Basic Tails Setup
The following mini-guide will take you down the path to a basic Tails install with one important extra feature: support for offline USB HSM use.
Requirements
- An hour or two of free time
- An 8GB+ USB drive
- A working computer
- Internet access
Getting Tails
Here you have two choices, both described in detail in the Tails installation documentation, which boil down to:
- Clone Tails from someone you trust who already has a Tails install, or
- Download, verify, and flash your own USB drive
HSM Support
Once you have a base Tails install the rest is quite simple.
- Boot your new Tails USB
- Connect to Tor
- Hit Super and start typing "Configure persistent volume"
- Create your passphrase to encrypt the persistent storage volume
- Click the Create button
- When the feature list appears, enable "Additional Software"
- Reboot
- Unlock your persistent storage in the Welcome Screen
- Under "Additional Settings" on the Welcome Screen expand the options and choose "Administration Password"
- Connect to Tor
- Open a terminal and run
sudo apt update && sudo apt --yes install opensc libengine-pkcs11-openssl
- Tails will update and ask if you want to persist this Additional Software. Tell it yes, you want the additional software available every time you unlock your Persistent Storage
At this point, if you reboot and unlock your persistent storage your Tails system will be able to use any USB HSM supported by OpenSC. Installation of software from the persistent storage does not require an administration password, and for added security it is probably best to avoid setting one unless your workflow requires administrative rights for some reason. After your software finishes installing from persistent storage you are ready to use your HSM directly with tools like:
- pkcs11-tool
- pkcs15-tool
- openssl utilities with -engine pkcs11
Signing Example
# Here 20 is the key ID of a signing key on a Nitrokey HSM 2
amnesia@amnesia:~$ openssl dgst -engine pkcs11 -keyform e -sign 20 -out special.sig special.img
engine "pkcs11" set
Enter PKCS#11 token PIN for UserPIN (MY-MAGIC-KEY):
# And now to verify the resulting signature
amnesia@amnesia:~$ openssl dgst -engine pkcs11 -keyform e -verify 20 -signature special.sig special.img
engine "pkcs11" set
Verified OK
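A follow-on to the signing example, added here and not part of the original guide: the verify step above still needs the token plugged in, but a detached signature only needs the public half of the key, so it can be checked on any machine with plain openssl and no engine. The script exports the public key of key ID 20 with pkcs11-tool (assumed to be written as DER SubjectPublicKeyInfo, which openssl pkey converts to PEM) and then verifies the signature without the HSM; the key ID, file names and sha256 digest are assumptions matching the session above.

```shell
#!/bin/sh
# Added example (not from the original guide): verify an HSM-made signature
# on a machine without the HSM, using only the exported public key.
set -eu

KEY_ID="${KEY_ID:-20}"   # assumed: key ID of the signing key on the token

# Step 1 (run on the Tails box with the token present): export the public
# half of key $KEY_ID. pkcs11-tool writes DER; convert it to PEM for openssl.
export_pubkey() {
    out="$1"
    tmp="$(mktemp)"
    pkcs11-tool --read-object --type pubkey --id "$KEY_ID" --output-file "$tmp"
    openssl pkey -pubin -inform DER -in "$tmp" -out "$out"
    rm -f "$tmp"
}

# Step 2 (run anywhere, no engine, no token): check the detached signature.
# Exit status 0 means "Verified OK". The digest must match what the signer
# used; sha256 is what openssl dgst -sign uses by default on current releases.
verify_detached() {
    pubkey="$1"; sig="$2"; file="$3"; digest="${4:-sha256}"
    openssl dgst "-$digest" -verify "$pubkey" -signature "$sig" "$file" \
        >/dev/null 2>&1
}

# Sanity check for the verifier itself: a copy of the image with one extra
# byte appended must NOT verify. Returns 0 when the tampered copy is rejected.
verify_tampered_copy_fails() {
    pubkey="$1"; sig="$2"; file="$3"
    tampered="$(mktemp)"
    cp "$file" "$tampered"
    printf '\0' >> "$tampered"
    if verify_detached "$pubkey" "$sig" "$tampered"; then
        rm -f "$tampered"; return 1
    fi
    rm -f "$tampered"; return 0
}

# Usage: sh verify_hsm_sig.sh pubkey.pem special.sig special.img
if [ "$#" -eq 3 ]; then
    if verify_detached "$1" "$2" "$3"; then
        echo "Verified OK"
    else
        echo "Verification Failure"; exit 1
    fi
fi
```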