Tails OS, an operating system optimized for privacy and anonymity, released version 4.5 this week, the first version that supports a crucial security feature named UEFI Secure Boot.
Secure Boot works by using cryptographic signatures to verify that firmware files loaded during a computer’s boot-up process are authentic and have not been tampered with.
If any of the firmware checks fail, Secure Boot has the authority to stop the boot process, preventing the operating system from launching.
The feature has been available as part of the UEFI specification for almost two decades but is rarely used. The reason is that not all firmware vendors cryptographically sign their files, leaving the door open to verification errors that, when Secure Boot is enabled, block many operating systems from launching.
Nevertheless, although it is rarely enabled by end users, support for Secure Boot has been added to various operating systems, just in case users wanted to use the feature. The list includes Windows, Windows Server, Fedora, Debian, RHEL, CentOS, and openSUSE.
The most notable absence from the list of operating systems supporting Secure Boot has been Tails OS, an operating system designed from the ground up to be private and secure to use, and an OS you’d expect to support Secure Boot.
Launched in 2009, Tails OS is meant to be booted from DVDs or USB thumb drives, operates solely in a computer’s RAM, runs all network traffic through the Tor network, and does not leave artifacts on the hard drive unless specifically configured to do so.
The OS became famous and gained a lot of users in the mid-2010s when Edward Snowden said he used Tails to securely communicate with journalists while leaking the NSA’s secrets in 2013 and 2014.
However, until today, despite the plethora of security and privacy features it possessed, Tails did not support UEFI Secure Boot setups. Users who wanted to use Tails on a computer had to disable Secure Boot in the computer’s BIOS, leaving their devices vulnerable to firmware tampering that could later compromise the communications carried out through Tails.
According to the Tails website, work began on adding Secure Boot to Tails six years ago, and starting with Tails 4.5, released yesterday, users can now safely enable Secure Boot and run it alongside Tails, out of the box, without having to do anything or run complicated workarounds.