Secure node state storage

Tailscale node state contains node keys and other sensitive data necessary for identifying the device to your Tailscale network (known as a tailnet) and for encrypting and decrypting traffic to other devices on the tailnet. This document provides instructions on how to configure Tailscale to encrypt this node state.

Secure node state storage is available for all plans.

Why it matters

Enabling secure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using platform-specific capabilities, Tailscale ensures node state is encrypted at rest, making theft from disk and node cloning harder.

Platform support

Secure node state storage implementations vary by platform and Tailscale client version.

Platform                             Implementation                   Version support
Android                              EncryptedSharedPreferences       All versions
Linux                                Trusted Platform Module (TPM)    Tailscale v1.86 and later
macOS/iOS/tvOS from Mac App Store    Keychain                         All versions
macOS standalone                     Keychain                         Tailscale v1.86 and later
Windows                              TPM                              Tailscale v1.86 and later

Prerequisites

  • Refer to platform support for the minimum required Tailscale version for your client platforms.
  • On Linux and Windows, your device must have a functioning TPM 2.0 device.

Configure secure node state storage

Configuration of node state storage differs by platform.

Android

Secure node state storage is enabled by default and does not require extra configuration.

Linux

Enable secure node state storage by passing the --encrypt-state flag to tailscaled. Apply the changes by restarting tailscaled.
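The following script is an added example and is not part of the Tailscale documentation or the Tailscale project. It carries out the Linux procedure above on a systemd-based host and first checks the TPM 2.0 prerequisite, since tailscaled fails to start when --encrypt-state is set and no TPM 2.0 is available. Two things it relies on are assumptions, not statements from this page: that the packaged tailscaled.service reads extra daemon flags from a FLAGS= line in /etc/default/tailscaled, and that the kernel exposes the TPM under /sys/class/tpm/tpm0. Verify both against your distribution's unit file before applying.

```shell
#!/bin/sh
# Added example (not Tailscale's own code): turn on tailscaled --encrypt-state
# on a systemd-based Linux host, gated on the TPM 2.0 prerequisite.
#
# Assumed (not on the documentation page): tailscaled.service expands $FLAGS
# from /etc/default/tailscaled, and the TPM appears under /sys/class/tpm/tpm0.
# Both paths can be overridden through the environment for other layouts.

TPM_SYSFS="${TPM_SYSFS:-/sys/class/tpm/tpm0}"
DEFAULTS_FILE="${DEFAULTS_FILE:-/etc/default/tailscaled}"

# tpm2_present DIR: succeed only if DIR describes a TPM whose major version is 2.
# Without this, --encrypt-state would leave tailscaled unable to start.
tpm2_present() {
  [ -r "$1/tpm_version_major" ] && [ "$(cat "$1/tpm_version_major")" = "2" ]
}

# add_encrypt_state LINE: print the FLAGS= assignment with --encrypt-state
# added exactly once, keeping any flags that are already there. LINE may be
# empty when the file has no FLAGS= line yet.
add_encrypt_state() {
  q='"'
  case "$1" in
    *--encrypt-state*)     printf '%s\n' "$1" ;;                            # already set: idempotent
    FLAGS=|FLAGS=\"\")     printf 'FLAGS="--encrypt-state"\n' ;;            # empty value
    FLAGS=\"*\")           printf '%s --encrypt-state"\n' "${1%$q}" ;;      # append inside the quotes
    FLAGS=*)               printf 'FLAGS="%s --encrypt-state"\n' "${1#FLAGS=}" ;;  # unquoted value
    *)                     printf 'FLAGS="--encrypt-state"\n' ;;            # no FLAGS line at all
  esac
}

# rewrite_defaults FILE: replace (or add) the FLAGS= line in FILE, leaving the
# other settings in the file untouched. Creates FILE if it does not exist.
rewrite_defaults() {
  file="$1"
  tmp="$(mktemp)"
  current="$(grep '^FLAGS=' "$file" 2>/dev/null || true)"
  grep -v '^FLAGS=' "$file" > "$tmp" 2>/dev/null || true
  add_encrypt_state "$current" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# enable_encrypt_state: the documented procedure (pass the flag, restart the
# daemon), refusing to proceed when the TPM 2.0 prerequisite is not met.
# Needs root for the defaults file and the restart.
enable_encrypt_state() {
  if ! tpm2_present "$TPM_SYSFS"; then
    echo "no TPM 2.0 under $TPM_SYSFS; tailscaled would fail to start with --encrypt-state" >&2
    return 1
  fi
  rewrite_defaults "$DEFAULTS_FILE"
  systemctl restart tailscaled
  # Confirm the flag actually reached the running daemon's command line.
  pgrep -a tailscaled | grep -q -- '--encrypt-state'
}

# Only apply when invoked as `sh enable-encrypt-state.sh apply`; loading the
# file for its functions alone has no side effects.
if [ "${1:-}" = "apply" ]; then
  enable_encrypt_state
fi
```

Run it as root with the argument apply. The flag editing is idempotent, so re-running the script on a host that already has --encrypt-state in FLAGS changes nothing and simply restarts the daemon.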

macOS/iOS/tvOS (from Mac App Store)

Secure node state storage is enabled by default and does not require extra configuration.

macOS standalone

Enable secure node state storage by setting the EncryptState system policy. Apply the changes by restarting tailscaled. Refer to Deploy Tailscale on macOS using MDM for how to configure this on macOS.

Windows

Enable secure node state storage by setting the EncryptState system policy. Apply the changes by restarting tailscaled. Refer to Deploy Tailscale on Windows using MDM for how to configure this on Windows.

Disabling secure node state storage

On supported platforms, disabling secure node state storage will migrate encrypted state to the prior plaintext format.

Device posture attribute

Devices have a node:tsStateEncrypted device posture attribute indicating whether the Tailscale node state is encrypted.

Limitations

  • If secure node state storage is enabled on a Linux or Windows device without TPM 2.0 support, Tailscale will fail to start.
  • Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.

Last updated Aug 8, 2025