume is an encrypted partition protected by a password. After creating a persistent partition, you can choose to activate it or not every time you start Tails. Using persistent storage on a system designed to provide anonymity and leave no traces is a rather complex matter, so let’s start with the caveats.

Persistent storage warning

Storage of sensitive documents

The persistent volume is not hidden. An attacker who takes possession of your USB flash drive can find out that it has permanent storage. Keep in mind that the password can be obtained from you under duress or by deception. Instructions for securely removing a persistent volume are given below.

Browser plugins

The web browser is the central part of systems like Tails. The plugins included in the browser are carefully selected and configured with security in mind. If you install other plugins or change your settings, you may break your anonymity.

Installing additional programs

To protect your anonymity and leave no traces, Tails developers have selected and carefully tuned apps that work well together. Installing additional programs may cause unexpected problems and may break Tails’ built-in protections.

Minimal use

Minimize the use of persistent storage; use it only when necessary. You can always run Tails without activating the persistent volume. All permanent volume features are optional and do not require explicit activation. Only the files and folders you specify are saved.

Opening permanent storage from other operating systems

You can open a persistent volume from other operating systems, but doing so could compromise Tails’ security. For example, other operating systems may create and save image thumbnails, or index the contents of the files. You probably should not trust other operating systems to handle sensitive information or to leave no traces.

Overwriting configurations

The applications included with Tails are carefully configured with security in mind. If you use a persistence volume to overwrite the configurations of applications included with Tails, this may compromise security or render those applications unusable. Be especially careful when using the Dotfiles feature (more on it below). Moreover, the anonymity of Tor and Tails relies on the installed systems of different users being identical, so that it is difficult to distinguish one Tails user from another. Changing the default configurations can break your anonymity: you make your system more unique and different from other Tails systems.

Creation of permanent storage

Important: You must be booted from the flash drive for which you want to set up persistent storage. To start the persistent volume assistant, select Applications → Tails → Configure persistent volume.

A window will open in which you need to enter a password twice. You need to come up with this password and remember it, because if you forget it, you will not be able to decrypt files placed in permanent storage. The longer the password, the harder it is to crack. Developers recommend long passphrases of five to seven random words. Click the Create button.

Wait for the creation to complete. The assistant will then show a list of possible persistence functions. Each function corresponds to a set of files or settings to be saved in the encrypted storage.

It is recommended to start by activating only the Personal Data storage. Later you can activate more points according to your needs. When everything is ready, click Save.

Changes will take effect after restarting the computer. So restart the system. When turned on, a new item will be available in the welcome window. If you enter the correct password, the permanent storage will be connected. You can also leave it off, then the regular Live system will boot.

Persistent storage is connected only to the current session (until the computer is restarted). Only files placed in the Persistent folder are saved. To get to this folder, click Places and select Persistent.

Setting up persistent storage

To start the persistent volume assistant, select Applications → Tails → Configure persistent volume.

Note: The error message “Error, Persistence partition is not unlocked.” means that persistence has been enabled with Tails Greeter. In that case you cannot customize it, but you can delete it and create a new one.

Persistence functions and options

Note: Only the features listed here can be saved at this time. Some other features were requested and accepted by the developers but are still waiting to be implemented: browser extensions, wallpapers, default sound card, mouse and touchpad settings, and more. Remember: if you disable a feature that was previously enabled, it will be deactivated after Tails is restarted, but the corresponding files will remain on the persistent volume.

To delete files that match the function:

  1. Start Tails and set an administrator password.

  2. Select Applications → System Tools → Root Terminal to open a terminal with administrative rights.

  3. Execute the command

to open a file browser with administrative rights. Or just type in a regular terminal:

  4. In the file browser, navigate to /live/persistence/TailsData_unlocked.

  5. Delete the folder corresponding to the function for which you want to delete the saved files:

When the Personal Data feature is activated, you can store your personal files and work documents in the Persistent folder. To open the folder, choose Places → Persistent.

When the Browser Bookmarks feature is enabled, Tor Browser bookmark changes are saved on the persistent volume. This does not apply to Unsafe Browser.

When the Network Connections feature is enabled, the configuration of network devices and connections is stored on the persistent volume.

When the Additional Software feature is activated, the additional packages you have selected are automatically installed every time you start Tails. The corresponding program packages are stored on the persistent volume. For security, they are automatically updated after a network connection is established. The packages included with Tails are thoroughly tested for security. Installing additional packages can break Tails’ built-in security, so be careful what you install.

When the Printers feature is activated, the printer configuration is stored on the persistent volume.

When the Thunderbird feature is activated, the configuration and emails of the Thunderbird email client are stored on the persistent volume.

When the GnuPG feature is enabled, the OpenPGP keys you create or import are stored on the persistent volume. If you manually edit or overwrite the ~/.gnupg/gpg.conf configuration file, you may reduce your anonymity, weaken the default encryption settings, or make GnuPG unusable.

When the Bitcoin Client feature is activated, the Bitcoin wallet and Electrum Bitcoin client settings are stored on the persistent volume.

When the Pidgin feature is activated, Pidgin Internet Messenger configuration files are placed in persistent storage.

These include:

  • Configuration of your accounts, contact list and chats.

  • Your OTR encryption keys and keyring.

Discussion content is not saved unless you specifically configure Pidgin to do so.

All customization options are available from the GUI. There is no need to manually edit or overwrite configuration files.

When the SSH Client feature is activated, all files belonging to the secure-shell client are stored on the persistent volume:

  • SSH keys you created or imported

  • The public keys of the hosts you connected to

  • SSH configuration file ~/.ssh/config

If you manually edit the ~/.ssh/config configuration file, be sure not to overwrite the default configuration from the /etc/ssh/ssh_config file. Otherwise, you can weaken the default encryption or break SSH.

When the Dotfiles feature is enabled, all files in the /live/persistence/TailsData_unlocked/dotfiles folder are linked into the home folder. Files in subfolders of dotfiles are also linked into the corresponding subfolders of the home folder. For example, there are the following files in /live/persistence/TailsData_unlocked/dotfiles:

This results in /home/amnesia:

This option is useful if you want to make some specific files permanent, but not the folder they are located in. A good example of so-called dotfiles (hence the name of this feature) are hidden configuration files in the root of your home directory, such as ~/.gitconfig and ~/.bashrc. As you can see in the previous example, empty folders are ignored. This function only links files, but not folders, from the persistent volume to the Home folder.
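
As an added example (not code from Tails or from this guide), the following shell sketch previews what the Dotfiles feature described above would link into the home folder and marks the files this guide warns about overriding, such as ~/.gnupg/gpg.conf and ~/.ssh/config. The function names, the SENSITIVE list and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Tails code): list what the Dotfiles feature would link
# into the home folder and flag files that override security-relevant settings.

# Files this guide warns about editing by hand (~/.gnupg/gpg.conf and
# ~/.ssh/config) plus shell start-up files. The list is an assumption.
SENSITIVE=".gnupg/gpg.conf .ssh/config .bashrc .profile"

# audit_dotfiles DOTFILES_DIR [HOME_DIR]
# Prints "<LINK|REVIEW> <path in home>" for every regular file below
# DOTFILES_DIR. Folders are never listed, so empty folders produce no output.
# The body runs in a subshell, so cd and variables do not leak to the caller.
audit_dotfiles() (
    src=$1
    home=${2:-/home/amnesia}
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        exit 2
    fi
    cd "$src" || exit 2
    find . -type f | sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r rel; do
        status=LINK
        for s in $SENSITIVE; do
            if [ "$rel" = "$s" ]; then status=REVIEW; fi
        done
        printf '%s %s/%s\n' "$status" "$home" "$rel"
    done
)

# make_sample_tree DIR: constructed sample layout with one empty folder.
make_sample_tree() {
    mkdir -p "$1/.config/empty-folder" "$1/.gnupg" "$1/.ssh"
    : > "$1/.gitconfig"
    : > "$1/.config/monitors.xml"
    : > "$1/.gnupg/gpg.conf"
    : > "$1/.ssh/config"
}

# Demonstration on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_dotfiles "$demo"
rm -rf "$demo"
```

In a Tails session with the persistent volume unlocked, the directory to pass is /live/persistence/TailsData_unlocked/dotfiles; every REVIEW line is a file whose contents replace a default that Tails ships.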

Saving monitor configurations

If you have more than one display (for example, two monitors or a projector), you can save the configurations of your displays using the Dotfiles feature.

  1. Activate the Dotfiles feature and restart Tails.

  2. Select System Tools → Settings → Displays.

  3. Adjust the displays.

  4. Open /live/persistence/TailsData_unlocked/dotfiles in the file manager.

  5. Select Menu → Show Hidden Files.

  6. Create a folder called .config (config preceded by a period).

  7. Copy the .config/monitors.xml file from your home folder to /live/persistence/TailsData_unlocked/dotfiles/.config.

Connecting and using persistent storage

After creating persistent storage, a new field, “Encrypted Persistent Storage”, appears on the welcome screen when you start Tails (where you can choose a language). Enter the persistent volume password in it and click Unlock.

To use persistent storage, open the Persistent folder via Places → Persistent. Here you can save personal folders and work documents; they will be kept after a reboot. Advanced users can access the internal contents of persistent storage by selecting Places → Computer and opening the folders live → persistence → TailsData_unlocked.

Changing the permanent storage password

  1. Start Tails and enter the administrator password. Do not activate the persistent volume in the Tails welcome window.

  2. Open Disks from Applications → Utilities → Disks. Disks will list the current storage devices in the left pane of the window. When you select one of these devices, detailed information about it is displayed in the right pane: its partitions, brand, size, and more.

  3. Locate the device that contains the persistent volume. It should have two partitions, one labeled Tails and the other labeled TailsData, the latter corresponding to persistent storage.

  4. In the right pane, click the persistent storage partition labeled TailsData.

  5. Open the context menu in Disks and select Change Passphrase….

  6. Enter the current password from the persistent store and enter the new password twice.

  7. Finally, click Change to confirm.

  8. In the confirmation dialog box, enter the administrator password and click Authenticate.

  9. Now you can restart Tails and try to enable the persistent volume with its new password.

Manual copying of data from permanent storage to a new USB flash drive

Copying old files to a new persistent partition.

  1. Select Applications → System Tools → Root Terminal to open a terminal with administrator privileges.

  2. Run the command:

to open a file browser with administrator rights.

  3. In the left pane, click Other Locations.

  4. In the right pane, go to Computer → media → amnesia → TailsData to open the old persistent volume.

  5. In the title bar, select Menu → New tab to open a new tab.

  6. In the left pane, click Other Locations.

  7. In the right pane, go to Computer → live → persistence → TailsData_unlocked to open the new persistent volume.

  8. Click on the TailsData tab.

  9. To copy a folder containing persistent storage data from the old volume to the new one, drag the folder from TailsData to the TailsData_unlocked tab. When copying the folder, select the Apply this action to all files option and click Merge to apply it to all subfolders. You may then need to select the Apply this action to all files option again and click Replace to apply it to all files. Do not copy a folder unless you know what it is used for.

  • The apt folder and the live-additional-software.conf file correspond to the Additional Software persistent storage function. But they require admin rights to import, and that’s beyond the scope of these instructions. Remember that this folder does not contain personal data.

  • The bookmarks folder corresponds to the Browser Bookmarks persistent storage function.

  • The cups-configuration folder corresponds to the Printers persistent storage function.

  • The dotfiles folder corresponds to the Dotfiles persistent storage function.

  • The electrum folder corresponds to the Bitcoin Client (Bitcoin Wallet) persistent storage function.

  • The gnupg folder corresponds to the GnuPG persistent storage functionality.

  • The thunderbird folder corresponds to Thunderbird’s permanent storage function.

  • The nm-connections folder corresponds to the Network Connections persistent storage function.

  • The openssh-client folder corresponds to the SSH Client persistent storage function.

  • The Persistent folder corresponds to the Personal Data persistent storage function.

  • The pidgin folder corresponds to Pidgin’s permanent storage function.

  10. After copying, close the file browser.

  11. In the terminal, run the following commands to correct access rights to your personal files:

Create a new USB flash drive with Tails

  1. Install the latest Tails onto the new USB flash drive using the normal installation instructions. Do not use the old Tails USB flash drive during the installation if there is reason to think that it is damaged.

  2. Create permanent storage on a new USB flash drive. We recommend using a different password to protect the new persistent volume.

  3. Re-enable the persistence features of your choice on this new USB flash drive.

  4. Restart on the new USB flash drive, enable the persistent volume and set an administrator password.

Mount the old persistent volume

  1. Connect the old Tails USB flash drive from which you want to save your data.

  2. Choose Applications → Utilities → Disks to open GNOME Disks.

  3. In the left pane, click on the USB flash drive that corresponds to the old Tails USB installation.

  4. In the right pane, click on the partition labeled LUKS. The partition name should be TailsData.

  5. Press the Unlock button to unlock the old persistent volume. Enter the password of the old persistent volume and click Unlock.

  6. Click on the TailsData partition that appears under the LUKS partition.

  7. Click the Mount button. The old persistent partition is now mounted as /media/amnesia/TailsData.

Persistent storage file system check

Unlocking persistent volume

In rare circumstances, you may need to perform a file system check to fix a defective persistent volume.

  1. Start Tails with persistent storage disabled and set an admin password.

  2. Choose Applications → Utilities → Disks to open GNOME Disks.

  3. In the left pane, click on the device that corresponds to the Tails USB flash drive.

  4. In the right pane, click on the partition labeled TailsData LUKS.

  5. Press the Unlock button to unlock permanent storage. Enter the persistent volume password and click Unlock.

  6. In the confirmation dialog box, enter the administrator password and click Authenticate.

  7. Click on the TailsData Ext4 partition that appears under the TailsData LUKS partition.

  8. Identify the Device name of your persistent volume, which appears under the list of volumes. It should look like /dev/mapper/luks-xxxxxxxx. Triple-click to select it and press Ctrl+C to copy the name to the clipboard.

Checking the file system using the terminal

  1. Select Applications → System Tools → Root Terminal and enter the administrator password to open the root terminal.

  2. In the terminal, run the following command, replacing [device] with the device name found in step 8:

fsck -y [device]

To do this, you can type fsck -y followed by a space and press Shift+Ctrl+V to paste the name from the clipboard.

If the file system has no errors, the last line of fsck output starts with TailsData: clean.

If the file system contains errors, fsck will try to fix them automatically. After it finishes, you can try this command again to see if all the errors are fixed.

Deleting persistent storage

  1. Run Tails from the USB flash drive where you want to delete the persistent storage. Do not enable the persistent volume in the Tails welcome window.

  2. Select Applications → Tails → Delete persistent volume.

  3. Click Delete.

This can be useful for deleting all files stored on a persistent volume in a single action. Later, you can create a new permanent storage on the same USB flash drive without having to reinstall Tails.

Secure removal of persistent storage

The previous method does not prevent an attacker from recovering files from the old persistent storage using data recovery techniques. To reliably remove the persistent partition, run Tails from another USB flash drive or DVD and perform the following operations on the USB flash drive whose persistent storage you want to delete securely:

  1. Format the USB flash drive and create a single encrypted partition on the entire USB drive. This step will remove both Tails and the persistent volume.

  2. Safely clean up all available disk space on this new encrypted partition.

  3. Reinstall Tails to this USB drive.

  4. Run Tails from a USB flash drive and create a new persistent volume.
