Encrypting data at rest, one OS at a time
Blog post from Tailscale
Starting with version 1.86, the Tailscale client can encrypt its state file while it is stored on disk, making it harder for an attacker to clone a node or alter the client's settings. The encryption is aimed at protecting the private keys that identify the node and authenticate it to the coordination server.

The threat model is an attacker with root-level read access to the filesystem. It does not cover an attacker who can read the client's process memory or execute code as root, since such an attacker can obtain the keys after they have been decrypted.

Each operating system uses its own key-protection mechanism: Windows and Linux use the TPM, Apple devices use Keychain, and Android uses EncryptedSharedPreferences. State files on Apple and Android have always been encrypted. On the standalone macOS variant and on Windows and Linux, state encryption ships as an optional "Alpha" feature that is not enabled by default, because Tailscale wants user feedback before a full rollout. Users can enable it manually on those platforms, and Tailscale plans to make it the default in a future release if no major issues arise.
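The threat-model distinction above (filesystem read access is covered, process memory is not) is easiest to see with a small envelope-encryption model. The Go program below is an added example written for this page; it is not Tailscale's code and does not use a real TPM or Keychain. It stands in for the platform key store with an in-memory wrapping key, encrypts a constructed state blob under a fresh data key, wraps that data key with the key store, and then checks that the bytes that would land on disk never contain the plaintext private key. The `keyStore` type, its `seal`/`unseal` methods and the JSON-like sample state are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyStore stands in for a platform key store (TPM, Keychain, etc.).
// Constructed for this example: a real store would never expose kek.
type keyStore struct{ kek []byte }

func newKeyStore() (*keyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &keyStore{kek: kek}, nil
}

// seal wraps a data key so that only this key store can unwrap it.
func (ks *keyStore) seal(dek []byte) ([]byte, error) { return aeadEncrypt(ks.kek, dek) }

// unseal recovers a data key previously wrapped by seal.
func (ks *keyStore) unseal(wrapped []byte) ([]byte, error) { return aeadDecrypt(ks.kek, wrapped) }

// aeadEncrypt returns nonce || AES-256-GCM(key, plaintext).
func aeadEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadDecrypt reverses aeadEncrypt and fails on any tampering or wrong key.
func aeadDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// EncryptedState is the on-disk layout: the wrapped data key and the
// state encrypted under that data key. Neither field reveals the state.
type EncryptedState struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptState generates a fresh data key, encrypts the state with it,
// and wraps the data key with the platform key store.
func EncryptState(ks *keyStore, state []byte) (*EncryptedState, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := ks.seal(dek)
	if err != nil {
		return nil, err
	}
	ct, err := aeadEncrypt(dek, state)
	if err != nil {
		return nil, err
	}
	return &EncryptedState{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptState needs the same key store: a copied file on another machine
// (or a different key store) cannot unwrap the data key.
func DecryptState(ks *keyStore, es *EncryptedState) ([]byte, error) {
	dek, err := ks.unseal(es.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadDecrypt(dek, es.Ciphertext)
}

// OnDiskLeaksSecret models the filesystem-read attacker: does the stored
// blob contain the secret in the clear?
func OnDiskLeaksSecret(es *EncryptedState, secret []byte) bool {
	return bytes.Contains(es.WrappedDEK, secret) || bytes.Contains(es.Ciphertext, secret)
}

func main() {
	ks, _ := newKeyStore()
	secret := []byte("CONSTRUCTED-PRIVATE-KEY-0001") // constructed sample, not a real key
	state := append([]byte(`{"privateKey":"`), append(secret, []byte(`"}`)...)...)
	es, _ := EncryptState(ks, state)
	fmt.Println("plaintext key visible on disk:", OnDiskLeaksSecret(es, secret))
	back, _ := DecryptState(ks, es)
	fmt.Println("round trip ok:", bytes.Equal(back, state))
}
```

The example also makes the limit of the protection visible: `DecryptState` returns the plaintext state to the running process, so anyone who can read that process's memory gets the same bytes, which is exactly why the page scopes the feature to filesystem access only.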