Secure node state storage

Tailscale node state contains node keys and other sensitive data necessary for identifying the device to your Tailscale network (known as a tailnet) and for encrypting and decrypting traffic to other devices on the tailnet. This document covers how Tailscale encrypts the node state and how to opt out.

Secure node state storage is available for all plans.

Why it matters

Secure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using platform-specific capabilities, Tailscale ensures node state encrypts at rest, making theft from disk and node cloning more difficult.

Platform support

Secure node state storage implementations vary by platform and Tailscale client version.

Platform	Implementation	Version support
Android	EncryptedSharedPreferences	All versions
Linux	Trusted Platform Module (TPM)	Tailscale v1.86 and later
macOS/iOS/tvOS from Mac App Store	Keychain	All versions
macOS standalone	Keychain	Tailscale v1.86 and later
Windows	TPM	Tailscale v1.86 and later

Prerequisites

Refer to platform support for the minimum required Tailscale version for your client platforms.
On Linux and Windows, your device must have a functioning TPM 2.0 device.

If secure node state storage is explicitly enabled on a Linux or Windows device without TPM 2.0 support, Tailscale will fail to start. If not configured explicitly, node state will not be encrypted on devices without TPM 2.0 support, and Tailscale will run normally.
Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.

Last updated

Secure node state storage

Why it matters

Platform support

Prerequisites

Configure secure node state storage

Android

Linux

macOS/iOS/tvOS (from Mac App Store)

macOS standalone

Windows

Disabling secure node state storage

Device posture attribute

Limitations