Secure node state storage

Tailscale node state contains node keys and other sensitive data necessary for identifying the device to your Tailscale network (known as a tailnet) and for encrypting and decrypting traffic to other devices on the tailnet. This document provides instructions on how to configure Tailscale to encrypt this node state.

Secure node state storage is available for all plans.

Why it matters

Enabling secure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using platform-specific capabilities, Tailscale ensures node state is encrypted at rest, making theft from disk and node cloning harder.

Platform support

Secure node state storage implementations vary by platform and Tailscale client version.

Platform	Implementation	Version support
Android	EncryptedSharedPreferences	All versions
Linux	Trusted Platform Module (TPM)	Tailscale v1.86 and later
macOS/iOS/tvOS from Mac App Store	Keychain	All versions
macOS standalone	Keychain	Tailscale v1.86 and later
Windows	TPM	Tailscale v1.86 and later

Prerequisites

Refer to platform support for the minimum required Tailscale version for your client platforms.
On Linux and Windows, your device must have a functioning TPM 2.0 device.

If secure node state storage is enabled on a Linux or Windows device without TPM 2.0 support, Tailscale will fail to start.
Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.

Last updated Aug 8, 2025

Secure node state storage

Why it matters

Platform support

Prerequisites

Configure secure node state storage

Android

Linux

macOS/iOS/tvOS (from Mac App Store)

macOS standalone

Windows

Disabling secure node state storage

Device posture attribute

Limitations