
Running Tails OS with Encrypted Persistence on Unraid as a virtual machine

This guide explains how to set up a Tails OS virtual machine (VM) within Unraid, enabling the persistent storage feature.

Important Considerations Before Starting

While running Tails in a VM isn’t generally advised due to potential security compromises, certain situations might justify it. However, it’s crucial to understand the security implications involved. Virtualization necessitates trusting the hypervisor, which possesses elevated privileges that could impact the security and privacy of your VM.

For a comprehensive understanding of virtualization-related security concerns, refer to Tails’ official documentation: https://tails.boum.org/doc/advanced_topics/virtualization/

Situations where this setup might be advantageous include tasks requiring heightened anonymity. Examples include managing cryptocurrency wallets or minimizing your digital footprint across the internet.

Creating a Bootable Tails USB Drive

The first step involves creating a bootable Tails USB drive. This drive needs to be connected to your Unraid server whenever you intend to use the Tails VM. If persistence isn’t a requirement, you can bypass this step.

Detailed instructions on creating a bootable Tails USB drive can be found on the official Tails website: https://tails.boum.org/install/index.en.html

This guide utilizes a Sony USB drive, specifically chosen from the list of recommended drives by Unraid developers (https://wiki.unraid.net/USB_Flash_Drive_Preparation). Additionally, this guide uses Tails version 4.26.

Connecting the USB Drive to Unraid

After connecting the USB drive to your Unraid server, open a shell on the server over SSH or through the Unraid GUI’s terminal, then run the command ls -lha /dev/disk/by-id/ to list the connected drives.

Locate your USB drive’s full path in the output, making sure you select the whole-disk entry, not one with a “-part1” or similar partition suffix. It should resemble: /dev/disk/by-id/usb-_USB_DISK_3.0_xxxxxxxxxxxxxxxxxx-0:0.

In cases where multiple USB drives are connected (including the one Unraid boots from), use contextual clues like brand names or unplug the Tails USB temporarily to pinpoint the correct drive.
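
The drive selection described above can be scripted. The following is an added example, not part of the original guide: it lists only whole-disk USB entries and flags the one backing /boot. It assumes Unraid mounts its boot flash at /boot; the function name list_usb_disks is hypothetical.

```sh
#!/bin/sh
# Added example: pick the Tails USB from /dev/disk/by-id without
# confusing it with a partition entry or with the Unraid boot flash.
# Assumption: Unraid mounts its boot flash drive at /boot.

# list_usb_disks [BY_ID_DIR] [MOUNTS_FILE]
# Prints one line per whole USB disk:
#   <by-id path> -> <kernel device> [UNRAID-BOOT, do not pass through]
list_usb_disks() (
    dir="${1:-/dev/disk/by-id}"
    mounts="${2:-/proc/mounts}"

    # Source device of the /boot mount, e.g. /dev/sda1 (empty if none).
    boot_src=$(awk '$2 == "/boot" { print $1; exit }' "$mounts" 2>/dev/null || true)

    for link in "$dir"/usb-*; do
        # An unmatched glob stays literal; skip anything that is not a symlink.
        [ -L "$link" ] || continue

        # Skip partition entries such as ...-0:0-part1.
        case "${link##*/}" in
            *-part[0-9]*) continue ;;
        esac

        # Resolve the by-id symlink to the kernel device (e.g. /dev/sdb).
        dev=$(readlink -f "$link")

        # The boot flash matches when /boot is mounted from this disk
        # itself or from one of its numbered partitions.
        case "$boot_src" in
            "$dev"|"$dev"[0-9]*)
                echo "$link -> $dev [UNRAID-BOOT, do not pass through]" ;;
            *)
                echo "$link -> $dev" ;;
        esac
    done
)

# With no arguments this inspects the live system.
list_usb_disks "$@"
```

Any line without the UNRAID-BOOT marker is a candidate for the “Primary vDisk Location”; if more than one remains, unplugging the Tails USB and rerunning shows which entry disappears.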

Creating the Tails VM

Navigate to Unraid’s VM manager and select “ADD VM.” Choose “Linux” as the operating system. Configure the CPU core assignment and RAM allocation according to your needs. Set the “Machine” to “i440fx-6.1”, “Bios” to “SeaBIOS”, and “USB Controller” to “2.0 (EHCI).”

For the “Primary vDisk Location,” choose “Manual” and input the USB path identified earlier (e.g., /dev/disk/by-id/usb-_USB_DISK_3.0_xxxxxxxxxxxxxxxxxx-0:0). The “2nd vDisk Location” represents your persistent storage disk; either let Unraid manage it (“Auto”) or define it yourself. Set the “2nd vDisk BUS” to “VirtIO.” For networking, select a suitable Network Bridge. Routing this bridge through a VPN for enhanced anonymity is recommended. Save the VM configuration, but do not start it yet.

Launching the VM

From Unraid’s VM Manager, start your newly created VM. As soon as it becomes available, swiftly select “VNC Remote.” Once the VM starts loading, press the “Tab” key to access boot options.

In the boot options menu, delete the “live-media=removable” and “nopersistence” options using the arrow keys, Backspace, or Delete. This step needs to be repeated every time the VM restarts. While permanent solutions likely exist, they are beyond this guide’s scope.

After removing the boot options, press “Enter” twice to boot into Tails.

Setting Up Persistence

On the Tails welcome screen, choose “Start Tails,” followed by “Applications” > “Configure persistent volume.” The 2nd vDisk you defined earlier should be automatically selected. Proceed with the on-screen instructions to format the volume, create a strong encryption password, and save your settings.

Restart Tails, ensuring you repeat the steps to remove the specific boot options as outlined earlier. Upon successful boot, the welcome screen will now feature an “Encrypted Persistent Storage” section. Enter your encryption password and click “Unlock” to access your persistent Tails environment within Unraid.

Conclusion

With these steps, you’ve successfully configured a Tails VM on your Unraid server with encrypted persistent storage. Remember that while this setup offers enhanced privacy and anonymity, it’s crucial to be aware of the security considerations inherent in running Tails within a virtualized environment.

Licensed under CC BY-NC-SA 4.0