Tails and Qubes OS are two Linux-based operating systems (OS’s) that will be examined in this article. The aim is to better understand what they are all about, their installation and use, plus compare how they address concerns such as anonymity, privacy and security.
Tails is a portable operating system that protects against surveillance and censorship.tails.boum.org
The Amnesic Incognito Live System (Tails) has 4 main features:
- Avoid surveillance, censorship, advertising & viruses:
- Use of the Tor network to help protect online privacy.
- Your secure computer anywhere:
- Runs from a USB stick leaving no trace on the computer.
- Digital security toolbox:
- Includes applications for working on sensitive documents and communicating securely.
- Free software:
- Is Debian-based and hence open source so is free to download and be verified by independently.
How Tails works
Tails has 3 key aims regarding how it works:
- Leave no trace on the computer.
- Leave no trace on the internet.
- Software for freedom.
Each of these will be expanded in the following sections.
1) Leave no trace on the computer
Your secure computer anywhere
Tails runs from a USB stick or thumb drive plugged into a computer. When the computer boots up it runs the operating system on the plug-in device rather than the one installed on the hard drive. This effectively means you can carry your desktop around with you and plug it into any computer that you wish to use securely.
When Tails starts it loads from the same ‘clean slate’ each and every time. Upon shutdown no trace is left on the computer itself. This is due to Tails never writing anything to the hard disk and running purely from computer memory which is wiped upon shutdown.
Encrypted Persistent Storage
Some files and configuration information can be stored on the USB stick for persistence but these are encrypted. These can include documents, browser bookmarks, emails, and some software.
Digital security toolbox
A selection of apps are included with Tails for working on sensitive documents and to enable secure communications:
- Tor Browser + uBlock – for secure browsing & blocking ads.
- Thunderbird – for encrypted emails.
- KeePassXC – for password management.
- LibreOffice – word processor, spreadsheet, presentation, diagram and database apps.
- OnionShare – for secure file sharing.
2) Leave no trace on the internet
Tor for everything
All Internet interaction is carried out via the Tor network whilst using Tails. This means that the connection is both encrypted and made anonymous. Tor works by relaying traffic via 3 relay servers spread around the world and via different providers.
Avoid online surveillance & censorship
Tor prevents monitoring of your Internet connection and hides the websites you visit hence being unable to censor your activity.
Avoid tracking & change identity
Websites are prevented by Tor from learning your identity or location and can be accessed either anonymously or via a changed identity.
3) Software for freedom
Transparency to build trust
All of Tails’ code is open to public scrutiny and independent verification through it being open source.
Top security for free
Tails is a non-profit and open community which removes any barrier to take-up of their free software for safe use of a computer.
Sharing to be stronger
Tails’ foundations are solid due to being made up of Tor, Debian, GNOME desktop and more.
This section outlines some basic information and links regarding the installation and use of Tails.
Below is the minimum specification needed to run Tails:
- USB stick 8Gb or higher or recordable DVD.
- CMOS that supports boot from USB device or DVD drive.
- x86-64 compatible processor.
- 2 Gb or higher RAM.
Tails can be installed from macOS, Linux and Windows platforms either from scratch or by cloning another trusted installation. There are various methods and options for downloading the right image, using your chosen installation method, and performing an upgrade. Click here for details.
Installation instructions are available in English, German, Spanish, Farsi, Italian and Portuguese from the online Documentation. This document includes additional general information plus sections on:
- First steps with Tails
- Anonymous Internet
- Encryption & privacy
- Working on sensitive documents
- Advanced topics
Qubes OS is a free and open-source, security-oriented operating system for single-user desktop computing. Qubes OS leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes.qubes-os.org
Here are some of the key features of Qubes:
- Strong isolation:
- Isolates individual programs using virtualization so that they behave as if installed on separate physical machines.
- Multiple OS’s:
- Support for using different platforms at the same time including Debian, Fedora & MS Windows.
- Whonix integration:
- Run Tor system-wide using Whonix to provide anonymity.
- Open Source:
- Enables users to freely use, copy or modify Qubes OS.
How Qubes works
Qubes utilizes Virtual Machines (VM’s) or Qubes, which are powered by Xen, to run software programs. The programs are then isolated from each other which provides protection. Individual Qubes need permissions to access hardware such as cameras, microphones etc.
TemplateVM’s are created based on your chosen operating system. These are then used to create AppVM’s in which programs can run. The use of TemplateVM’s allows changes to settings or permissions to be made in one place then propagated to their AppVM’s.
Each Qube is protected by its own security and collectively they are controlled using the Qube Manager. From a security perspective the Qubes approach means that a virus, malware, hacking or exploit attack is limited to a single VM which significantly limits its scope. Once a Qube is closed then any traces of data or activity disappear.
In addition to the key features listed in the previous section, here are some more features of Qubes OS:
- Template system:
- The root file system is shared without sacrificing security using Templates that utilize VM’s.
- Disposable VM’s:
- Create disposable VM’s (Qubes) that self-destruct when shutdown to erase data from each session.
- Device isolation:
- Network cards and USB controllers are isolated for security purposes.
- Split GPG (GnuPG):
- Secure communication is facilitated by utilizing Split GPG to keep Private Keys safe.
- U2F proxy:
- Qubes “Universal 2nd Factor” proxy enables private use of your Two-Factor Authentication (2FA) devices.
Qubes brings all these features together to enable users to compartmentalize their online activity in a secure manner.
This section outlines some basic information and links regarding the installation and use of Qubes including software development.
Below is the minimum and recommended specifications needed to run Qubes OS:
- 64-bit Intel or AMD processor (aka x86_64, x64, AMD64).
- 4 Gb or higher RAM, ideally 16 Gb.
- 32 Gb or more free storage, ideally 128 Gb.
- Intel Integrated Graphics Processor (IGP) is recommended.
- Non-USB keyboard.
See here for more details.
Qubes has very specific notes and warnings that must be read prior to performing an installation. These can be found by referring to the Installation Guide.
The installation process involves the following main steps:
- Pre-installation – checking the hardware requirements and copying the downloaded ISO onto the installation medium.
- Installation – going through the GUI installation wizard steps:
- Boot screen
- Home screen
- Installation summary
- Software selection
- Installation destination
- Creating a user account
- Post-installation – this involves carrying out the initial setup.
- Next Steps – performing regular updates, monitoring Qubes Security Bulletings (QSB’s), and making regular backups.
Comprehensive documentation can be found here in English and covers the following topics:
- Product description, video tours, screenshots, FAQ’s, bug reporting, support & more.
- Project Security:
- Security alerts, FAQ’s, pack, bulletins, PGP keys & more.
- User Documentation:
- Choosing your hardware.
- Downloading, installing & upgrading Qubes.
- Common tasks.
- Managing operating systems within Qubes.
- Security in Qubes.
- Advanced configuration.
- Reference pages.
- Developer Documentation:
- General – FAQ’s, guidelines, feature tracker & more.
- Code – source, license, guidelines & signing.
- System – architecture, admin, networking & more.
- Services – file copying memory management, DisposableVM’s, secure comms & more.
- Debugging – Python code, test environment & more.
- Building – development workflow, building ISO’s, template configuration files & more.
- Releases – release notes, schedules & checklists.
- External Documentation:
- Operating system guidelines.
- Security guidelines.
- Privacy guidelines.
- Configuration guides.
- Customization guides.
- Building guides.
Tails vs Qubes OS
Both these operating systems share similar aims in providing anonymity, privacy and security to their users. They do however go about this using very different approaches.
Tails uses the live operating system approach in that nothing is installed on the host machine. The key advantage of this method is providing portability so that the user can be secure anywhere there is a computer. All the user needs to do is plug in the USB device or load the recordable DVD into the drive and boot up the computer.
Qubes takes the approach of installing an environment on a single machine which sacrifices portability unless the computer is a laptop. What it does gain, however, is allowing the user to access to software programs from different operating systems within the same desktop.
Tails focuses on all apps being secure and private whilst working with documents, accessing the Internet, and communicating with others. Qubes ensures that different apps or documents cannot interfere with each other in the event of them containing bugs, viruses, malware, being hacked or exploited. Tails is effectively more about prevention whilst Qubes is more about damage limitation.
Both operating systems ensure that no traces of activity remain on the computer once the user finishes using it or ends their task:
- Tails removes all traces from memory and leaves no data on the computer hard drive when shutdown.
- Qubes OS removes all traces from memory and the hard-drive when the AppVM is closed or disposed of.
Both operating systems do have the capability to provide some degree of secure data persistence.
Additionally both OS’s will be susceptible to performance issues unless run on computers with fast processors and plenty of RAM. With Tails this is due to being run from a USB stick or DVD whilst with Qubes this is due to the virtualization overhead of Xen.
Tails and Qubes OS are free so why not give both a test drive and see which you prefer and better meets your specific needs?
Do you have experience of using Tails or Qubes? Do you have a preference? If so please comment below.