Tailscale uses WireGuard to enable encrypted connections between machines. With Tailscale, private encryption keys are fully managed by clients, and the coordination server is only used to distribute public encryption keys.
Using Tailscale means you never have to manage encryption keys directly. Keys are set to automatically expire and must be regenerated at regular intervals. For long-lived cloud servers and other IoT devices, you may disable key expiry from the admin console.