webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

cmd/tailscaled: default --encrypt-state to true if TPM is available (#17376)

Browse Source 
Whenever running on a platform that has a TPM (and tailscaled can access
it), default to encrypting the state. The user can still explicitly set
this flag to disable encryption.

Updates https://github.com/tailscale/corp/issues/32909

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2025-10-01 20:18:58 -07:00
committed by GitHub
parent 78af49dd1a
commit cca70ddbfc
7 changed files with 65 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/ipnlocal/local.go
+1 -5
View File
@@ -7559,11 +7559,7 @@ func (b *LocalBackend) stateEncrypted() opt.Bool {
case version.IsMacAppStore():
return opt.NewBool(true)
case version.IsMacSysExt():
// MacSys still stores its state in plaintext on disk in addition to
// the Keychain. A future release will clean up the on-disk state
// files.
// TODO(#15830): always return true here once MacSys is fully migrated.
sp, _ := b.polc.GetBoolean(pkey.EncryptState, false)
sp, _ := b.polc.GetBoolean(pkey.EncryptState, true)
return opt.NewBool(sp)
default:
// Probably self-compiled tailscaled, we don't use the Keychain