Commit 2dc64638 authored by Tails developers's avatar Tails developers

doc: Create and use encrypted volumes

parent 8c5b9ab8
[[!meta title="Create and use encrypted volumes"]]
The simplest way to carry around the documents you want to use with Tails and
make sure that they haven't been accessed nor modified is to store them in an
encrypted volume: a dedicated partition on a USB stick or an external hard-disk.
Tails comes with utilities for LUKS, a standard for disk-encryption under Linux.
- The Gnome Disk Utility, allows you to create encrypted volumes
- The Gnome Desktop, allows you to open encrypted volumes
[[!toc levels=2]]
Create an encrypted partition
<h2 class="bullet-number-one">Open the Gnome Disk Utility</h2>
From the menu **Applications** → **System Tools** → **Disk Utility**.
[[!img disk_utility.png link=no alt="Disk Utility"]]
<h2 class="bullet-number-two">Identify your external storage device</h2>
The disk utility will list all the current storage devices on the left side of
the screen:
[[!img storage_devices_before.png link=no alt="List of storage devices"]]
**Plug in the external storage device** that you want to use.
A new device should appear in the list of storage devices. Click on it with the
[[!img storage_devices_after.png link=no alt="A new storage device appeared in
the list"]]
<h2 class="bullet-number-three">Format the device</h2>
Check that the description of the device on the right side of the screen
corresponds to your device: its brand, its size, etc.
[[!img device_info.png link=no alt="Drive description"]]
Click on **Format Drive** to erase all the existing partitions on the device.
If you're not sure, don't change the default option: *Master Boot Record*.
[[!img format_drive.png link=no alt="Format drive"]]
You will be prompted with a confirmation message.
[[!img are_you_sure.png link=no alt="Are you sure you want to format the
<h2 class="bullet-number-four">Create a new encrypted partition</h2>
Now the schema of the partitions in the middle of the screen shows an empty
[[!img empty_device.png link=no alt="Free 3.9 GB"]]
Click on **Create Partition**.
A window with options to configure the new partition will appear.
[[!img create_partition.png link=no alt="Create partition on…"]]
- **Size**: you can decide to create a partition on the whole device or just on
part of it. In this example we are creating a partition of 2.0 GB on a device
of 3.9 GB.
- **Type**: you can change the filesystem type of the partition. If you are not
sure you can leave the default value: *Ext4*.
- **Name**: you can set a name for the partition. This name will remain
invisible until the partition is open but will help you to identify it during
- **Encrypt underlying device**: check this box to encrypt the partition!
Then click on **Create**.
You will be asked to enter a passphrase for the new partition.
[[!img enter_passphrase.png link=no alt="Enter Passphrase"]]
Then click on **Create**.
Creating the partition might take a few seconds after which the schema of
the device will display the new encrypted partition:
[[!img encrypted_partition.png link=no alt="Encrypted 2.0 GB / secret 2.0 GB
At this point you can create other partitions in the free space left on the
device, if you want, by clicking on it and doing again *Create Partition*.
<h2 class="bullet-number-five">Use the new partition</h2>
Now you can access this new volume from the **Places** menu with the name you
gave it. You won't be asked for its passphrase unless you unplug it and plug it
[[!img places_secret.png link=no alt="Places → secret"]]
Open an existing encrypted partition
When plugging a device containing an encrypted partition, Tails won't mount it
automatically but it will appear in the **Places** menu. If several partitions
appear as **Encrypted**, like in the example, you can use its size to guess
which one is the one you want to open.
[[!img places_encrypted.png link=no alt="Places → 2.0 GB Encrypted"]]
You will be asked to enter the passphrase to unlock the volume.
[[!img unlock_the_volume.png link=no alt="Enter a password to unlock the
In case you get it wrong, you will be warned with an error message. You can try
to open the partition as before and as many times as you want.
[[!img error.png link=no alt="Unable to mount 2.0 GB Encrypted"]]
In case you get it right, it will open a file browser in this partition.
[[!img nautilus.png link=no alt="secret - File Browser"]]
Once you are done, you can close the encrypted partition by right clicking on it
from the desktop and selecting **Safely Remove Drive**.
[[!img safely_remove_drive.png link=no alt="Safely Remove Drive"]]
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment