Tails developers maintain several OpenPGP key pairs.

Make sure to verify the keys that you download, because there are several fake and maybe malicious Tails keys on the key servers.

For example, if you first authenticate the Tails signing key through the OpenPGP Web of Trust, then you can verify our others keys as they are all certified by the Tails signing key.

Signing key

Purpose

This key only has the capability to sign and certify: it has no encryption subkey.

Its only purpose is:

  • To sign Tails released images

  • To certify other cryptographic public keys needed for Tails development

Policy

The secret key material will never be stored on an online server or on systems managed by anyone other than Tails core developers.

Primary key

  • Is not owned in a usable format by any single individual. It is split cryptographically using gfshare.

  • Is only used offline, in an air-gapped Tails only communicating with the outside world through:

    • Plugging the Tails flash media in another operating system to install Tails in the first place.

    • Plugging other removable media in the air-gapped Tails to send the public key, secret key stubs, parts of the secret master key, and so on to the outside world.

    • Plugging other removable media in the air-gapped Tails to receive Debian packages, public keys, and so on from the outside world.

  • Expires in less than one year. We will extend its validity as many times as we find reasonable.

  • Has a revocation certificate split amongst different people. See the details of the mechanism.

Signing subkeys

  • Stored on OpenPGP smartcards owned by those who need them. Smartcards ensure that the cryptographic operations are done on the smartcard itself and that the secret cryptographic material is not directly available to the operating system using it.

  • Expiration date: same as the primary key.

Key details

pub   rsa4096/0xDBB802B258ACD84F 2015-01-18 [C] [expires: 2026-01-13]
      Key fingerprint = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
uid           [  full  ] Tails developers (offline long-term identity key) <tails@boum.org>
uid           [  full  ] Tails developers <tails@boum.org>
sub   rsa4096/0xD21DAD38AF281C0B 2017-08-28 [S] [expires: 2025-01-25]
sub   ed25519/0x90B2B4BD7AED235F 2017-08-28 [S] [expires: 2025-01-25]
sub   rsa4096/0x7BFBD2B902EE13D0 2021-10-14 [S] [expires: 2025-01-25]
sub   rsa4096/0xE5DBA2E186D5BAFC 2023-10-03 [S] [expires: 2025-01-25]
sub   ed25519/0x8E9567D327792707 2024-05-23 [S] [expires: 2026-01-13]
sub   ed25519/0xFE2C600D5BB759B5 2024-05-23 [S] [expires: 2026-01-13]
sub   ed25519/0xC69FF0E4C08F8209 2024-05-23 [S] [expires: 2026-01-13]
sub   ed25519/0xBC8BD3DAC9CD2979 2024-05-23 [S] [expires: 2026-01-13]

How to get the public key?

To get this OpenPGP public key, download it from this website: tails-signing.key.

If you already have Tails signing key but download it again, it can update the list of existing signatures of the key.

User support key

Purpose

Encryption

Policy

The secret key material and its passphrase are stored on the server that runs our encrypted mailing list software and on systems managed by core Tails developers.

Key details

pub   rsa4096 2013-07-24 [SC] [expires: 2025-11-07]
      1F56EDD30741048035DAC1C5EC57B56EF0C43132
uid           [  full  ] Tails bug squad <tails-bugs@boum.org>
uid           [  full  ] Tails bug squad (schleuder list) <tails-bugs-owner@boum.org>
uid           [  full  ] Tails private user support <tails-support-private@boum.org>
uid           [  full  ] Tails bug squad (schleuder list) <tails-bugs-request@boum.org>
uid           [ unknown] Tails user support <support@tails.net>
sub   rsa4096 2013-07-24 [E] [expires: 2025-11-07]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

  • Download it from this website: tails-bugs.key.

  • Fetch it from your favourite key server.

Press team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-30 [SC]
      C54B2D6C229607035EECE4D83114691BD78DF1ED
uid           [ unknown] press@tails.net <press@tails.net>
uid           [ unknown] press@tails.net <press-request@tails.net>
uid           [ unknown] press@tails.net <press-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Board key

Purpose

Encryption

  • Use this key to encrypt private emails sent to the Board.

Key details

pub   rsa4096 2024-04-30 [SC]
      2DC4FED9D88C30D95A92675788E24FE2064F1511
uid           [ unknown] board@tails.net <board@tails.net>
uid           [ unknown] board@tails.net <board-request@tails.net>
uid           [ unknown] board@tails.net <board-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Accounting team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-30 [SC]
      EC58494A6333D0384DD5744DA38F0F6E9A0A234E
uid           [ unknown] accounting@tails.net <accounting@tails.net>
uid           [ unknown] accounting@tails.net <accounting-request@tails.net>
uid           [ unknown] accounting@tails.net <accounting-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Fundraising team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-30 [SC]
      DA1C7908D1C0DC9EAA5915BC3A5B5685A641297B
uid           [ unknown] fundraising@tails.net <fundraising@tails.net>
uid           [ unknown] fundraising@tails.net <fundraising-request@tails.net>
uid           [ unknown] fundraising@tails.net <fundraising-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Foundations team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-30 [SC]
      621609457A166C993245FFCA5F6B02630DDDE331
uid           [ unknown] foundations@tails.net <foundations@tails.net>
uid           [ unknown] foundations@tails.net <foundations-request@tails.net>
uid           [ unknown] foundations@tails.net <foundations-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Sysadmins team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-26 [SC]
      0082D4D63B722D1FA27518A5C8F12D2B1AE1CB26
uid           [ unknown] sysadmins@tails.net <sysadmins@tails.net>
uid           [ unknown] sysadmins@tails.net <sysadmins-request@tails.net>
uid           [ unknown] sysadmins@tails.net <sysadmins-owner@tails.net>
sub   rsa4096 2024-04-26 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key:

Translation platform admins team key

Purpose

Encryption

Key details

pub   rsa4096 2024-04-30 [SC]
      EFECA896F429B066B83E0266B702FE73C485A41D
uid           [ unknown] weblate@tails.net <weblate@tails.net>
uid           [ unknown] weblate@tails.net <weblate-request@tails.net>
uid           [ unknown] weblate@tails.net <weblate-owner@tails.net>
sub   rsa4096 2024-04-30 [E]

How to get the public key?

There are multiple ways to get this OpenPGP public key: