For Windows Host Operating Systems
balenaEtcher has the best usability. It flashes, validates, and has a nice target selection screen which is updated instantly when a new device is connected. It has been reported to be compatible with the {{project_name_long}} ISO on the Windows and Linux platforms. No reports for macOS yet.
There are no extraneous options that easily confuse users. However, balenaEtcher comes with issues.
|quote=For Windows and macOS, we instruct people to use balenaEtcher to copy the USB image onto their USB stick. On top of this, we self-host the downloads of balenaEtcher on our own infrastructure. The https://gitlab.tails.boum.org/tails/etcher-binary repository is added as an ikiwiki underlay on our website.
We self-host a copy of balenaEtcher because:
* It gives us more predictability on what users end up doing. This is useful in terms of Help Desk.
* It prevents 3rd parties from learning a bit more about who uses Tails. Pointing to GitHub from our website would provide direct referrers to GitHub (and maybe Balena too) about who is using balenaEtcher to install Tails.
* It prevents GitHub from serving rogue downloads (targeted or not). We might still get a rogue download ourselves but:
** We download balenaEtcher several times from different locations to prevent targeted attacks.
** We download balenaEtcher in a limited time window, which might save our users some supply chain issues. If our users were to download balenaEtcher every time, a short-time supply chain attack would definitely affect some of them.
|context=[https://tails.net/contribute/design/installation_instructions/#index6h1 Tails installation instructions]
|quote=Etcher is an Electron app, i.e. essentially a glorified webapp wrapped
in a window; this is a rather common way to build a cross-platform app
these days. Its GUI is made of HTML + JS. Some of it is shipped in the
app itself, some of it is dynamically fetched from balena.io at run
time. So we clearly can’t even try to protect against “Balena knows that
someone is using Etcher from $IP”. I did not check whether the web
content retrieved at run time can inject arbitrary JS which could itself
The <code>analytics</code> module fetches its config over plaintext HTTP (and is
then redirected to HTTPS but that’s too late). It uses mixpanel.com. I’m
not sure I understood the code correctly but at first glance it seems
that at least errors (and possibly more) will be reported there. So
basically, an active MitM could have users report to a URL chosen by
the attacker. “Interesting”.
Some of the outgoing HTTP requests include the Etcher version as a
parameter. External modules, which I did not inspect, are used to
The ads seem to be fetched from
https://assets.balena.io/etcher-featured/index.html. I did not try to
decipher the obfuscated/minified JS found there but at the very least,
it seems to report to Google Analytics.
I’m stopping here. tl;dr is: Etcher is definitely not behaving as one
would expect a privacy-friendly local app would. It’s behaving more like
any random modern website, including all kinds of tracking technologies.
Fixing this would require major changes so that’s unlikely to happen.
It’s non-trivial to check whether the code reports to Balena or random
third parties (such as Google, Mixpanel) what image is being installed;
and even if we did this audit work now, our results would be invalidated
by every new Etcher release. So it seems we have two options:
|context=[https://gitlab.tails.boum.org/tails/tails/-/issues/16381 intrigeri, Tails developer]
|quote=After adding MitM to my packet sniffing I can confirm gameindustry's findings that balenaEtcher exfiltrates very sensitive information. For instance, the filename of the image will let Balena know that the user is flashing Tails, full details: [https://gitlab.tails.boum.org/tails/tails/uploads/2bdaec1725d89ededc786212ee768bd3/exfil.json exfil.json]. It also exfiltrates tons of information about the host system to sentry.io, an "app monitoring service", definitely making it uniquely identifiable.
Disabling the telemetry in its configuration indeed does stop it from exfiltrating the <code>exfil.json</code> from above, but it doesn't do anything about the data sent to sentry.io, which includes the image name, so there is no way to configure balenaEtcher to not leak that Tails is being flashed.
The good UX of balenaEtcher is not worth this.
|context=[https://gitlab.tails.boum.org/tails/tails/-/issues/16381 anonym, Tails developer]
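The behaviours reported in the quotes above (a plaintext HTTP fetch, traffic to third-party analytics services, and the image filename appearing in outgoing data) can be checked for in an intercepting-proxy export. The following is an added example, not code from this wiki, Tails or balena; the flow format, paths, bodies, the image name and the `google-analytics.com` hostname are assumptions, and only the service names come from the quoted reports.

```python
from urllib.parse import urlsplit, unquote

# Services named in the quoted reports. "google-analytics.com" is the assumed
# hostname behind "Google Analytics".
TRACKER_DOMAINS = ("balena.io", "mixpanel.com", "sentry.io", "google-analytics.com")

# Constructed sample flows: METHOD <tab> URL <tab> BODY. Paths, versions and
# bodies are made up; only the service domains come from the reports.
SAMPLE_FLOWS = "\n".join([
    "GET\thttp://balena.io/constructed/analytics-config.json\t",
    'POST\thttps://api.mixpanel.com/constructed/track\t{"event":"error"}',
    'POST\thttps://ingest.sentry.io/constructed/store\t{"image":"tails-amd64-0.0.img","os":"win32"}',
    "GET\thttps://assets.balena.io/etcher-featured/index.html?version=0.0.0\t",
    "GET\thttps://www.google-analytics.com/constructed/collect?dp=%2Fetcher\t",
    "GET\thttps://example.org/index.html\t",
])


def is_tracker(host):
    """True if host is a listed tracker domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def audit_flows(text, image_name):
    """Classify each flow; return (host, sorted findings) for flagged flows."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _method, url, body = (line.split("\t") + ["", ""])[:3]
        parts = urlsplit(url)
        host = parts.hostname or ""          # hostname is already lower-cased
        findings = set()
        if parts.scheme == "http":
            findings.add("plaintext-http")   # open to an active MitM
        if is_tracker(host):
            findings.add("third-party-telemetry")
        haystack = (unquote(url) + " " + body).lower()
        if image_name.lower() in haystack:
            findings.add("image-name-leak")  # reveals what is being flashed
        if findings:
            report.append((host, sorted(findings)))
    return report


if __name__ == "__main__":
    for host, findings in audit_flows(SAMPLE_FLOWS, "tails-amd64-0.0.img"):
        print(f"{host:28} {', '.join(findings)}")
```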
The telemetry issue is known to balena, the developer of Etcher, as per the GitHub issues [https://github.com/balena-io/etcher/issues/3784 Telemetry should be opt-in] and [https://github.com/balena-io/etcher/issues/2977 Etcher secretly spies on the user without consent.] However, balena closed the tickets and no changes have been made.
This has resulted in bad press for Tails.
What I wonder about, in the context of Tails, an operating system focused on privacy and security, is why the providers of the Tails Foundation suggest BalenaEtcher as the primary program for creating images of the operating system on their own website. It is absolutely incomprehensible and not only negligent but also contradicts any understanding of security and data privacy.
The Tails Foundation has been contacted in this regard and has been approached for comment.
|context=[https://www.gameindustry.eu/reviews/balenaetcher/ GameIndustry BalenaEtcher Review and Privacy Analysis]
* https://forums.kicksecure.com/t/microsoft-windows-iso-writer-documentation-write-kicksecure-iso-to-usb-balenaetcher-issues/434
* https://forum.torproject.org/t/nature-of-etcher-portable-is-it-safe-a-current-version-doesn-t-start-right/9233
<s>Therefore {{project_name_short}} [[ISO]] installation instructions do not use balenaEtcher and instead suggest using [https://apps.kde.org/en-gb/isoimagewriter/ KDE ISO Image Writer].</s> <ref>
The KDE project is huge and has a long, positive history. KDE ISO Image Writer does not have a history of privacy intrusions. No negative information about KDE ISO Image Writer could be found.
It is not used due to known issues: [[Troubleshooting#KDE_ISO_Image_Writer|KDE ISO Image Writer]]
From Microsoft Windows Software Store
If there were an ISO to USB image writer available from [https://apps.microsoft.com/ Microsoft Windows Software Store], then using that might be more secure. That is because all software from the Windows Store comes with digital signatures which are verified prior to installation, similar to Linux software package managers such as Debian's APT.
* Only compatible with Windows-based ISOs but not Linux distributions.
* Proprietary. (This might be OK since Windows itself is proprietary.)
Should you be able to find an ISO to USB writer tool in the Windows Store that is compatible with Linux distributions, is free in price, and has a simple interface, please contribute by letting us know in the forums.
[https://apps.microsoft.com/detail/9pc3h3v7q9ch Rufus is available from the Windows Store], but the author of this wiki page didn't check if this is the original Rufus. Also, Rufus has been disregarded because its graphical user interface is too complicated for users to use. There are some other [https://apps.microsoft.com/search?query=bootable+USB bootable USB search results]. From what the author has seen, many tools are not suitable.
Freeware. Non-freedom software. Appears straightforward in usage.
It is not advisable to recommend replacing balenaEtcher (Open Source, [[#balenaEtcher|with known privacy concerns]]) with the closed-source ImageUSB. The latter might have similar issues, but these have not been scrutinized and are more challenging to assess due to its closed-source nature.
* https://gitlab.com/bztsrc/usbimager
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005378
Functional. Has usability issues.