Secure node state storage
Tailscale node state contains node keys and other sensitive data necessary for identifying the device to your Tailscale network (known as a tailnet) and for encrypting and decrypting traffic to other devices on the tailnet. This document provides instructions on how to configure Tailscale to encrypt this node state.
Why it matters
Enabling secure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using platform-specific capabilities, Tailscale ensures node state is encrypted at rest, making theft from disk and node cloning harder.
Platform support
Secure node state storage implementations vary by platform and Tailscale client version.
| Platform | Implementation | Version support |
|---|---|---|
| Android | EncryptedSharedPreferences | All versions |
| Linux | Trusted Platform Module (TPM) | Tailscale v1.86 and later |
| macOS/iOS/tvOS from Mac App Store | Keychain | All versions |
| macOS standalone | Keychain | Tailscale v1.86 and later |
| Windows | TPM | Tailscale v1.86 and later |
Prerequisites
- Refer to platform support for the minimum required Tailscale version for your client platforms.
- On Linux and Windows, your device must have a functioning TPM 2.0 device.
Configure secure node state storage
Configuration of node state storage differs by platform.
Android
Secure node state storage is enabled by default and does not require extra configuration.
Linux
Enable secure node state storage by passing the --encrypt-state flag to tailscaled. Apply the changes by restarting tailscaled.
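As an added example (not Tailscale's own tooling), the following POSIX shell script applies the Linux step above on a Debian/Ubuntu-style install: it checks for a TPM 2.0 device node, adds --encrypt-state to the FLAGS variable that the packaged tailscaled.service reads from /etc/default/tailscaled, and restarts tailscaled. The env file path and the /dev/tpmrm0 and /dev/tpm0 device names are assumptions.

```shell
#!/bin/sh
# Added example, not Tailscale's own tooling. Enables --encrypt-state for
# tailscaled on a Debian/Ubuntu-style install, where the systemd unit reads
# extra flags from FLAGS="..." in /etc/default/tailscaled (assumed path).
# The TPM check looks for the kernel's /dev/tpmrm0 or /dev/tpm0 node
# (assumed device names); without a TPM 2.0, tailscaled refuses to start.

# Return 0 when a TPM device node exists under the given /dev directory.
tpm_present() {
    dev="${1:-/dev}"
    [ -e "$dev/tpmrm0" ] || [ -e "$dev/tpm0" ]
}

# Add --encrypt-state to the FLAGS="..." line of an env file, idempotently.
# Files without a FLAGS line get one appended; existing flags are kept.
add_encrypt_state_flag() {
    file="$1"
    if grep -q -- '--encrypt-state' "$file" 2>/dev/null; then
        return 0                      # already enabled, nothing to do
    fi
    if grep -q '^FLAGS=' "$file" 2>/dev/null; then
        tmp="$file.tmp"
        # Empty FLAGS gets the flag alone; otherwise append after a space.
        sed -e 's/^FLAGS=""$/FLAGS="--encrypt-state"/' -e 't' \
            -e 's/^FLAGS="\(.*\)"$/FLAGS="\1 --encrypt-state"/' "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf 'FLAGS="--encrypt-state"\n' >> "$file"
    fi
}

# Print the flag string tailscaled would receive, for a post-edit check.
current_flags() {
    sed -n 's/^FLAGS="\(.*\)"$/\1/p' "$1"
}

apply() {
    if ! tpm_present; then
        echo "no TPM 2.0 device node found; not enabling --encrypt-state" >&2
        return 1
    fi
    add_encrypt_state_flag /etc/default/tailscaled
    echo "tailscaled FLAGS: $(current_flags /etc/default/tailscaled)"
    systemctl restart tailscaled      # the page's final step: restart tailscaled
}

# Only touch the live system when explicitly asked: sh enable-encrypt-state.sh --apply
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Running the script without --apply only defines the functions, so the edit and restart happen only on an explicit request.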
macOS/iOS/tvOS (from Mac App Store)
Secure node state storage is enabled by default and does not require extra configuration.
macOS standalone
Enable secure node state storage by setting the EncryptState system policy. Apply the changes by restarting tailscaled. Refer to Deploy Tailscale on macOS using MDM for how to configure this on macOS.
Windows
Enable secure node state storage by setting the EncryptState system policy. Apply the changes by restarting tailscaled. Refer to Deploy Tailscale on Windows using MDM for how to configure this on Windows.
Disabling secure node state storage
On supported platforms, disabling secure node state storage will migrate encrypted state to the prior plaintext format.
Device posture attribute
Devices have a node:tsStateEncrypted device posture attribute indicating whether the Tailscale node state is encrypted.
Limitations
- If secure node state storage is enabled on a Linux or Windows device without TPM 2.0 support, Tailscale will fail to start.
- Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.