Tails OS Guide: Install, Configure, and Use It

For a session that must vanish on shutdown, an amnesic live OS is the practical default. Tails routes every connection through Tor, boots from read-only media, and scrubs RAM on power-off. Nothing else mainstream matches that ephemeral threat model.

This guide covers Tails 6.x (released January 2024), the current stable release as of this writing. The process takes under 30 minutes if you have the hardware ready.

What Tails Is — Amnesic Live OS Routed Through Tor

Tails stands for "The Amnesic Incognito Live System." It runs entirely from a USB drive, leaving no forensic trace on the host machine. RAM is wiped on shutdown (via an emergency wipe procedure that overwrites memory before power-off). All internet traffic — including DNS — routes through the Tor network, by design and by default. There's no configuration switch that accidentally bypasses Tor.

The amnesic property is Tails' core security guarantee. Any documents you open, sites you visit, accounts you access, and files you create during a session don't exist after you shut down — unless you explicitly save them to Persistent Storage (covered in Step 4).

Tails is built on Debian GNU/Linux. It ships with Tor Browser, Thunderbird (pre-configured with Enigmail for PGP), KeePassXC, OnionShare, and a handful of other privacy tools. Everything that isn't essential is stripped out to reduce the attack surface.

We recommend Tails for ephemeral high-risk sessions: contacting sources, accessing sensitive documents, operating a pseudonymous identity from an untrusted machine, or any task where leaving no trace is the priority.

Step 1: Verify the Download from tails.net

Go to tails.net — this is the official domain. Not tails.boum.org (the old domain, now redirects), not any mirror you haven't verified.

Download the USB image (.img file) for your architecture (x86-64 for most hardware). The current size is approximately 1.4 GB.

PGP signature verification is not optional. Tails provides a signing key and a .sig file alongside every release. The verification process confirms you downloaded the real Tails image and not a tampered substitute.

# Import the Tails signing key
gpg --import tails-signing.key

# Verify the image
gpg --verify tails-amd64-6.x.img.sig tails-amd64-6.x.img

A valid signature returns: Good signature from "Tails developers tails at boum.org". If you see any other result, stop and re-download from the official site.

Tails also offers a browser extension that automates this check. Either method works; manual PGP verification is more instructive and teaches a process you'll reuse for PGP encryption generally.

Step 2: Flash a USB Stick (8 GB Minimum)

You need a USB stick of at least 8 GB. USB 3.0 sticks boot noticeably faster than USB 2.0; the difference is several minutes on a cold boot.

The recommended flashing tools are:

Etcher (Balena Etcher) — cross-platform GUI, difficult to misuse
dd on Linux/macOS — faster, command-line only

# macOS/Linux dd method (replace /dev/disk2 with your actual device)
sudo dd if=tails-amd64-6.x.img of=/dev/disk2 bs=16M status=progress

On Windows, use Rufus in DD image mode (not ISO mode — that will not work for Tails).

The flash takes 5–15 minutes depending on USB speed. Once done, don't copy anything to the USB while booted into your normal OS — the Tails partition layout is not a standard filesystem and modifications can corrupt the installation.

Step 3: Boot from USB and First-Launch Checklist

Shut down the host machine. Insert the Tails USB. Boot from it via the BIOS/UEFI boot menu — typically F12, F2, Esc, or Del on startup depending on the manufacturer.

Tails will present a Greeter screen before the desktop loads. From here you can:

Set a temporary administrator password (optional, needed for some advanced tasks)
Enable a MAC address spoof (on by default — keeps your hardware identifier from appearing on the local network)
Connect to Wi-Fi (or Tor bridges if direct Tor is blocked)

First-launch checklist:

Tor is connected (check the onion icon in the top bar)
Tor Browser opens and displays the Tor check page (check.torproject.org)
No personal accounts logged in anywhere
You're aware that anything not saved to Persistent Storage will not exist after shutdown

Step 4: Persistent Storage — When and Why (and When Not)

Tails' amnesic nature is its strongest security property. Persistent Storage weakens it deliberately, in exchange for usability.

You can create an encrypted Persistent Storage partition on the Tails USB for:

Saved files and documents
Browser bookmarks
PGP keys (Kleopatra/GnuPG)
Wi-Fi passwords
Additional software installed via APT

The encryption is strong (LUKS with a passphrase you set). If your USB is seized, the Persistent Storage content is inaccessible without the passphrase.

When not to use Persistent Storage: if your threat model includes an adversary who could compel you to unlock the volume (rubber-hose cryptanalysis), or if the session is truly one-time and ephemeral. For one-off source-contact sessions, don't create Persistent Storage at all — there's nothing to compel.

Enable Persistent Storage via: Applications → Tails → Persistent Storage. Set a strong passphrase. Select which categories to persist (we recommend starting with just "Personal Data" and adding others only as needed).

Step 5: Working Without Trace

Everything in a Tails session that isn't saved to Persistent Storage disappears on shutdown. That's the point. But "without trace" requires a few additional habits:

Use only Tor Browser for web access. Opening Firefox or another browser (if somehow available) can bypass Tor.
Don't open documents in network-connected applications. LibreOffice can be set to call home or phone out for templates. Open documents from Persistent Storage offline, or use the Metadata Cleaner built into Tails.
Use OnionShare for file transfer. Tails includes OnionShare, which creates a temporary .onion address to share files without a third-party server.
Disable JavaScript where the threat model requires it. Tor Browser's safest security level disables JavaScript entirely. High-risk users (especially those worried about browser exploits) should default to this.
Sign and encrypt communications. Tails includes Thunderbird with OpenPGP support. For high-sensitivity email, use it.

Step 6: Update Tails (In-Place Upgrade Flow)

Tails checks for updates automatically each time you connect to Tor. When an update is available, a notification appears in the top bar. Apply it.

Updates in Tails 6.x use an automatic incremental upgrade mechanism — you don't need to re-flash the USB for minor updates. The process takes a few minutes and requires a working Tor connection.

For major version upgrades (e.g., Tails 5.x → 6.x), a manual reflash from a new image download may be required. Verify the new image with the same PGP process as the initial install.

Running an outdated Tails is a real risk. The OS is specifically designed to be updated regularly — security patches are the entire point.

When Tails Is Wrong

Tails is not the right tool for every situation. It's a poor fit when:

You need persistent state across sessions. Tails is designed to forget. If your work requires long-running processes, saved configurations, or persistent anonymous identities, Whonix or Whonix-on-Qubes is better suited.
You're storing large files. Persistent Storage on a USB drive is slow and size-limited. For large research archives, a dedicated encrypted drive or a vault qube in Qubes is more practical.
You need software not in Tails' repository. Additional packages can be installed per-session or persisted, but Tails' APT access is limited to its own curated repo plus Debian Stable. Specialized tools may not be available or may not play well with Tails' security configurations.
Your hardware doesn't support USB booting. Some enterprise machines and locked-down corporate laptops restrict USB boot. Check this before relying on Tails for a high-stakes session.

Threat Model — Tails OS

Tails addresses a specific and well-defined threat model: an adversary who has physical access to your hardware after the session, or forensic access to your machine. The amnesic property means there's nothing to find.

It also addresses network-level adversaries who monitor traffic — all connections go through Tor, so an ISP or local network observer sees Tor traffic, not clearnet destinations.

Tails does not protect against: an adversary who controls the Tor exit node and the destination server simultaneously (end-to-end correlation), a compromised BIOS or hardware-level implant, or mistakes made by the user (logging into a real-identity account, leaving metadata in files).

Your threat model determines whether those residual risks are acceptable.

Frequently Asked Questions

Can Tails be detected on a network?

An observer watching your network traffic can see that you're connecting to Tor (unless you use Tor bridges to obfuscate this). They can't see what you're doing inside Tor. If "connecting to Tor" is itself a problem in your jurisdiction, use bridges — Tails supports obfs4 and Snowflake bridge protocols from the Tor Connection assistant at startup.

Is Tails safe on a computer I don't own?

Largely yes, which is part of its value. Tails doesn't write to the host machine's disk or memory (beyond RAM used during the session, which is wiped). A keylogger or screen recorder running on the host OS would not be running in Tails — Tails replaces the running OS for the duration of the session. Hardware keyloggers (physical devices between keyboard and machine) remain a risk.

Do I need to be a Linux expert to use Tails?

No. The Tails desktop is GNOME, with a standard taskbar and application menu. Tor Browser works like any browser. The installation process is straightforward with Etcher. Advanced use — configuring bridges, managing PGP keys, using the command line — requires more technical knowledge, but basic anonymous browsing doesn't.

Can Tails be used alongside a VPN?

Tails deliberately routes through Tor and is designed to make VPN use complex by design. Adding a VPN before Tor (VPN → Tor) changes what your ISP sees; adding one after (Tor → VPN) defeats much of Tor's anonymity for the VPN provider. The Tor Project explicitly doesn't recommend VPNs with Tor for most use cases. Trust Tails' default routing.