In this guide I’ll explain how you can run Tails as a VM in Proxmox while retaining the persistence feature, and keeping support for Proxmox backups and snapshots.
Firstly, note that running Tails as a VM defeats a lot of the security features it offers, since you now need to trust the hypervisor to be secure. The VM’s memory could be swapped to disk in the host’s swapfile or persisted in a guest snapshot (if the “include RAM” option is ticked), which will leak the contents of the guest onto the host’s persistent storage, including secret encryption key material.
Consider your threat model carefully. If you don’t mind if the guest’s secrets are leaked to the host, and you just want to use Tails for its secure Tor browser environment, running it as a VM may be a reasonable choice. For me I consider this setup to be useful for e.g. submitting anonymous bug reports to companies that may not be thankful for them.
Create the VM
Create a new VM. During creation, set the CD to “do not use any media”. On the System tab, set the BIOS to OVMF (UEFI) and the Machine to Q35 (this is just my preference), add an EFI disk, and set SCSI Controller to VirtIO SCSI.
Once the VM is created, detach and delete its empty root disk, since we’ll be replacing it with a Tails USB image.
From the Tails website, download a USB stick image (e.g. using
Expand the size of that image to suit your needs for persistent storage space, but it should be at least 8GB:
truncate -s 16G tails-amd64-4.14.img
Now import it as a disk to your VM:
# Like so: qm importdisk <vmid> tails-amd64-*.img <storage name> # e.g.: qm importdisk 108 tails-amd64-4.14.img local-lvm
This will add it to your VM’s “hardware” tab as an “unused disk”. Click that unused disk and then click the “Edit” button at the top of the page. Set it to be attached to SCSI 0:
Tails only wants to boot from a USB flash drive, so we need to replace this SCSI drive with a USB flash drive. Since Proxmox doesn’t support this natively, we need to do it using the VM “args” instead.
qm showcmd 1xx --pretty (replace 1xx with your VM ID) to see the command Proxmox will use to launch the VM. In that output, find the definition Proxmox created for the SCSI drive, specifically these two
qm showcmd 108 --pretty ... -drive 'file=/dev/zvol/rpool/vms/vm-108-disk-0,if=none,id=drive-scsi0,format=raw,cache=none,aio=native,detect-zeroes=on' \ -device 'scsi-hd,bus=scsihw0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0,id=scsi0' \
Now edit your VM’s config file (in
/etc/pve/qemu-server/1xx.conf), and add a new “args:” line to it.
Firstly we’ll mark the original SCSI disk as read-only so the guest doesn’t accidentally try to modify it simultaneously with the USB version of the same backing file:
Now we’ll add a
-drive argument that mimics the original
-drive argument we got from
showcmd. We just need to change the “id” argument of the original to “drive-usb0”:
Finally, we attach this drive as a new “usb-storage” removable flash drive. This has “bootindex” set to 1 so it’ll become the new default boot drive:
Put those all together on one line like so:
args: -set drive.drive-scsi0.readonly=on -drive 'file=/dev/zvol/rpool/vms/vm-108-disk-0,if=none,id=drive-usb0,format=raw,cache=none,aio=native,detect-zeroes=on' -device 'usb-storage,drive=drive-usb0,bootindex=1,removable=on'
Tails should now boot successfully!
The partition table of the root disk needs to be extended to fill the disk before Tails will be able to set up the persistent volume. When booting Tails, choose the Additional Setting to set an administration password:
Then once Tails boots, go to Applications > System Tools > Root Terminal.
Run ” gdisk /dev/sdb “, then type “w” and press enter, and answer “Y” when it asks you “Secondary header is placed too early on the disk! Do you want to correct this problem?”, and “Y” again to confirm:
Now you can use the wizard in Applications > Tails > Configure Persistent Volume to set up persistence.