
nihilist@mainpc - 2024-10-03

Tails OS QEMU VM for Temporary Sensitive Use

In this tutorial we're going to look at how you can run Tails OS (The Amnesic Incognito Linux System) in a QEMU VM, following the official documentation here.

Tails OS is suitable for short-term sensitive use thanks to its default live mode: the entire OS is loaded into memory, and upon shutting down the OS, every forensic trace of what you were doing is completely erased from it. There are no disk writes at all by default (unless you use the persistent storage, which is not suitable for sensitive use because, unlike Veracrypt, it is not deniable encryption).

OPSEC Recommendations:

  1. Hardware : (Personal Computer / Laptop)

  2. Host OS: Linux

  3. Hypervisor: libvirtd QEMU/KVM

  4. Application: Host-based VPN (if your ISP doesn't allow Tor traffic)

I recommend using this setup for Anonymous use if you store anything in the persistent storage, or for short-term Sensitive use if you are not storing anything sensitive in the persistent storage, as per the 4 basic OPSEC levels.

Sidenote: If your ISP does not allow Tor traffic, make sure that you route the QEMU VM's traffic through a VPN, to hide the Tor traffic from your ISP (a You -> VPN -> Tor setup).

Tails Setup

First we download Tails OS as a USB image here:

Then we resize the image so that it can contain persistent storage (in this case, I'll make it 8GB):


[ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos]
→ ls tails-amd64-6.3.img -lash
1.4G -rw-r--r-- 1 nihilist nihilist 1.4G Jun 14 10:15 tails-amd64-6.3.img

[ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos]
→ truncate -s 8192M tails-amd64-6.3.img 	

And now we can create the VM in virt-manager like so:
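
The resize and VM-creation steps as a script, added here as an example and not part of the original tutorial: `grow_image` refuses a target smaller than the file (where `truncate` would cut the image off), and `create_tails_vm` is a command-line counterpart to the virt-manager dialog. The VM name `tails`, the `DRY_RUN` switch and the removable USB disk attachment are assumptions; memory, vCPU count and machine type mirror the neofetch output further down.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial. The VM name "tails" and the
# DRY_RUN switch are hypothetical; 4096 MiB / 2 vCPUs / q35 mirror the
# neofetch output shown later on this page.

# grow_image FILE SIZE_MIB
# Extend FILE to SIZE_MIB MiB. truncate(1) silently cuts data off when the
# target is smaller than the file, so refuse anything that would shrink it.
grow_image() {
    local img=$1 target_mib=$2 cur target
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    cur=$(stat -c %s "$img")              # apparent size in bytes
    target=$((target_mib * 1024 * 1024))
    if [ "$target" -lt "$cur" ]; then
        echo "refusing to shrink $img: $cur -> $target bytes" >&2
        return 1
    fi
    truncate -s "$target" "$img"          # the added space is a sparse hole
}

# allocated_kib FILE
# KiB the file really occupies on the host disk (less than its apparent
# size while the added space is still unwritten).
allocated_kib() {
    du -k "$1" | cut -f1
}

# create_tails_vm FILE
# Import FILE (absolute path) into libvirt as a removable USB disk, which is
# an assumption about what the virt-manager dialog was set to.
# With DRY_RUN=1 the command is printed instead of executed.
create_tails_vm() {
    local img=$1
    ${DRY_RUN:+echo} virt-install \
        --connect qemu:///system \
        --name tails \
        --memory 4096 --vcpus 2 --machine q35 \
        --import \
        --disk "path=$img,format=raw,bus=usb,removable=on" \
        --os-variant generic \
        --network network=default \
        --noautoconsole
}

# Usage, with the file from this tutorial:
#   grow_image "$PWD/tails-amd64-6.3.img" 8192
#   DRY_RUN=1 create_tails_vm "$PWD/tails-amd64-6.3.img"
```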

Then press Enter to launch Tails:

(wait a few seconds for it to load)

Once in there, depending on your use, you can select to have an admin password and a persistent storage if you need it. Otherwise everything you do in the VM will be wiped clean upon shutdown (hence the word amnesic).

Then we select "Connect to Tor automatically":

And here we click to start the Tor Browser to browse the web anonymously, and if you're curious and want to see the Tor circuits, you can view them as well:

Persistent Storage Setup



Next, if you want to enable the persistent storage, go there:

Make sure you enter a strong password that can't be bruteforced easily:

Then hit "create persistent storage" and wait a bit for the operation to complete:

Then adjust the settings as per your liking, if you want the persistent storage to store more than it does by default:

Then if you want to install additional software you can launch a terminal:

Then from there you can use sudo because you enabled the administrator password, and install software:


amnesia@amnesia:~$ sudo apt update -y ; sudo apt install neofetch -y 
[sudo] password for amnesia:          
Get:1 tor+https://cdn-fastly.deb.debian.org/debian bookworm InRelease [151 kB] 
Get:2 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bookworm InRelease [3,526 B]
Get:3 tor+https://cdn-fastly.deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]

[...]

Then, once the software is installed, you have the possibility to store it in the persistent storage as well, so that it is available when you launch Tails again:


amnesia@amnesia:~$ neofetch
      ``                        amnesia@amnesia 
  ./yhNh                        --------------- 
syy/Nshh         `:o/           OS: Tails x86_64 
N:dsNshh  █   `ohNMMd           Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-9.0) 
N-/+Nshh      `yMMMMd           Kernel: 6.1.0-21-amd64 
N-yhMshh       yMMMMd           Uptime: 13 mins 
N-s:hshh  █    yMMMMd so//.     Packages: 1854 (dpkg) 
N-oyNsyh       yMMMMd d  Mms.   Shell: bash 5.2.15 
N:hohhhd:.     yMMMMd  syMMM+   Resolution: 1280x800 
Nsyh+-..+y+-   yMMMMd   :mMM+   DE: GNOME 43.9 
+hy-      -ss/`yMMMM     `+d+   WM: Mutter 
  :sy/.     ./yNMMMMm      ``   WM Theme: Adwaita 
    .+ys- `:+hNMMMMMMy/`        Theme: Adwaita [GTK2/3] 
      `hNmmMMMMMMMMMMMMdo.      Icons: Adwaita [GTK2/3] 
       dMMMMMMMMMMMMMMMMMNh:    Terminal: gnome-terminal 
       +hMMMMMMMMMMMMMMMMMmy.   CPU: 11th Gen Intel i7-11700K (2) @ 3.600GHz 
         -oNMMMMMMMMMMmy+.`     GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU 
           `:yNMMMds/.`         Memory: 1313MiB / 3915MiB 
              .//`
                                                        

And that's it! We managed to run Tails OS from a QEMU VM and install some software into the persistent storage.

Deniability Context



Now suppose you are living in a country where using Tails OS and Tor is not going to be a reason to immediately throw you in jail. The adversary is busting down your door while you are browsing a sensitive website with it, and you want to make sure that there is no incriminating evidence to be found against you when the adversary seizes your computer.

Reminder: this is only for temporary sensitive use. Do not save anything sensitive in the persistent storage, because otherwise the adversary can force you to unlock it to reveal the contents.

All you need to do is shut down the VM, and every forensic trace of what you were doing in it gets immediately erased from memory, as if there was nothing there to begin with, effectively leaving the adversary empty-handed with no incriminating evidence to use against you in court.

And that's it! You now have a dedicated VM for your temporary sensitive uses.


Creative Commons Zero: No Rights Reserved


Contact: nihilist@contact.nowhere.moe (PGP)