Safe System
Kubuntu is the daily driver. It is well-configured, encrypted, and backed up. For most tasks it is the right tool. But there are a handful of situations where a persistent operating system, however well secured, is not appropriate.
Managing the offline root CA key material. Working with highly sensitive documents on an unfamiliar machine. Accessing accounts from a network you do not control. Situations where you need certainty that nothing persists after the session ends, that all traffic goes through Tor, and that the operating system itself has not been compromised.
For these, Tails is the right tool. It is a complete Linux desktop bootable from a USB drive. Every session starts from a known-good state. Nothing is written to the host machine’s storage. When you remove the USB drive and power off, the session is gone.
What Tails is for in this setup
In the context of this series, Tails has one primary use: managing the offline root CA key material. The root CA private key, generated in the CA section of this series, should never touch a network-connected machine. Tails booted from a USB drive with networking disabled is the correct environment for root CA operations. Sign intermediate CA certificates, generate revocation certificates, update the CRL: do these things in Tails, then power off. The key material stays on the encrypted offline storage. The session leaves no trace.
Secondary uses include accessing accounts from untrusted networks, working with sensitive documents that should not touch persistent storage, and any situation where you want a clean browser session with no history, cookies, or local state.
What this section covers
- Downloading and verifying the current Tails image
- Creating a Tails USB drive from Kubuntu
- First boot and initial configuration
- Persistent storage (what it is and when to use it)
- Using Tails for root CA operations
Downloading Tails
Always download Tails from the official website:
https://tails.boum.org/install/
The current stable version as of writing is Tails 6.x. Download the USB image (.img) rather than the ISO. The USB image is the correct format for creating a bootable USB drive on Linux.
Download both the image file and the accompanying signature file from the same page.
Verifying the image
Tails images are signed with a dedicated signing key. Verifying the signature before writing the image confirms it has not been tampered with in transit.
Import the Tails signing key:
wget -q https://tails.boum.org/tails-signing.key -O /tmp/tails-signing.key
gpg --import /tmp/tails-signing.key
The Tails signing key is signed by multiple Debian developers. Since Kubuntu is based on Debian via Ubuntu, you may already have some of those signing keys. Install the Debian keyring for additional trust anchors:
sudo apt install debian-keyring
gpg --import /usr/share/keyrings/debian-keyring.gpg
Verify the Tails signing key is signed by trusted Debian developers:
gpg --keyid-format 0xlong --check-sigs \
"Tails developers (offline long-term identity key)"
Look for signatures from Debian developers you recognise in the output. The more cross-signatures from trusted parties, the stronger the assurance.
Now verify the image itself:
cd ~/Downloads
gpg --verify tails-amd64-*.img.sig tails-amd64-*.img
A successful verification shows:
gpg: Good signature from "Tails developers (offline long-term identity key)"
Any output other than Good signature means the image should not be used. Download again from a different mirror and verify again before proceeding. Note that a Good signature line may be followed by a WARNING that the key is not certified with a trusted signature: the signature itself is still valid, and the warning only says that your own keyring has not marked the Tails key as trusted, which is the question the cross-signature check above helps you answer.
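Grepping for the words Good signature is brittle: it accepts a good signature from any key in your keyring, and the wording differs between locales. The script below is an added example, not code from the page or from the Tails project. It reads gpg's machine-readable status lines instead and additionally requires that the signature was made by a specific fingerprint. It assumes gpg is installed and the Tails signing key was imported as described above; EXPECTED_FPR is a placeholder that you fill in with the fingerprint published on the Tails website.

```shell
#!/bin/sh
# Added example, not code from the page or from the Tails project: verify the
# downloaded image using gpg's machine-readable status lines rather than
# grepping the human-readable "Good signature" text, and additionally require
# that the signature was made by the expected Tails key fingerprint.
#
# Assumptions: gpg is installed and the Tails signing key has been imported as
# described above. EXPECTED_FPR is a placeholder: fill it with the fingerprint
# published on the Tails website (40 hex digits, no spaces, upper case).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_TAILS_WEBSITE}"

# judge_status: read "[GNUPG:] ..." status lines on stdin.
# Returns 0 only when gpg reported GOODSIG and a VALIDSIG whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals $1.
# Tails signs with a subkey, so the fingerprint the website publishes is the
# primary key's; checking both fields accepts either form.
judge_status() {
    expected="$1"
    good=0; valid=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    valid=1
                fi ;;
            # Any of these makes the signature unacceptable, whatever else was printed
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# verify_image: run gpg on the detached signature for an image file.
# $1 = image path, $2 = signature path (defaults to "$1.sig")
verify_image() {
    img="$1"; sig="${2:-$1.sig}"
    [ -f "$img" ] || { echo "missing image: $img" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature: $sig" >&2; return 2; }
    # --status-fd 1 puts the status lines on stdout for judge_status;
    # the human-readable report still goes to stderr, so you see it in the terminal
    if gpg --status-fd 1 --verify "$sig" "$img" | judge_status "$EXPECTED_FPR"; then
        echo "OK: $img is signed by the expected Tails key"
    else
        echo "REFUSE: $img failed verification; do not write it to a USB drive" >&2
        return 1
    fi
}

# Usage: sh verify-tails.sh --run ~/Downloads/tails-amd64-<version>.img
if [ "${1-}" = "--run" ]; then
    verify_image "$2"
fi
```

The EXPKEYSIG case is deliberate: gpg emits it instead of GOODSIG when the signature checks out but the signing key has expired, which is what you see when a stale copy of the Tails key is in your keyring. The script refuses that case rather than guessing; re-import the current key and verify again.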
Creating the USB drive
You need a USB drive of at least 8GB. Anything on it will be overwritten. Tails needs the full drive, not a partition.
Identify the USB drive device:
lsblk
Find the device corresponding to your USB drive. It will be something like /dev/sdb or /dev/sdc. Be absolutely certain of the device name before the next step. Writing to the wrong device will overwrite whatever is there.
Write the image to the USB drive:
sudo dd if=tails-amd64-*.img of=/dev/sdX bs=4M conv=fsync status=progress
Replace /dev/sdX with your actual device. Do not use a partition path like /dev/sdb1, use the whole device path /dev/sdb.
The write will take a few minutes depending on USB drive speed. The status=progress flag shows transfer progress.
Alternatively, use GNOME Disks or KDE’s Disk Manager to restore the image to the USB drive if you prefer a graphical approach. Both offer a “Restore disk image” option that does the same thing safely.
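The dd step is the one place in this procedure where a typo destroys data. The wrapper below is an added example, not code from the page or from Tails: it refuses to write unless the target is a removable whole-disk device of sufficient size with nothing on it mounted, makes you type the device path back, and compares the drive against the image after writing. It assumes util-linux lsblk and GNU cmp, which Kubuntu ships; the size threshold is my own choice, a little under 8,000,000,000 bytes because marketed 8GB sticks often report slightly less.

```shell
#!/bin/sh
# Added example, not code from the page or from Tails: a guarded wrapper around
# the dd command above. It refuses to write unless the target is a removable
# whole-disk device of roughly 8GB or more with nothing on it mounted, then
# asks for the device path to be typed back before running dd.
# Assumes util-linux lsblk and GNU cmp, as shipped on Kubuntu.

# Marketed 8GB sticks can report a little under 8,000,000,000 bytes, so allow
# some slack (my threshold, not the page's).
MIN_BYTES=$((7500 * 1000 * 1000))

# judge_target: decide from lsblk-style fields whether a device may be overwritten.
# $1 = TYPE (disk, part, ...)   $2 = RM flag (1 = removable)
# $3 = size in bytes            $4 = mountpoints of the device or its partitions ("" if none)
# Returns 0 when safe; otherwise prints the reason and returns 1.
judge_target() {
    case "$1" in
        disk) ;;
        *) echo "not a whole disk (TYPE=$1): use /dev/sdX, not a partition"; return 1 ;;
    esac
    [ "$2" = "1" ] || { echo "not flagged removable: is this really the USB drive?"; return 1; }
    [ "$3" -ge "$MIN_BYTES" ] || { echo "too small for Tails ($3 bytes)"; return 1; }
    [ -z "$4" ] || { echo "something on it is mounted: $4"; return 1; }
    return 0
}

# write_image: collect the fields for a real device, apply the checks, confirm, write, read back.
# $1 = image path   $2 = device path such as /dev/sdb
write_image() {
    img="$1"; dev="$2"
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 2; }
    # tr strips the column padding lsblk adds to single-column output
    devtype=$(lsblk -dno TYPE "$dev" | tr -d ' ')
    removable=$(lsblk -dno RM "$dev" | tr -d ' ')
    size=$(lsblk -dnbo SIZE "$dev" | tr -d ' ')
    # Without -d, lsblk also lists the partitions, so a mounted partition blocks the write too
    mounts=$(lsblk -no MOUNTPOINT "$dev" | tr -d ' \n')
    if ! reason=$(judge_target "$devtype" "$removable" "$size" "$mounts"); then
        echo "REFUSE $dev: $reason" >&2
        return 1
    fi
    printf 'This will erase %s (%s bytes). Type the device path to confirm: ' "$dev" "$size"
    read -r answer
    [ "$answer" = "$dev" ] || { echo "aborted" >&2; return 1; }
    sudo dd if="$img" of="$dev" bs=4M conv=fsync status=progress || return 1
    # Read back as many bytes as the image has and compare. This catches a short or
    # failed write; the data may come from the page cache, so it is not a media test.
    if sudo cmp -n "$(stat -c %s "$img")" "$img" "$dev"; then
        echo "written and read back identically: $dev"
    else
        echo "read-back differs from the image; do not boot from $dev" >&2
        return 1
    fi
}

# Usage: sh write-tails.sh --run ~/Downloads/tails-amd64-<version>.img /dev/sdX
if [ "${1-}" = "--run" ]; then
    write_image "$2" "$3"
fi
```

The checks are split out into judge_target so they can be exercised without a real device; the partition-versus-whole-disk check is the one that catches the /dev/sdb1 mistake the text warns about.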
First boot
Insert the Tails USB drive and boot from it. Most systems require pressing a key at startup to select the boot device: F12, F10, F2, or Escape are common depending on the manufacturer.
Tails boots into a welcome screen where you set the language, keyboard layout, and optionally configure additional settings before the desktop loads. For root CA operations, set the following before clicking Start Tails:
Under Additional Settings, enable the Disable all networking option. This ensures that no network connectivity is possible during the session, which is the correct state for offline CA operations.
The Tails desktop
Tails runs a modified GNOME desktop. The Tor Browser is the default browser. Thunderbird is included for mail. The desktop is intentionally minimal: it includes what is needed for privacy-sensitive tasks and nothing else.
For CA operations, the tools available are:
- GnuPG on the command line via the terminal (Kleopatra is not included)
- OpenSSL for certificate operations
- Nautilus for file management including the encrypted offline storage
Persistent storage
Tails offers an optional encrypted persistent storage partition on the same USB drive. This allows specific data to survive between sessions: GPG keys, browser bookmarks, application settings.
For most uses of Tails in this setup, persistent storage is not needed. The offline CA key material lives on a separate encrypted USB drive, not in Tails persistent storage. For a Tails drive used specifically for CA operations, keeping it entirely amnesic is the cleaner approach.
If you do want persistent storage for other uses, create it from the Tails welcome screen during setup. It is encrypted with a passphrase you set and is never accessible from the host operating system.
Using Tails for root CA operations
The root CA workflow in Tails is straightforward. The CA section of this series covers the actual certificate operations. The Tails-specific process is:
- Boot Tails with networking disabled
- Insert the encrypted offline storage USB drive containing the root CA key material
- Unlock the encrypted volume from Nautilus or the command line
- Perform the necessary CA operations: signing an intermediate CA certificate, generating a new CRL, revoking a certificate
- Copy the outputs (signed certificates, updated CRL) to a second USB drive for transfer to the network
- Unmount and remove the offline storage USB drive
- Power off Tails
The network-connected desktop never sees the root CA private key. The Tails session leaves no trace of the operation on the host machine. The key material goes back on the encrypted offline storage, which goes back into secure physical storage.
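The steps above are easy to get out of order under time pressure, and the copy-to-transfer-drive step is where a private key could accidentally leave the offline volume. The script below is an added example, not code from the page or from Tails. It runs the session in the order listed: it refuses to start while any network interface is up, unlocks the offline storage, opens a shell for the CA operations (the CA section covers those), then copies only public artefacts to the transfer drive and locks the volume again. The names are hypothetical: CA_DEV is the LUKS partition on the offline storage drive, CA_MNT its mount point, TRANSFER the already-mounted transfer drive, and $CA_MNT/outbox the directory the CA operations write their results to. It assumes an administration password was set on the Tails welcome screen so that sudo works.

```shell
#!/bin/sh
# Added example, not code from the page or from Tails: a wrapper for the Tails
# session steps above. It refuses to start while any network interface is up,
# unlocks the offline storage, drops into a shell for the CA operations (which
# the CA section of this series covers), then copies only public artefacts to
# the transfer drive and locks the volume again.
# Hypothetical names and paths: CA_DEV is the LUKS partition on the offline
# storage drive, CA_MNT its mount point, TRANSFER the mounted transfer drive,
# and $CA_MNT/outbox the directory the CA operations write their results to.
# Assumes an administration password was set on the Tails welcome screen so
# that sudo works.

CA_DEV="${CA_DEV:-/dev/sdb1}"
CA_MNT="${CA_MNT:-/media/amnesia/root-ca}"
TRANSFER="${TRANSFER:-/media/amnesia/transfer}"

# is_offline: 0 when no interface other than lo is up, i.e. Tails was started
# with networking disabled.
is_offline() {
    ! ip -o link show up | grep -qv ': lo:'
}

# is_exportable: 0 when the file may leave the offline volume.
# Private keys are refused by extension and, for PEM files, by content, so a
# key saved under a harmless-looking name is still caught.
is_exportable() {
    f="$1"
    case "$f" in
        *.key|*.p12|*.pfx) return 1 ;;
    esac
    if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
        return 1
    fi
    case "$f" in
        *.crt|*.pem|*.crl|*.csr) return 0 ;;
        *) return 1 ;;
    esac
}

# export_outputs: copy the exportable files in $1 to $2; report what was refused.
export_outputs() {
    src="$1"; dst="$2"; copied=0; refused=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if is_exportable "$f"; then
            cp -- "$f" "$dst"/ && copied=$((copied + 1))
        else
            echo "refused (stays on offline storage): $f" >&2
            refused=$((refused + 1))
        fi
    done
    echo "copied $copied file(s), refused $refused"
}

# run_session: the whole procedure, in the order the list above gives it.
run_session() {
    is_offline || { echo "a network interface is up; reboot Tails with networking disabled" >&2; return 1; }
    [ -d "$TRANSFER" ] || { echo "transfer drive not mounted at $TRANSFER" >&2; return 1; }
    sudo mkdir -p "$CA_MNT"
    sudo cryptsetup open "$CA_DEV" root-ca || return 1
    sudo mount /dev/mapper/root-ca "$CA_MNT" || { sudo cryptsetup close root-ca; return 1; }
    # The CA operations run as the Tails user, so the outbox must be writable by it
    sudo mkdir -p "$CA_MNT/outbox" && sudo chown "$(id -u)" "$CA_MNT/outbox"
    echo "offline storage unlocked at $CA_MNT; do the CA operations, put results in outbox, then exit this shell"
    (cd "$CA_MNT" && "${SHELL:-/bin/sh}")
    export_outputs "$CA_MNT/outbox" "$TRANSFER"
    sync
    sudo umount "$CA_MNT" && sudo cryptsetup close root-ca
    echo "offline storage locked; remove the drive, then power off Tails"
}

# Usage: sh ca-session.sh --run
if [ "${1-}" = "--run" ]; then
    run_session
fi
```

The export guard is intentionally an allowlist: anything that is not recognisably a certificate, CRL or CSR stays on the offline volume, and a PEM file containing a PRIVATE KEY block is refused regardless of its name.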
Keeping Tails updated
Tails releases regular updates, typically every four to six weeks. Security updates are critical.
Tails has a built-in upgrade mechanism. If you boot with networking enabled, Tails will notify you when an upgrade is available and can upgrade itself automatically.
For an offline CA Tails drive where networking is always disabled, check the Tails website periodically and recreate the USB drive from the latest image when a new version is released. The verification and dd process above is the same for updates.
Check the installed version from within a Tails session:
grep TAILS /etc/os-release
Tails is a tool for specific tasks, not an alternative to Kubuntu for everyday work. It lacks the configuration, extensions, and integration of a persistent desktop. Its value is precisely in what it does not have: persistent state, network access to untrusted hosts, and any record of what happened during the session. Use it for the tasks it is designed for and return to Kubuntu for everything else.