AdHocSecurebox (formerly TailsOS-for-non-whistleblowers) is an opinionated collection of public domain scripts/docs to deal with sensitive data with average hardware and open source software. It does not aim to be perfect: just to be less wrong when you have to do it.
How to do it on a Tails live USB right now?
git clone https://github.com/fititnt/AdHocSecurebox.git /tmp/bootstrap-tails
# mv /home/amnesia/bin /home/amnesia/bin.bkp
cp -r /tmp/bootstrap-tails/bin /home/amnesia/bin
/home/amnesia/bin/tails-do-it
[issue#34] The initial target audience of this project
TODO: add description of the initial reasons for this project. But definitely mention about Domestic Violence survivors (fititnt, 2020-11-07 21:11 BRT)
Tails, without any extras, is already a great start for an ad hoc secure box (and is much simpler to get working than Qubes OS / Whonix). But by design Tails ("The Amnesic Incognito Live System") is not an average OS for daily usage, especially for those who are not its target audience.
This GitHub project has tested scripts to use on Tails (with special care about how to backup/restore) when you have to deal with, for example:
- On Tails: create SSH private keys, generate PGP keys for your Yubikey, use the OS as a fallback mechanism to log on to your servers when your main computer has issues (or you are on-the-go and your company/government would not allow you to use a friend's hardware). Etc.
- Beyond Tails: even if you already have full-disk encryption, we document potential tips for handling your daily desktop workstation so that neither the encryption/authentication keys nor the data itself stay accessible all the time to any random software (think your Zoom, Skype, Spotify, etc.) that could scan your disks for such contents. We also push you to use strategies that are resilient to ransomware, like making remote backups without fear because they're encrypted.
As a rule of thumb: you can use Tails to access other disks, but avoid using your main workstation to access TailsData (encrypted by default). Also keep in mind that Tails by default starts without internet access (and has assistive technology to help you with potential hardware keyloggers), so it's actually a perfect quick-to-use OS for offline ad hoc cryptography operations.
AdHocSecurebox v3.0 (and likely future versions) does not have any particular suggested reading order.
See bin/
Look at the folder bin/ for inspirational scripts to add to your /home/amnesia/bin (amnesic) or /live/persistence/TailsData_unlocked/dotfiles/bin (persistent).
If you don't plan to read the documentation at docs/ and are just browsing this repository, this is the folder to look around in for potential examples.
These folders are not used for copy or automation (like bin/ is). This is just documental syntactic sugar.
Look at the folder docs/ for POSIX scripts and markdown files meant to be read.
The folder dotfiles/example/ contains examples of dotfiles.
Some, like dotfiles/example/rocha/.curlrc, which lets curl proxy via Tor, may be pertinent to reduce extra parameters.
git clone https://github.com/fititnt/AdHocSecurebox.git /tmp/bootstrap-tails
# mv /home/amnesia/bin /home/amnesia/bin.bkp
cp -r /tmp/bootstrap-tails/bin /home/amnesia/bin
/home/amnesia/bin/tails-do-it
Adapt this to your needs. This is how the author would do it after already having his /home/amnesia/.ssh/id_rsa authorized to connect to GitHub.
# From an already running TailsOS with persistence enabled, run:
mkdir /home/amnesia/Persistent/git ; mkdir /home/amnesia/Persistent/git/fititnt/ ; cd /home/amnesia/Persistent/git/fititnt
git clone https://github.com/fititnt/AdHocSecurebox.git
cd /home/amnesia/Persistent/git/fititnt/AdHocSecurebox
- Tails Official documentation: https://tails.boum.org/doc/
- This is less wrong than this repository.
If you know other references for scripts, send a PR or an e-mail.
- Tails Reddit: https://www.reddit.com/r/tails/
- @ChristopherA Tails Dotfiles: https://github.com/ChristopherA/bash-dotfiles-for-tails
See docs/beyond-tails/.
The initial author also took care to make the public domain individual scripts as portable as possible <3.
Be warned: firewalls cannot protect you even from average, non-state-sponsored cyber attacks, because something on your computer collects data and uploads it (or asks for instructions from something outside). (... continue ...)
If you are not using Tails, but are still using Linux, AppArmor can be reused to protect against inside threats. One typical example is denying access to very private folders (like ~/.ssh, ~/.gnupg) (... continue ...)
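The deny rule described above, as an added example that is not part of the AdHocSecurebox repository: an AppArmor profile for a hypothetical program `example-chat` installed under /opt/example-chat/ (both names are assumptions). It grants the program broad access to the user's home and then denies ~/.ssh and ~/.gnupg; in AppArmor, deny rules take precedence over allow rules in the same profile.

```apparmor
# Constructed example. "example-chat" and /opt/example-chat/ are hypothetical;
# replace them with the program you want to confine.
# Suggested location: /etc/apparmor.d/opt.example-chat.bin.example-chat
#include <tunables/global>

profile example-chat /opt/example-chat/bin/example-chat {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The program's own installation directory: read and map only.
  /opt/example-chat/** mr,

  # Broad access to the user's own files, as a typical desktop
  # application would request (downloads, config, cache).
  owner @{HOME}/ r,
  owner @{HOME}/** rwk,

  # Outbound TCP for the application itself.
  network inet stream,
  network inet6 stream,

  # Key material: these deny rules override the broad allow above.
  # "audit" makes every blocked attempt appear in the kernel/audit log
  # as apparmor="DENIED", so an unexpected read of your keys is visible.
  audit deny @{HOME}/.ssh/ rw,
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/ rw,
  audit deny @{HOME}/.gnupg/** mrwkl,
}

# Load (or reload) the profile, then confirm it is in enforce mode:
#   sudo apparmor_parser -r /etc/apparmor.d/opt.example-chat.bin.example-chat
#   sudo aa-status
```

The profile only applies to processes started from the confined executable path, so a program launched from another location is not covered by it.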
This is a draft. See YubiKey on Tails #28.
TODO: write something more explicitly about allow reuse of this work, even without credit. (fititnt, 2020-10-26 20:36 UTC)
To the extent possible under law, Emerson Rocha has waived all copyright and related or neighboring rights to this work to Public Domain.