Last updated: March 16, 2026

Tails is a privacy-focused operating system that runs from a USB stick, routing all traffic through the Tor network. By default, Tails leaves no trace on the computer you use, but this anonymity comes with a trade-off: every shutdown wipes your session clean. The persistent storage feature solves this problem by creating an encrypted volume on your USB drive that survives reboots. This guide explains how to set it up, what belongs in persistent storage, and what data should remain ephemeral for maximum security.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - How Persistent Storage Works in Tails

When you activate persistent storage, Tails creates an encrypted partition alongside the operating system on your USB stick. This partition uses LUKS (Linux Unified Key Setup) encryption, protected by a passphrase you choose during setup. The encryption key is derived from your passphrase using PBKDF2, making it resistant to brute-force attacks.

The persistent volume mounts automatically when you enter your passphrase at the Tails welcome screen. Files you save to specific directories (/home/amnesia/Persistent and others you configure) persist across sessions. Everything else (browser history, temporary files, system logs) disappears when you shut down.

To verify persistent storage is available on your Tails USB, check for the “Persistent” folder in your home directory:

ls -la /home/amnesia/Persistent

If the folder exists and contains your files after a restart, your persistent storage is working correctly.

Step 2 - Set Up Persistent Storage

Setting up persistent storage requires administrative access within Tails and takes approximately 10-15 minutes. Follow these steps:

  1. Boot into Tails and select your language and keyboard layout
  2. From the desktop, open “Applications” → “Utilities” → “Configure Persistent Volume”
  3. Enter a strong passphrase (use a password manager to generate 20+ random characters)
  4. Select which directories to persist, you can choose from

The configuration tool offers these persistent directory options:

Enable only the directories you need. Each enabled directory increases your attack surface if the USB is compromised.

Step 3 - What Belongs in Persistent Storage

Certain data should survive reboots because recreating it manually each session is impractical or impossible. For developers and power users, these categories make sense in persistent storage:

GnuPG and SSH Keys

Your PGP keys and SSH credentials must persist; without them, you cannot decrypt messages or authenticate to servers. Store them in their respective persistent folders:

# Verify GnuPG key persistence
gpg --list-secret-keys

# Check SSH agent for loaded keys
ssh-add -l

Regenerating PGP keys frequently raises suspicion and breaks existing trust relationships. Keep your master keys in persistent storage with backups in a secure location.

Development Environment Configuration

Dotfiles, shell configurations, and development tool settings belong in persistent storage:

# Common persistent configuration paths
/home/amnesia/Persistent/dotfiles/
/home/amnesia/Persistent/.config/
/home/amnesia/Persistent/.ssh/

Create symlinks from your home directory to the persistent versions:

# -f replaces any file that already exists at the link path
ln -sf /home/amnesia/Persistent/dotfiles/.bashrc ~/.bashrc
ln -sf /home/amnesia/Persistent/dotfiles/.gitconfig ~/.gitconfig

Encrypted Password Databases

If you use a password manager like Bitwarden, KeePassXC, or 1Password, store the encrypted vault in persistent storage. The encryption protects the data even if someone obtains your USB stick:

# KeePassXC database location
/home/amnesia/Persistent/keepass/Database.kdbx

Source Code and Work Files

Active development projects should persist between sessions. Clone repositories to the persistent directory:

cd /home/amnesia/Persistent
git clone git@github.com:yourusername/project.git

Step 4 - What Must Remain Ephemeral

Some data should never persist for security reasons. Understanding what Tails intentionally wipes protects your anonymity.

Browser Session Data

All browser data (history, cookies, cache, and local storage) should remain ephemeral. This prevents correlation attacks where an adversary analyzes your browsing patterns across sessions. The Tor Browser isolates tabs and clears data on exit by design; enabling persistent cookies defeats this protection.

Temporary Files and Clipboard

Any file in /tmp or /var/tmp gets wiped automatically. The clipboard contents also clear on shutdown. If you’re copying sensitive data, expect it to disappear when you reboot.

System Logs

Tails does not write persistent system logs for good reason: logs contain timestamps, connection metadata, and system events that could compromise your anonymity. Do not redirect logs to persistent storage.

Swap Data

Linux swap partitions can contain sensitive data from memory. Tails disables swap by default, but verify this setting if using advanced configurations:

# Check swap status (no output means no swap is active)
swapon --show

# If swap is active, disable it
sudo swapoff -a

Security Trade-offs and Best Practices

Persistent storage creates a trade-off between convenience and security. The more data you persist, the more information exists for an adversary to analyze if your USB is seized or compromised.

Follow these hardening practices:

  1. Use separate USB drives for different personas or activities
  2. Encrypt sensitive files within persistent storage using GPG or age
  3. Rotate passphrases periodically, especially after crossing borders
  4. Enable the “Eraser” feature in Tails to securely wipe unused persistent space
  5. Never store plaintext credentials; always use encrypted vaults

For additional protection, consider using LUKS metadata randomization or plausible deniability tools, though these advanced techniques require careful configuration.

Advanced Persistent Storage Encryption

For sensitive files in persistent storage, apply additional encryption layers:

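# Create encrypted vault within persistent storage
mkdir -p /home/amnesia/Persistent/.vaults

# Allocate the container file that will hold the encrypted volume
# (256 MB here; adjust the size as needed)
truncate -s 256M /home/amnesia/Persistent/.vaults/sensitive.img

# Generate a random passphrase for the vault; keep it in your password
# manager, not in a file next to the vault
openssl rand -base64 32

# Create encrypted volume with cryptsetup (prompts for the passphrase)
sudo cryptsetup luksFormat --type luks2 /home/amnesia/Persistent/.vaults/sensitive.img

# Open the volume, create a filesystem on first use, and mount it
sudo cryptsetup luksOpen /home/amnesia/Persistent/.vaults/sensitive.img vault
sudo mkfs.ext4 /dev/mapper/vault   # first time only: erases the volume
sudo mkdir -p /mnt/vault
sudo mount /dev/mapper/vault /mnt/vault

# Unmount and close when done
sudo umount /mnt/vault
sudo cryptsetup luksClose vault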

This nested encryption ensures that even if someone accesses your persistent storage, the most sensitive data remains protected.

Persistent Storage File Organization Best Practices

Structure your persistent directory for efficiency and security:

/home/amnesia/Persistent/
 .config/           # Application configurations (hidden)
 .ssh/              # SSH keys (hidden)
 .gnupg/            # GPG keys (hidden)
 projects/          # Work files
    client-a/
    client-b/
 documents/         # Writing and notes
 backups/           # Encrypted backups
 temp/              # Temporary files (not critical)

Keep sensitive files in hidden directories (prefixed with dot) and use restrictive permissions:

# Restrict access to sensitive directories
chmod 700 /home/amnesia/Persistent/.ssh
chmod 700 /home/amnesia/Persistent/.gnupg

# Verify permissions
ls -la /home/amnesia/Persistent/
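
One way to check the permission rule above, together with the "never store plaintext credentials" rule, across the whole Persistent tree. This is an added example, not part of the original guide; the function name audit_persistent and its output labels are assumptions, and the key check covers PEM-format private keys only (OpenSSH-format keys do not show their encryption state in the header).

```bash
#!/bin/bash
# Added example: audit a Persistent tree for loose permissions and
# unencrypted PEM private keys. audit_persistent and the DIR_MODE /
# FILE_MODE / PLAINTEXT_KEY labels are assumptions of this sketch.

# audit_persistent ROOT
#   Prints one finding per line and returns 1 if anything was found.
audit_persistent() {
    root=$1
    out=$(
        for d in .ssh .gnupg; do
            [ -d "$root/$d" ] || continue
            # The directory (and any subdirectory) must be exactly 700
            find "$root/$d" -type d ! -perm 700 \
                -exec stat -c 'DIR_MODE %a %n' {} +
            # No file inside may grant any bit to group or others
            find "$root/$d" -type f -perm /077 \
                -exec stat -c 'FILE_MODE %a %n' {} +
        done
        # PEM private keys: PKCS#8 ("BEGIN PRIVATE KEY") is always
        # unencrypted; traditional RSA/EC/DSA keys are encrypted only if
        # they carry a "Proc-Type: 4,ENCRYPTED" header.
        grep -rlE -e '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' \
            "$root" 2>/dev/null |
            while IFS= read -r f; do
                grep -q 'ENCRYPTED' "$f" || echo "PLAINTEXT_KEY $f"
            done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run against the real tree when executed on Tails
if [ -d /home/amnesia/Persistent ]; then
    audit_persistent /home/amnesia/Persistent || true
fi
```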

Step 5 - Monitor Persistent Storage Usage

Track how much persistent storage you’re using to avoid filling the USB drive:

#!/bin/bash
# Monitor persistent storage space
echo "=== Persistent Storage Analysis ==="

# Show total used space
du -sh /home/amnesia/Persistent

# Show breakdown by directory (ten largest first)
du -sh /home/amnesia/Persistent/* | sort -rh | head -10

# Show what changed in the last 7 days
find /home/amnesia/Persistent -type f -mtime -7 -exec ls -lh {} +

# Report total usage in MB
total=$(du -sb /home/amnesia/Persistent | cut -f1)
echo "Total storage used: $((total / 1024 / 1024))MB"

Threat Models for Persistent Storage Configuration

Different threat levels require different strategies:

threat_models = {
    "low_threat": {
        "scenario": "General privacy, casual Tor browsing",
        "persist": [
            "SSH keys for personal servers",
            "Browser bookmarks",
            "Project files"
        ],
        "ephemeral": [
            "Browser history",
            "Cache",
            "Temporary work files"
        ]
    },
    "medium_threat": {
        "scenario": "Journalist, activist in moderately hostile environment",
        "persist": [
            "GPG keys (encrypted)",
            "SSH keys (encrypted)",
            "Important documents (encrypted)"
        ],
        "ephemeral": [
            "All communications",
            "Research notes",
            "Contact information"
        ]
    },
    "high_threat": {
        "scenario": "Dissident in repressive regime, targeted by state actors",
        "persist": [
            "Only absolutely critical keys",
            "All data deeply encrypted"
        ],
        "ephemeral": [
            "Everything except essential keys",
            "Rotate USB keys frequently",
            "Use separate USB for separate personas"
        ]
    }
}

Step 6 - Backup Strategy for Persistent Storage

While Tails provides no internet by default, backups of persistent storage are essential:

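# Create encrypted backup of persistent storage
# Use only on external USB drive in secure location

# 1. Insert external USB drive
# 2. Mount it securely (/dev/sdX1 is a placeholder for the drive's partition)
sudo mkdir -p /media/backup-drive
sudo mount /dev/sdX1 /media/backup-drive

# 3. Create encrypted tar backup
#    -C stores paths relative to /home/amnesia so the restore below lands in place
#    --exclude='.*' skips hidden entries (.ssh, .gnupg, .config); back those up separately
#    -pbkdf2 replaces openssl's weak default key derivation; decrypt with the same flag
tar --exclude='.*' \
    --exclude='temp/*' \
    -czf - -C /home/amnesia Persistent | \
    openssl enc -aes-256-cbc -salt -pbkdf2 \
    > /media/backup-drive/tails-persistent-backup-$(date +%Y%m%d).tar.gz.enc

# 4. Verify backup size
ls -lh /media/backup-drive/*.enc

# 5. Securely unmount
sudo umount /media/backup-drive

To restore from backup:

# Decrypt and extract backup
openssl enc -aes-256-cbc -d -salt -pbkdf2 \
    -in /media/backup-drive/tails-persistent-backup-20260316.tar.gz.enc | \
    tar -xzf - -C /home/amnesia/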
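
Checking the file size only shows that something was written. The following added example (not part of the original guide) makes a backup and then verifies that it is intact, decrypts, and lists as a tar archive before you rely on it. The names backup_dir, verify_backup and BACKUP_PASS are assumptions, and the key-derivation flags in KDF must match whatever flags created the backup being checked.

```bash
#!/bin/bash
# Added example: make an encrypted backup and verify it before trusting it.
# backup_dir, verify_backup and BACKUP_PASS are assumptions of this sketch.
# The passphrase is read from the environment so the check can run
# unattended; the commands in the guide prompt for it instead.

KDF="-pbkdf2 -iter 600000"   # must be identical for encrypt and decrypt

# backup_dir PARENT NAME OUT
#   Archives PARENT/NAME with relative paths, encrypts it to OUT and
#   records OUT's SHA-256 in OUT.sha256. AES-CBC has no integrity check,
#   so the digest is what detects a damaged or altered file. Keep a copy
#   of the digest away from the backup drive if tampering is a concern.
backup_dir() {
    tar -czf - -C "$1" "$2" |
        openssl enc -aes-256-cbc -salt $KDF -pass env:BACKUP_PASS -out "$3" ||
        return 1
    sha256sum "$3" | cut -d' ' -f1 > "$3.sha256"
}

# verify_backup FILE
#   0 + "ok": digest matches, file decrypts, and tar can list every member
#   1: digest mismatch   2: wrong passphrase or unreadable archive
verify_backup() {
    want=$(cat "$1.sha256" 2>/dev/null)
    have=$(sha256sum "$1" | cut -d' ' -f1)
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "digest mismatch"; return 1
    fi
    if ! openssl enc -d -aes-256-cbc $KDF -pass env:BACKUP_PASS -in "$1" \
            2>/dev/null | tar -tzf - >/dev/null 2>&1; then
        echo "decrypt or archive check failed"; return 2
    fi
    echo "ok"
}
```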

Step 7 - Recovery Scenarios and Persistent Storage

Understanding recovery options helps inform your persistent storage decisions:

# Recovery scenarios and implications
recovery_scenarios = {
    "lost_passphrase": {
        "status": "Permanent loss of data",
        "prevention": "Store passphrase in password manager with offline backup",
        "recovery": "None, USB becomes unusable"
    },
    "corrupted_persistent_volume": {
        "status": "Potential data loss",
        "prevention": "Regular encrypted backups",
        "recovery": "Restore from backup if available"
    },
    "device_seized": {
        "status": "Depends on encryption and threat model",
        "prevention": "Never carry sensitive data across borders",
        "recovery": "Device is lost; focus on other devices"
    },
    "accidental_deletion": {
        "status": "Data lost unless encrypted backup exists",
        "prevention": "Regular backups, immutable storage",
        "recovery": "Restore from recent backup"
    }
}

Persistent Storage Performance Optimization

Encrypted persistent storage is slower than regular storage. Optimize performance:

# Move frequently-accessed files to RAM tmpfs
# (uid/gid/mode make the RAM disk writable by, and private to, your user)
sudo mkdir -p /mnt/ramdisk
sudo mount -t tmpfs -o size=512M,mode=700,uid=$(id -u),gid=$(id -g) tmpfs /mnt/ramdisk

# Copy working directory to RAM
cp -r /home/amnesia/Persistent/projects /mnt/ramdisk/

# Work from RAM, then copy back
cp -r /mnt/ramdisk/projects /home/amnesia/Persistent/

# This improves responsiveness while keeping the persistent copy encrypted

Understanding what persists and what disappears is fundamental to using Tails effectively. By strategically selecting what survives reboots, you maintain both operational convenience and the strong anonymity guarantees that make Tails valuable.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to follow this guide?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Built by theluckystrike. More at zovo.one