Those issues are a surprising read. I would expect issues with TPM on old or niche devices, but not Dell XPS laptops, or a variety of VMs. But I guess I'm not entirely sure how my vms handle TPM state, or if they even can.

I'm running nearly all of my personal tailscale instances in containers and VMs. Looking now at the dashboard, it appears this feature really only encrypted things on my primary linux and windows pc, my iphone, and my main linux server's host. None of the VMs+containers i use were able to take advantage of this, nor was my laptop. Although my laptop might be too old.

That's an eminently reasonable and logical policy. Thanks for the context.

@cronos

Question:

You link to https://github.com/tailscale/tailscale/issues/17654 where a user states[1]:

"Previous workaround from some comments (TS_ENCRYPT_STATE=false, FLAGS="--encrypt-state=false") didn't help on this problematic Debian 13 host"

And the same user states "I confirm this issue is NOT found anymore with tailscale version 1.92.1".

Could you provide a little extra context to clarify those types of comments which seem to suggest it wasn't state encryption after all ?

[1] https://github.com/tailscale/tailscale/issues/17654#issuecom...

I too thought that the TPM was something to be trusted with a secret until a BIOS upgrade just wiped mine. I'm not relying on TPM again.

Thank you for your openness here - and yes, it would be nice to see this kind of reasoning in the changelog, even if it's tucked a little out of the way! Those of us who care will read it.

Also very welcome is to separate it into a small blogpost providing details, if the situation warrants a longer, more detailed format.

Thanks! In your change https://github.com/tailscale/tailscale/pull/18336 you mention:

> There's also tailscaled-on-macOS, but it won't have a TPM or Keychain bindings anyway.

Do you mean that on macOS, tailscaled does not and has never leveraged equivalent hardware-attestation functionality from the SEP? (Assuming such functionality is available)

A BIOS update to my PC reset the TPM only this week. I did get a warning that Bitlocker keys would be wiped as a result before acting at least.

(I believe this was because it was fixing an AMD TPM exploit - presumably updating the TPM code wipes the TPM storage either deliberately or as an inevitable side effect.)

Coincidentally this was a feature unknown to me until I performed a SSD migration from one server to another and Tailscale failed to connect because ("of course!" in hindsight) it failed to decrypt whatever.

So not a TPM failure but certainly a gotcha! moment; luckily I had a fallback method to connect to the machine, otherwise in the particular situation I was in I would have been very sorry.

The "whoever needs this will enable it" + support angle makes total sense.

So this is only disabled on platforms that use a TPM, e.g. Linux and Windows? What about Mac OS?

i just started using tailscale and responses like this make me believe in the product. awesome!

Did you rely on the Google go tpm lib for that?

Your suspicion is correct. I have an AMD AM5 motherboard, and everytime I update it's BIOS it warns me that the fTPM will be reset, and I know it does so because afterwards Bitlocker prompts me to introduce the recovery key since it can't unlock the drive anymore.

Does this mean TS is not FIPS 140-3 now?

Thank you for explaining that context!