Commit bf3ebbe2 authored by sajolida

Apply style guide

parent 866a2e59
...@@ -166,7 +166,7 @@ using the usual communication channels. ...@@ -166,7 +166,7 @@ using the usual communication channels.
- Documentation: BitingBird, sajolida - Documentation: BitingBird, sajolida
- *Onion Circuits* (Python): alan - *Onion Circuits* (Python): alan
- *OpenPGP Applet* (Perl): nodens - *OpenPGP Applet* (Perl): nodens
- Persistence setup (Perl): intrigeri, kurono - Persistent Storage (Perl): intrigeri, kurono
- Sysadmin: [[contact|contribute/how/sysadmin/#contact]] - Sysadmin: [[contact|contribute/how/sysadmin/#contact]]
- Welcome Screen (Python): alan, intrigeri - Welcome Screen (Python): alan, intrigeri
- *Tails Installer* (Python): alan, kurono, u - *Tails Installer* (Python): alan, kurono, u
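Review bot: the renamed entry "Persistent Storage (Perl)" now names a user-facing feature, while the neighbouring entries in this list name code components (*Onion Circuits*, *OpenPGP Applet*, *Tails Installer*). Since this list maps maintainers to code, consider keeping the tool identity visible, e.g. "*Persistent Storage* setup (Perl): intrigeri, kurono", so readers still know which Perl code base is meant.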
...@@ -56,13 +56,13 @@ If you are in Tails, see the [[dedicated instructions|website#tails]]. ...@@ -56,13 +56,13 @@ If you are in Tails, see the [[dedicated instructions|website#tails]].
Build the website in Tails Build the website in Tails
========================== ==========================
1. [[Create and configure|doc/first_steps/persistence/configure]] a persistent volume and activate the following features: 1. [[Create and configure|doc/first_steps/persistence/configure]] a Persistent Storage and turn on the following features:
- Personal Data - Personal Data
- APT Packages - APT Packages
- APT Lists - APT Lists
2. Restart Tails, [[enable the persistence|doc/first_steps/persistence/use]], and [[set up an administration password|doc/first_steps/welcome_screen/administration_password]]. 2. Restart Tails, [[unlock the Persistent Storage|doc/first_steps/persistence/use]], and [[set up an administration password|doc/first_steps/welcome_screen/administration_password]].
3. Update the list of available packages: 3. Update the list of available packages:
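Review bot: the wording change is fine, but the link targets in both steps (doc/first_steps/persistence/configure, doc/first_steps/persistence/use) keep the old "persistence" path names; that is only correct if those documentation pages were not renamed as part of the same style-guide pass, so it is worth confirming the links still resolve.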
...@@ -66,7 +66,7 @@ For example, derivatives could: ...@@ -66,7 +66,7 @@ For example, derivatives could:
Tails. Tails.
- Document how to use specific applications in Tails. - Document how to use specific applications in Tails.
- Rely on the customizations mechanisms already available in Tails - Rely on the customizations mechanisms already available in Tails
(additional software packages and persistent storage). (Additional Software and Persistent Storage features).
- Help us build in Tails other mechanisms that derivatives might need to - Help us build in Tails other mechanisms that derivatives might need to
adapt Tails to their needs (for example to have persistent DConf adapt Tails to their needs (for example to have persistent DConf
settings or additional APT sources). settings or additional APT sources).
...@@ -273,12 +273,12 @@ Configuration files, temporary files, user home directories and ...@@ -273,12 +273,12 @@ Configuration files, temporary files, user home directories and
similar files that most likely need to be modifiable during operation similar files that most likely need to be modifiable during operation
MUST only be saved temporarily in memory (e.g. by use of something MUST only be saved temporarily in memory (e.g. by use of something
like tmpfs or unionfs) unless the user explicitly enables some like tmpfs or unionfs) unless the user explicitly enables some
persistence feature. features of the Persistent Storage.
It is tempting to use the possibility to write back data when running It is tempting to use the possibility to write back data when running
from USB in order to allow user settings to be persistent. If this is from USB in order to allow user settings to be persistent. If this is
considered, this feature MUST be optional and offer the possibility considered, this feature MUST be optional and offer the possibility
to use strong encryption for the persistent storage. to use strong encryption for the Persistent Storage.
### 2.4.3 Virtual machines ### 2.4.3 Virtual machines
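Review bot: the second requirement still says the feature must "offer the possibility to use strong encryption for the Persistent Storage", which reads as if encryption were optional, whereas the design document in this same commit defines the Persistent Storage as a LUKS-encrypted partition with read-write access only after unlocking. Now that the proper name is used, consider tightening this to "MUST be optional and MUST encrypt the Persistent Storage with strong encryption" so the requirement matches what is implemented.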
...@@ -1122,7 +1122,7 @@ disregard the preferred keyserver assigned to specific keys. ...@@ -1122,7 +1122,7 @@ disregard the preferred keyserver assigned to specific keys.
- [[!tails_gitweb config/chroot_local-includes/etc/skel/.gnupg/dirmngr.conf]] - [[!tails_gitweb config/chroot_local-includes/etc/skel/.gnupg/dirmngr.conf]]
- [[!tails_gitweb config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults]] - [[!tails_gitweb config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults]]
### 3.6.17 Persistence feature ### 3.6.17 Persistent Storage
An opt-in data persistence feature is available in Tails 0.11 and An opt-in data persistence feature is available in Tails 0.11 and
newer. See [[contribute/design/persistence]] for details. newer. See [[contribute/design/persistence]] for details.
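Review bot: the heading is renamed to "Persistent Storage" but the body line directly under it still reads "An opt-in data persistence feature is available in Tails 0.11 and newer"; for consistency with the style guide being applied, rephrase to something like "An opt-in Persistent Storage is available in Tails 0.11 and newer."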
...@@ -1255,7 +1255,7 @@ default configuration tells it to use the default of Tor's ...@@ -1255,7 +1255,7 @@ default configuration tells it to use the default of Tor's
SOCKSPort:s, and sync the necessary parts of the Bitcoin blockchain SOCKSPort:s, and sync the necessary parts of the Bitcoin blockchain
(as a lightweight client) from the default server pool using SSL. (as a lightweight client) from the default server pool using SSL.
There is also a persistence preset for the live user's `.electrum` There is also a feature of the Persistent Storage for the live user's `.electrum`
configuration folder, which stores the Bitcoin wallet, application configuration folder, which stores the Bitcoin wallet, application
preferences and the cached Bitcoin blockchain. preferences and the cached Bitcoin blockchain.
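Review bot: "a feature of the Persistent Storage for the live user's `.electrum` configuration folder" is hard to parse; "a Persistent Storage feature for the live user's `.electrum` configuration folder" keeps the new term and reads more naturally.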
...@@ -58,7 +58,7 @@ detecting an encrypted Debian Live persistent volume). This is why we ...@@ -58,7 +58,7 @@ detecting an encrypted Debian Live persistent volume). This is why we
have decided, back when we were implementing persistence support and have decided, back when we were implementing persistence support and
a graphical USB installer in 2012, to initialize Tails boot devices a graphical USB installer in 2012, to initialize Tails boot devices
with a GPT. Since then, we have made great use of this feature in with a GPT. Since then, we have made great use of this feature in
Tails Persistent Volume Assistant, Incremental Upgrader and the Welcome Screen. for the Persistent Storage, Upgrader, and Welcome Screen.
Despite a few painful consequences we discovered along the way, all Despite a few painful consequences we discovered along the way, all
caused by buggy firmware implementations, we think that picking GPT at caused by buggy firmware implementations, we think that picking GPT at
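Review bot: the replacement leaves a grammatical error across the line break: the unchanged context ends with "we have made great use of this feature in" and the new line starts with "for the Persistent Storage, Upgrader, and Welcome Screen", producing "in for". Either drop "in" from the previous line or write "in the Persistent Storage, Upgrader, and Welcome Screen".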
...@@ -10,8 +10,8 @@ amnesic, new software packages for Debian can be installed in a working ...@@ -10,8 +10,8 @@ amnesic, new software packages for Debian can be installed in a working
session but they are not reinstalled at next reboot. session but they are not reinstalled at next reboot.
Additional Software Packages is a feature to remember a set of Debian Packages Additional Software Packages is a feature to remember a set of Debian Packages
to be installed automatically from [[persistent to be installed automatically from the [[Persistent
storage|contribute/design/persistence]] each time Tails is started. Storage|contribute/design/persistence]] each time Tails is started.
Use cases Use cases
========= =========
...@@ -20,7 +20,7 @@ Alice is a geographer working for an NGO in an unstable country. They need ...@@ -20,7 +20,7 @@ Alice is a geographer working for an NGO in an unstable country. They need
to use Tails but needs the QGis SIG to work. It would make little sense to use Tails but needs the QGis SIG to work. It would make little sense
to add such a specific software in Tails. But thanks to Additional to add such a specific software in Tails. But thanks to Additional
Software Packages, Alice can have QGis installed every time when they boot Software Packages, Alice can have QGis installed every time when they boot
Tails with persistent storage enabled. Tails with the Persistent Storage unlocked.
Bob is a journalist and wants to publish videos made by other Bob is a journalist and wants to publish videos made by other
colleagues. Bob needs to convert these videos and is used to the open colleagues. Bob needs to convert these videos and is used to the open
...@@ -40,7 +40,7 @@ Goals ...@@ -40,7 +40,7 @@ Goals
- Integrate this in: - Integrate this in:
- The usual installation and removal process of a package (through - The usual installation and removal process of a package (through
Synaptic, another graphical tool, or APT on the command line). Synaptic, another graphical tool, or APT on the command line).
- The persistent storage configuration. - The Persistent Storage settings.
- Ensure packages are installed even offline. - Ensure packages are installed even offline.
...@@ -153,7 +153,7 @@ installed or removed. ...@@ -153,7 +153,7 @@ installed or removed.
<img src="https://redmine.tails.boum.org/code/attachments/download/1925/asp-flow-installed.svg" height="auto" /> <img src="https://redmine.tails.boum.org/code/attachments/download/1925/asp-flow-installed.svg" height="auto" />
#### With persistent storage unlocked: #### With the Persistent Storage unlocked:
<img src="https://git.tails.boum.org/ux/plain/additional software/png/notification - add.png"/> <img src="https://git.tails.boum.org/ux/plain/additional software/png/notification - add.png"/>
...@@ -165,14 +165,14 @@ atomically to the `live-additional-software.conf` configuration file ...@@ -165,14 +165,14 @@ atomically to the `live-additional-software.conf` configuration file
(this logic is handled by (this logic is handled by
<https://git-tails.immerda.ch/pythonlib/plain/tailslib/additionalsoftware.py>) <https://git-tails.immerda.ch/pythonlib/plain/tailslib/additionalsoftware.py>)
#### Without persistent storage #### Without a Persistent Storage
<img src="https://git.tails.boum.org/ux/plain/additional software/png/notification - add without persistent storage.png"/> <img src="https://git.tails.boum.org/ux/plain/additional software/png/notification - add without persistent storage.png"/>
When *Add To Persistent Storage* is clicked, When *Add To Persistent Storage* is clicked,
`/usr/bin/tails-persistence-setup` is started as `/usr/bin/tails-persistence-setup` is started as
`tails-persistence-setup` with a GUI to lead the user through the process `tails-persistence-setup` with a GUI to lead the user through the process
of creating a persistent storage. The `AdditionalSoftware` preset is of creating a Persistent Storage. The `AdditionalSoftware` preset is
automatically enabled. The new additional packages are then added to the automatically enabled. The new additional packages are then added to the
`live-additional-software.conf` configuration file, which is in this `live-additional-software.conf` configuration file, which is in this
case mounted to `/media/tails-persistence-setup/TailsData` instead of case mounted to `/media/tails-persistence-setup/TailsData` instead of
...@@ -182,18 +182,18 @@ case mounted to `/media/tails-persistence-setup/TailsData` instead of ...@@ -182,18 +182,18 @@ case mounted to `/media/tails-persistence-setup/TailsData` instead of
The systemd service The systemd service
[[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-synchronize-data-to-new-persistent-volume-on-shutdown.service]] [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-synchronize-data-to-new-persistent-volume-on-shutdown.service]]
is used to synchronize APT data (lists and cached packages) to the newly is used to synchronize APT data (lists and cached packages) to the newly
created persistent storage on Tails shutdown. created Persistent Storage on Tails shutdown.
#### With persistent storage locked #### With the Persistent Storage locked
No notification is displayed as people who have a persistent storage but No notification is displayed as people who have a Persistent Storage but
don't unlock it, probably do this only sometimes and for a reason. They don't unlock it, probably do this only sometimes and for a reason. They
probably otherwise unlock their persistent storage most of the time. If probably otherwise unlock their Persistent Storage most of the time. If
they install packages with their persistent storage locked, they they install packages with their Persistent Storage locked, they
probably do it with their persistent storage unlock as well and would probably do it with their Persistent Storage unlocked as well and would
learn about this feature when it's most relevant for them. learn about this feature when it's most relevant for them.
#### When it's impossible to have persistent storage #### When it's impossible to have a Persistent Storage
This happens when running from a DVD, virtual machine, or intermediary This happens when running from a DVD, virtual machine, or intermediary
Tails. Tails.
...@@ -223,7 +223,7 @@ The list of additional software can be opened from: ...@@ -223,7 +223,7 @@ The list of additional software can be opened from:
- **Applications**&nbsp;▸ **System Tools**&nbsp;▸ **Additional Software** - **Applications**&nbsp;▸ **System Tools**&nbsp;▸ **Additional Software**
- **Applications**&nbsp;▸ **Tails**&nbsp;▸ **Additional Software** - **Applications**&nbsp;▸ **Tails**&nbsp;▸ **Additional Software**
- a click on the gear button next to the **Additional - a click on the gear button next to the **Additional
Software** feature in the persistent storage settings Software** feature in the Persistent Storage settings
This application is implemented in the following files: This application is implemented in the following files:
...@@ -231,9 +231,9 @@ This application is implemented in the following files: ...@@ -231,9 +231,9 @@ This application is implemented in the following files:
- [[!tails_gitweb config/chroot_local-includes/usr/share/applications/org.boum.tails.additional-software-config.desktop.in]] - [[!tails_gitweb config/chroot_local-includes/usr/share/applications/org.boum.tails.additional-software-config.desktop.in]]
- [[!tails_gitweb config/chroot_local-includes/usr/share/tails/additional-software/configuration-window.ui]] - [[!tails_gitweb config/chroot_local-includes/usr/share/tails/additional-software/configuration-window.ui]]
If there is no persistent storage or before any package is added, if the If there is no Persistent Storage or before any package is added, if the
persistent storage is locked, or if it is impossible to have a persistent Persistent Storage is locked, or if it is impossible to have a Persistent
storage (for example, when running from a DVD or a virtual machine) the window Storage (for example, when running from a DVD or a virtual machine) the window
shows an explanation text with appropriate pointers: shows an explanation text with appropriate pointers:
<img src="https://git.tails.boum.org/ux/plain/additional software/png/additional software - without persistent storage.png"/> <img src="https://git.tails.boum.org/ux/plain/additional software/png/additional software - without persistent storage.png"/>
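Review bot: the sentence "If there is no Persistent Storage or before any package is added, if the Persistent Storage is locked, or if it is impossible to have a Persistent Storage (...) the window shows an explanation text" mixes a condition with a time qualifier and is hard to follow even after the rename; consider reordering to "If there is no Persistent Storage yet, if it is locked, if it is impossible to have one (...), or before any package is added, the window shows ...".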
...@@ -117,7 +117,7 @@ Tor Browser ...@@ -117,7 +117,7 @@ Tor Browser
As of Tails 1.3, the Tor Browser is somewhat confined with AppArmor. As of Tails 1.3, the Tor Browser is somewhat confined with AppArmor.
Given we cannot seriously allow the Tor Browser to read and write Given we cannot seriously allow the Tor Browser to read and write
everywhere in the home and persistent directory, we had to allow it to everywhere in the home and *Persistent* folder, we had to allow it to
read/write files from/to one specific directory, and make it so the read/write files from/to one specific directory, and make it so the
user experience is not hurt too much. user experience is not hurt too much.
...@@ -139,10 +139,10 @@ store it entirely, so this problem is not specific to downloading to ...@@ -139,10 +139,10 @@ store it entirely, so this problem is not specific to downloading to
an amnesiac directory. an amnesiac directory.
Still, we thought it would be good to allow users to download large Still, we thought it would be good to allow users to download large
files from Tor Browser to their persistent volume, so we have files from Tor Browser to their Persistent Storage, so we have
introduced a second downloads/uploads directory: `~/Persistent/Tor introduced a second downloads/uploads directory: `~/Persistent/Tor
Browser/`, that is created whenever the "Personal data" (aka. Browser/`, that is created whenever the "Personal data" (aka.
`~/Persistent/`) persistence feature is activated. In that case, if `~/Persistent/`) feature is turned on. In that case, if
persistence was activated read-write, another GTK bookmark pointing to persistence was activated read-write, another GTK bookmark pointing to
that directory is created at login time. that directory is created at login time.
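Review bot: the new text says the "Personal data" feature "is turned on", but the unchanged next line still says "if persistence was activated read-write"; within one sentence the two terminologies clash. Suggest "if the Persistent Storage was unlocked read-write" to match the rest of the commit.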
...@@ -13,7 +13,7 @@ this [[flowchart of the installation process as of ...@@ -13,7 +13,7 @@ this [[flowchart of the installation process as of
The objective was to make this a linear process, to be follow step-by-step, and The objective was to make this a linear process, to be follow step-by-step, and
that would take the user from our homepage up to starting on a Tails USB stick that would take the user from our homepage up to starting on a Tails USB stick
with a persistent volume. But this process has to be adapted to the base with a Persistent Storage. But this process has to be adapted to the base
operating system of the user or their technical expertise. operating system of the user or their technical expertise.
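Review bot: the unchanged context line in this hunk carries a pre-existing typo, "a linear process, to be follow step-by-step" (should be "followed"); since the paragraph is being touched anyway, fix it here.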
We decided to optimize it for first time and less technical users, while still We decided to optimize it for first time and less technical users, while still
...@@ -151,7 +151,7 @@ Notes: ...@@ -151,7 +151,7 @@ Notes:
2015). 2015).
- DVD do not benefit from automatic upgrades, so people might be more - DVD do not benefit from automatic upgrades, so people might be more
quickly out-of-date. quickly out-of-date.
- DVD does not allow creating a persistent volume, so people cannot - DVD does not allow creating a Persistent Storage, so people cannot
rely on long lasting cryptographic keys to secure their rely on long lasting cryptographic keys to secure their
communication and might use weaker techniques. communication and might use weaker techniques.
- For these same reasons we only provide a download and links to Ubuntu - For these same reasons we only provide a download and links to Ubuntu
...@@ -162,7 +162,7 @@ Notes: ...@@ -162,7 +162,7 @@ Notes:
2015). 2015).
- VMs are less secure because the host operating system can monitor - VMs are less secure because the host operating system can monitor
them. them.
- VMs make it harder to create a persistent volume, so people might - VMs make it harder to create a Persistent Storage, so people might
not rely on long lasting cryptographic keys to secure their not rely on long lasting cryptographic keys to secure their
communication and might use weaker techniques. communication and might use weaker techniques.
- For these same reasons we only provide a download and then point to the - For these same reasons we only provide a download and then point to the
...@@ -58,31 +58,31 @@ wants to have persistent. This is the `~/Persistent/` directory. ...@@ -58,31 +58,31 @@ wants to have persistent. This is the `~/Persistent/` directory.
If a user needs software that is not included in Tails by default it can be If a user needs software that is not included in Tails by default it can be
quite annoying to fetch the APT information and download it (slow over quite annoying to fetch the APT information and download it (slow over
Tor) every time. Therefore, APT packages lists and cache can easily be Tor) every time. Therefore, APT packages lists and cache can easily be
made persistent. It's also possible to store in persistence a list of made persistent. It's also possible to store in the Persistent Storage a list of
additional software packages to be automatically reinstalled on boot. additional software packages to be automatically reinstalled on boot.
Persistence storage location Persistence storage location
---------------------------- ----------------------------
The Tails persistent volume is a LUKS-encrypted GPT partition, labeled The Tails Persistent Storage is a LUKS-encrypted GPT partition, labeled
`TailsData`, stored on a removable storage device. `TailsData`, stored on a removable storage device.
Specifications Specifications
============== ==============
Once a persistent volume is enabled, changes to persistent files are saved. Once a Persistent Storage is enabled, changes to persistent files are saved.
Moreover: Moreover:
* Read-write access to a persistent data store is not the default: it * Read-write access to the Persistent Storage is not the default: it
requires a voluntary user action such as choosing enabling requires a voluntary user action such as unlocking the Persistent
a *persistence* option in the boot menu. Storage in the Welcome Screen.
* The persistent data is stored using strong, well-known, Free * The Persistent Storage uses strong, well-known, Free
Software, peer-reviewed encryption tools (`dm-crypt` and LUKS) Software, peer-reviewed encryption tools (`dm-crypt` and LUKS)
* Fixed storage devices are be blacklisted by default from the search * Fixed storage devices are be blacklisted by default from the search
for persistent volumes. Rationale: preventing the risk of using for a Persistent Storage. Rationale: preventing the risk of using
a malicious persistent volume seems more important than supporting a malicious Persistent Storage seems more important than supporting
the rare "I want to store my persistent volume on a fixed hard-disk" the rare "I want to store my Persistent Storage on a fixed hard-disk"
use-case. use-case.
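Review bot: two consistency points in this hunk. "Once a Persistent Storage is enabled, changes to persistent files are saved" keeps "enabled" while the bullet right below it, and the rest of the commit, use "unlocked"; align them. The unchanged line "Fixed storage devices are be blacklisted by default" also has a pre-existing grammar error ("are blacklisted") worth fixing while here.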
Current state of things Current state of things
...@@ -138,7 +138,7 @@ User interface ...@@ -138,7 +138,7 @@ User interface
A *Configure persistent storage* menu entry is the entry point to the A *Configure persistent storage* menu entry is the entry point to the
*bootstrap persistent storage* UI. This UI allows the user to set up *bootstrap persistent storage* UI. This UI allows the user to set up
a persistent storage container in the free space left on the USB stick a Persistent Storage in the free space left on the USB stick
by [[Tails Installer|installation]]. by [[Tails Installer|installation]].
Choosing persistence is something *activelly* opt-in, i.e. "I want Choosing persistence is something *activelly* opt-in, i.e. "I want
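Review bot: "a Persistent Storage" is capitalized here but the same hunk leaves "*Configure persistent storage* menu entry" and "*bootstrap persistent storage* UI" in lower case. If those italicized strings are literal UI labels, that is fine, but then it would help to say so; otherwise they should follow the same style. The context line "something *activelly* opt-in" also has a pre-existing typo ("actively").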
...@@ -151,14 +151,14 @@ own [[contribute/Git]] (gbp-style) repository. ...@@ -151,14 +151,14 @@ own [[contribute/Git]] (gbp-style) repository.
#### Design #### Design
Setting up a Tails persistent volume means: Setting up a Persistent Storage means:
* detect the device Tails is running from * detect the device Tails is running from
* error out if not running from USB * error out if not running from USB
* error out unless Tails was installed using Tails Installer (i.e. * error out unless Tails was installed using Tails Installer (i.e.
unless it's running from a GPT partition labeled `Tails`) unless it's running from a GPT partition labeled `Tails`)
* error out if the device Tails is running from already has * error out if the device Tails is running from already has
a persistent volume a Persistent Storage
* ask the user an encryption passphrase (welcome bonus: pointing to * ask the user an encryption passphrase (welcome bonus: pointing to
the relevant documentation about choosing a *strong* passphrase) the relevant documentation about choosing a *strong* passphrase)
* create a LUKS-encrypted partition on the Tails USB stick * create a LUKS-encrypted partition on the Tails USB stick
...@@ -174,14 +174,15 @@ Setting up a Tails persistent volume means: ...@@ -174,14 +174,15 @@ Setting up a Tails persistent volume means:
system is booting for the first time or not, every first boot must system is booting for the first time or not, every first boot must
change something on the Tails system partition. We don't change something on the Tails system partition. We don't
want to do this, hence the `tails-persistence-setup` will be run want to do this, hence the `tails-persistence-setup` will be run
from the Applications menu by users who decide they want persistence. from the Applications menu by users who decide they want a Persistent
Storage.
* **Storage location**: To keep the GUI and documentation simple, we * **Storage location**: To keep the GUI and documentation simple, we
only support setting up a persistent volume *on the USB stick Tails only support setting up a Persistent Storage *on the USB stick Tails
is running from*. **Note**: the underlying tools (live-boot backend, is running from*. **Note**: the underlying tools (live-boot backend,
tails-greeter) will support storage on whatever relevant device, tails-greeter) will support storage on whatever relevant device,
though; moreover, `tails-persistence-setup` actually knows how to though; moreover, `tails-persistence-setup` actually knows how to
set up persistence on arbitrary devices, thanks to command-line set up a Persistent Storage on arbitrary devices, thanks to command-line
options. Therefore, brave and advanced users can prepare their store options. Therefore, brave and advanced users can prepare their store
their persistent data wherever they want, but this is not something their persistent data wherever they want, but this is not something
we will actively support and document beyond the bare minimum we will actively support and document beyond the bare minimum
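Review bot: the unchanged context in this hunk contains a garbled phrase, "brave and advanced users can prepare their store their persistent data wherever they want"; since the surrounding lines are being edited, fix it to "can store their persistent data wherever they want".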
...@@ -215,13 +216,13 @@ Setting up a Tails persistent volume means: ...@@ -215,13 +216,13 @@ Setting up a Tails persistent volume means:
### Configure which bits are persistent ### Configure which bits are persistent
This is automatically run right after the persistent storage bootstrap This is automatically run right after the Persistent Storage bootstrap
step. The user is enabled to change the configuration later. step. The user is enabled to change the configuration later.
Persistence settings changes are taken into account at next boot. Changes to the Persistent Storage settings are taken into account at next boot.
#### Design #### Design
* either persistence is currently enabled in read-write mode, and thus * either the Persistent Storage is currently unlocked in read-write mode, and thus
the persistence partition is already mounted; or the user is the persistence partition is already mounted; or the user is
directly coming from bootstrap, and then we must mount the partition directly coming from bootstrap, and then we must mount the partition
ourselves ourselves
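Review bot: the first bullet now says "the Persistent Storage is currently unlocked in read-write mode" but continues with "and thus the persistence partition is already mounted"; for consistency use "the Persistent Storage partition is already mounted" (or "its partition").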
...@@ -248,7 +249,7 @@ Persistence settings changes are taken into account at next boot. ...@@ -248,7 +249,7 @@ Persistence settings changes are taken into account at next boot.
custom* button allows to enter custom source, destination (and custom* button allows to enter custom source, destination (and
comma-separated list of options?) comma-separated list of options?)
### Enable persistence at boot time ### Unlock the Persistent Storage at boot time
Choosing between various persistence modes is one of the reasons why Choosing between various persistence modes is one of the reasons why
we've written a graphical [[!tails_ticket 5528 desc="boot menu"]]: we've written a graphical [[!tails_ticket 5528 desc="boot menu"]]:
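Review bot: the heading becomes "Unlock the Persistent Storage at boot time" but the paragraph under it still opens with "Choosing between various persistence modes", which is what this section is really about (read-only versus read-write, see the design bullets that follow). Either keep "persistence modes" deliberately and say so, or rephrase to "Choosing how to unlock the Persistent Storage (and in which mode)".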
...@@ -256,14 +257,14 @@ the [[!tails_ticket 5496 desc="Welcome Screen"]] (aka. *tails-greeter*). ...@@ -256,14 +257,14 @@ the [[!tails_ticket 5496 desc="Welcome Screen"]] (aka. *tails-greeter*).
#### Design #### Design
* asks whether to enable persistence at all; * asks whether to unlock the Persistent Storage at all;
* ask list of possibly valid persistent containers to `live-persist` * ask list of possibly valid Persistent Storages to `live-persist`
* initial implementation (MVC -speak): the model (`live-persist` and * initial implementation (MVC -speak): the model (`live-persist` and
tails-greeter code that runs it) supports enabling multiple tails-greeter code that runs it) supports enabling multiple
persistence containers, but the view (tails-greeter GUI) only Persistent Storages, but the view (tails-greeter GUI) only
supports *one* persistence container supports *one* Persistent Storage
* ask LUKS passphrase, deals with errors * ask LUKS passphrase, deals with errors
* for a given persistent container, it's all or nothing: all bits of * for a given Persistent Storage, it's all or nothing: all bits of
persistence configured in its `live.persist` are to be set up persistence configured in its `live.persist` are to be set up
* runs `live-persist` to set up persistent data where it belong * runs `live-persist` to set up persistent data where it belong
* pass information to the user session (at least * pass information to the user session (at least
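Review bot: pluralizing the product name, "possibly valid Persistent Storages" and "enabling multiple Persistent Storages", reads oddly and blurs the technical meaning here, which is a list of candidate LUKS containers returned by `live-persist`. Suggest "possibly valid Persistent Storage volumes" (or "containers"), which keeps the new term and still describes what the model handles.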
...@@ -275,9 +276,10 @@ backend / tails-greeter interface ...@@ -275,9 +276,10 @@ backend / tails-greeter interface
### Long story short ### Long story short
0. The user chooses to toggle persistence on in `tails-greeter`. 0. The user chooses to unlock the Persistent Storage in the Welcome
Screen, aka. `tails-greeter`.
0. `tails-greeter` asks `live-boot` the list of possibly valid 0. `tails-greeter` asks `live-boot` the list of possibly valid
persistent containers. Persistent Storages.
0. For each such volume, `tails-greeter` asks the user to enter the 0. For each such volume, `tails-greeter` asks the user to enter the
passphrase or to skip it, and tries to unlock. `tails-greeter` passphrase or to skip it, and tries to unlock. `tails-greeter`
deals with error catching, retrying, etc. as appropriate. deals with error catching, retrying, etc. as appropriate.
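Review bot: same plural issue, and it is visible within the hunk: the new text says "the list of possibly valid Persistent Storages" while the next step says "For each such volume"; use "Persistent Storage volumes" so the two sentences agree.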
...@@ -298,7 +300,7 @@ as: ...@@ -298,7 +300,7 @@ as:
well-behaved synchronously-called shell script, that is: with well-behaved synchronously-called shell script, that is: with
appropriate exit codes and `STDERR`. appropriate exit codes and `STDERR`.
### Possibly valid persistent containers ### Possibly valid Persistent Storages
In our case, that is quite simple: it means removable LUKS encrypted In our case, that is quite simple: it means removable LUKS encrypted
filesystem, stored on GPT partitions labeled `Tails-persistence` (or filesystem, stored on GPT partitions labeled `Tails-persistence` (or
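Review bot: beyond the heading plural ("Possibly valid Persistent Storages"), this hunk exposes a pre-existing inconsistency in the document: the definition here says the partitions are "labeled `Tails-persistence`", while the "Persistence storage location" section edited earlier in this commit says the partition is "labeled `TailsData`". One of the two labels is stale; fix it while the terminology is being unified.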
...@@ -315,7 +317,7 @@ labeled with `live-rw` or `home-rw`, but if they're on encrypted ...@@ -315,7 +317,7 @@ labeled with `live-rw` or `home-rw`, but if they're on encrypted
device, then `live-boot` has to unlock the parent device them to see device, then `live-boot` has to unlock the parent device them to see
the label; also, in non-Tails usecases, any encrypted filesystem may the label; also, in non-Tails usecases, any encrypted filesystem may
contain a `*-rw` file, and must be unlocked to know too; so any contain a `*-rw` file, and must be unlocked to know too; so any
encrypted device may be a valid persistent container that is worth encrypted device may be a valid Persistent Storage that is worth
passing to `tails-greeter`; . `live-persist` will support non-Tails passing to `tails-greeter`; . `live-persist` will support non-Tails
usecases on a best-effort basis, leaving room for improvement in case usecases on a best-effort basis, leaving room for improvement in case
other developers want to add support for their preferred usecases. other developers want to add support for their preferred usecases.
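Review bot: the rename is semantically wrong in this sentence. The paragraph is explicitly about non-Tails use cases ("in non-Tails usecases, any encrypted filesystem may contain a `*-rw` file"), so "any encrypted device may be a valid Persistent Storage" applies the Tails product name to a generic live-boot persistence container. Keep "persistent container" (or "persistence container") here, and reserve "Persistent Storage" for the Tails feature.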
...@@ -332,7 +334,7 @@ Additional software packages ...@@ -332,7 +334,7 @@ Additional software packages
---------------------------- ----------------------------
The `tails-additional-software` script installs a list of The `tails-additional-software` script installs a list of
additional software packages stored in persistence. additional software packages stored in the Persistent Storage.
For details see [[additional_software_packages]]. For details see [[additional_software_packages]].
<a id="security"></a> <a id="security"></a>
...@@ -340,7 +342,7 @@ For details see [[additional_software_packages]]. ...@@ -340,7 +342,7 @@ For details see [[additional_software_packages]].
Security Security
-------- --------
The root directory of the persistent volume filesystem root is created The root directory of the Persistent Storage is created
by the persistence configuration assistant, owned by `root:root`, with by the persistence configuration assistant, owned by `root:root`, with
permissions 0775: permissions 0775:
...@@ -358,17 +360,17 @@ by `tails-persistence-setup:tails-persistence-setup`, with permissions ...@@ -358,17 +360,17 @@ by `tails-persistence-setup:tails-persistence-setup`, with permissions
0600 and no ACLs. It refuses to read configuration files with 0600 and no ACLs. It refuses to read configuration files with
different permissions. different permissions.
`live-persist` checks these permissions on the persistence root `live-persist` checks these permissions on the root directory of the
directory, on `persistence.conf` and on Persistent Storage, on `persistence.conf` and on
`live-additional-software.conf`. Then, `live-persist` disables every `live-additional-software.conf`. Then, `live-persist` disables every
such file, and refuses to set up any persistence feature, if the such file, and refuses to set up any feature of the Persistent Storage, if the
persistent volume has wrong permissions. It also disables every such Persistent Storage has wrong permissions. It also disables every such
file that has wrong permissions itself. file that has wrong permissions itself.
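Review bot: minor wording: "refuses to set up any feature of the Persistent Storage, if the Persistent Storage has wrong permissions" has a stray comma before "if" and repeats the name; "refuses to set up any Persistent Storage feature if the Persistent Storage root directory has wrong permissions" is tighter and also says which permissions are meant (the check described two sentences earlier).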
Migration from pre-0.21 persistent volumes