cmd/tailscaled: default --encrypt-state to true if TPM is available (#17376)

Whenever running on a platform that has a TPM (and tailscaled can access it), default to encrypting the state. The user can still explicitly set this flag to disable encryption. Updates https://github.com/tailscale/corp/issues/32909 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-10-28 05:00:08 +00:00 · 2025-10-01 20:18:58 -07:00
parent 78af49dd1a
commit cca70ddbfc
7 changed files with 65 additions and 20 deletions
--- a/util/syspolicy/pkey/pkey.go
+++ b/util/syspolicy/pkey/pkey.go
@@ -136,7 +136,9 @@ const (
 	FlushDNSOnSessionUnlock Key = "FlushDNSOnSessionUnlock"

 	// EncryptState is a boolean setting that specifies whether to encrypt the
-	// tailscaled state file with a TPM device.
+	// tailscaled state file.
+	// Windows and Linux use a TPM device, Apple uses the Keychain.
+	// It's a noop on other platforms.
 	EncryptState Key = "EncryptState"

 	// PostureChecking indicates if posture checking is enabled and the client shall gather