{"slug":"secure-node-state-storage","title":"Secure node state storage","tags":["tailscale"],"agent_summary":"Last validated: Jan 12, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Secure node state storage\r\n\r\nLast validated: Jan 12, 2026\r\n\r\nTailscale node state contains [node keys](https://tailscale.com/docs/concepts/node-keys) and other sensitive data necessary for identifying the device to your Tailscale network (known as a [tailnet](https://tailscale.com/docs/concepts/tailnet)) and for encrypting and decrypting traffic to other devices on the tailnet. This document covers how to configure Tailscale to encrypt the node state.\r\n\r\nSecure node state storageis available for [all plans](https://tailscale.com/pricing).\r\n\r\n## [Why it matters](https://tailscale.com/docs/features/secure-node-state-storage\\#why-it-matters)\r\n\r\nSecure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using [platform-specific](https://tailscale.com/docs/features/secure-node-state-storage#platform-support) capabilities, Tailscale ensures node state encrypts at rest, making theft from disk and node cloning more difficult.\r\n\r\n## [Platform support](https://tailscale.com/docs/features/secure-node-state-storage\\#platform-support)\r\n\r\nSecure node state storage implementations vary by platform and Tailscale client version.\r\n\r\n| **Platform** | **Implementation** | **Version support** |\r\n| --- | --- | --- |\r\n| Android | [EncryptedSharedPreferences](https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences) | All versions |\r\n| Linux | Trusted Platform Module (TPM) | Tailscale [v1.86](https://tailscale.com/changelog#2025-07-24) and later |\r\n| macOS/iOS/tvOS from Mac App Store | [Keychain](https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac) | All versions |\r\n| [macOS standalone](https://tailscale.com/docs/concepts/macos-variants#standalone-variant) | [Keychain](https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac) | Tailscale [v1.86](https://tailscale.com/changelog#2025-07-24) and later |\r\n| Windows | TPM | Tailscale [v1.86](https://tailscale.com/changelog#2025-07-24) and later |\r\n\r\n## [Prerequisites](https://tailscale.com/docs/features/secure-node-state-storage\\#prerequisites)\r\n\r\n- Refer to [platform support](https://tailscale.com/docs/features/secure-node-state-storage#platform-support) for the minimum required Tailscale version for your client platforms.\r\n- On Linux and Windows, your device must have a functioning TPM 2.0 device.\r\n\r\n## [Configure secure node state storage](https://tailscale.com/docs/features/secure-node-state-storage\\#configure-secure-node-state-storage)\r\n\r\nConfiguration of node state storage differs by platform and version:\r\n\r\n- Tailscale 1.90.2 to 1.92.4: node state storage encryption is enabled by default on all supported platforms.\r\n- Tailscale 1.92.5 or later: node state storage encryption is opt-in on Windows and Linux, and enabled by default on all other supported platforms.\r\n\r\n### [Android](https://tailscale.com/docs/features/secure-node-state-storage\\#android)\r\n\r\nSecure node state storage encrypts by default and does not require extra configuration.\r\n\r\n### [Linux](https://tailscale.com/docs/features/secure-node-state-storage\\#linux)\r\n\r\nConfigure secure node state storage by passing the [`--encrypt-state`](https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled) flag to `tailscaled`. Apply the changes by [restarting `tailscaled`](https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled).\r\n\r\n### [macOS/iOS/tvOS (from Mac App Store)](https://tailscale.com/docs/features/secure-node-state-storage\\#macosiostvos-from-mac-app-store)\r\n\r\nSecure node state storage encrypts by default and does not require extra configuration.\r\n\r\n### [macOS standalone](https://tailscale.com/docs/features/secure-node-state-storage\\#macos-standalone)\r\n\r\nConfigure secure node state storage by setting the [`EncryptState`](https://tailscale.com/docs/features/tailscale-system-policies#encrypt-node-state-file) system policy. Apply the changes by [restarting `tailscaled`](https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled). Refer to [Deploy Tailscale on macOS using MDM](https://tailscale.com/docs/integrations/mdm/mac) for how to configure this on macOS.\r\n\r\n### [Windows](https://tailscale.com/docs/features/secure-node-state-storage\\#windows)\r\n\r\nConfigure secure node state storage by setting the [`EncryptState`](https://tailscale.com/docs/features/tailscale-system-policies#encrypt-node-state-file) system policy. Apply the changes by [restarting `tailscaled`](https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled). Refer to [Deploy Tailscale on Windows using MDM](https://tailscale.com/docs/integrations/mdm/windows-mdm) for how to configure this on Windows.\r\n\r\n## [Disabling secure node state storage](https://tailscale.com/docs/features/secure-node-state-storage\\#disabling-secure-node-state-storage)\r\n\r\nOn supported platforms, disabling secure node state storage will migrate encrypted state to the prior plaintext format.\r\n\r\n## [Device posture attribute](https://tailscale.com/docs/features/secure-node-state-storage\\#device-posture-attribute)\r\n\r\nDevices have a `node:tsStateEncrypted` [device posture attribute](https://tailscale.com/docs/features/device-posture#device-posture-attributes) indicating whether the Tailscale node state encrypts.\r\n\r\n## [Recover from TPM failures](https://tailscale.com/docs/features/secure-node-state-storage\\#recover-from-tpm-failures)\r\n\r\nOn [Linux and Windows](https://tailscale.com/blog/encrypting-data-at-rest#windowslinux), the Tailscale client\r\nencrypts the node state file with a TPM device. To read or modify the state\r\nfile, Tailscale has to decrypt it with the exact same TPM device.\r\n\r\nIn some uncommon situations the TPM device can get reset or disappear entirely,\r\nusually due to a bad firmware update or hardware failure. When this happens,\r\nTailscale is unable to decrypt the state file, which causes the client to fail\r\nto start.\r\n\r\nYou can verify that this is the reason for Tailscale not running by looking for\r\nerrors containing `failed to unseal state file` in the [client\\\\\r\nlogs](https://tailscale.com/docs/features/logging#client-logs).\r\n\r\nIf you are unable to determine why the TPM device is misbehaving and fix it, the\r\nonly remaining solution is to reset the node state and register it again.\r\n\r\n1. [Remove the old device](https://tailscale.com/docs/features/access-control/device-management/how-to/remove) from the admin console.\r\n\r\n2. Remove the node state files.\r\n\r\n\r\n\r\n[Windows](https://tailscale.com/docs/features/secure-node-state-storage?tab=windows) [Linux](https://tailscale.com/docs/features/secure-node-state-storage?tab=linux)\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nRemove the following directories:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```powershell\r\nC:\\ProgramData\\Tailscale\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\Tailscale\r\n```\r\n\r\n3. Follow the usual login flow to register the node again.\r\n\r\n\r\n## [Limitations](https://tailscale.com/docs/features/secure-node-state-storage\\#limitations)\r\n\r\n- If secure node state storage is enabled on a Linux or Windows\r\ndevice without TPM 2.0 support, Tailscale will fail to start.\r\n- Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Secure node state storage</h1>\n<p>Last validated: Jan 12, 2026</p>\n<p>Tailscale node state contains <a href=\"https://tailscale.com/docs/concepts/node-keys\">node keys</a> and other sensitive data necessary for identifying the device to your Tailscale network (known as a <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a>) and for encrypting and decrypting traffic to other devices on the tailnet. This document covers how to configure Tailscale to encrypt the node state.</p>\n<p>Secure node state storageis available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#why-it-matters\">Why it matters</a></h2>\n<p>Secure node state storage can help protect against a malicious actor copying node state from one device to another, effectively cloning the node. By using <a href=\"https://tailscale.com/docs/features/secure-node-state-storage#platform-support\">platform-specific</a> capabilities, Tailscale ensures node state encrypts at rest, making theft from disk and node cloning more difficult.</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#platform-support\">Platform support</a></h2>\n<p>Secure node state storage implementations vary by platform and Tailscale client version.</p>\n<p>| <strong>Platform</strong> | <strong>Implementation</strong> | <strong>Version support</strong> |\r\n| --- | --- | --- |\r\n| Android | <a href=\"https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences\">EncryptedSharedPreferences</a> | All versions |\r\n| Linux | Trusted Platform Module (TPM) | Tailscale <a href=\"https://tailscale.com/changelog#2025-07-24\">v1.86</a> and later |\r\n| macOS/iOS/tvOS from Mac App Store | <a href=\"https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac\">Keychain</a> | All versions |\r\n| <a href=\"https://tailscale.com/docs/concepts/macos-variants#standalone-variant\">macOS standalone</a> | <a href=\"https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac\">Keychain</a> | Tailscale <a href=\"https://tailscale.com/changelog#2025-07-24\">v1.86</a> and later |\r\n| Windows | TPM | Tailscale <a href=\"https://tailscale.com/changelog#2025-07-24\">v1.86</a> and later |</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#prerequisites\">Prerequisites</a></h2>\n<ul>\n<li>Refer to <a href=\"https://tailscale.com/docs/features/secure-node-state-storage#platform-support\">platform support</a> for the minimum required Tailscale version for your client platforms.</li>\n<li>On Linux and Windows, your device must have a functioning TPM 2.0 device.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#configure-secure-node-state-storage\">Configure secure node state storage</a></h2>\n<p>Configuration of node state storage differs by platform and version:</p>\n<ul>\n<li>Tailscale 1.90.2 to 1.92.4: node state storage encryption is enabled by default on all supported platforms.</li>\n<li>Tailscale 1.92.5 or later: node state storage encryption is opt-in on Windows and Linux, and enabled by default on all other supported platforms.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#android\">Android</a></h3>\n<p>Secure node state storage encrypts by default and does not require extra configuration.</p>\n<h3><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#linux\">Linux</a></h3>\n<p>Configure secure node state storage by passing the <a href=\"https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled\"><code>--encrypt-state</code></a> flag to <code>tailscaled</code>. Apply the changes by <a href=\"https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled\">restarting <code>tailscaled</code></a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#macosiostvos-from-mac-app-store\">macOS/iOS/tvOS (from Mac App Store)</a></h3>\n<p>Secure node state storage encrypts by default and does not require extra configuration.</p>\n<h3><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#macos-standalone\">macOS standalone</a></h3>\n<p>Configure secure node state storage by setting the <a href=\"https://tailscale.com/docs/features/tailscale-system-policies#encrypt-node-state-file\"><code>EncryptState</code></a> system policy. Apply the changes by <a href=\"https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled\">restarting <code>tailscaled</code></a>. Refer to <a href=\"https://tailscale.com/docs/integrations/mdm/mac\">Deploy Tailscale on macOS using MDM</a> for how to configure this on macOS.</p>\n<h3><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#windows\">Windows</a></h3>\n<p>Configure secure node state storage by setting the <a href=\"https://tailscale.com/docs/features/tailscale-system-policies#encrypt-node-state-file\"><code>EncryptState</code></a> system policy. Apply the changes by <a href=\"https://tailscale.com/docs/reference/tailscaled#stopping-and-starting-tailscaled\">restarting <code>tailscaled</code></a>. Refer to <a href=\"https://tailscale.com/docs/integrations/mdm/windows-mdm\">Deploy Tailscale on Windows using MDM</a> for how to configure this on Windows.</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#disabling-secure-node-state-storage\">Disabling secure node state storage</a></h2>\n<p>On supported platforms, disabling secure node state storage will migrate encrypted state to the prior plaintext format.</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#device-posture-attribute\">Device posture attribute</a></h2>\n<p>Devices have a <code>node:tsStateEncrypted</code> <a href=\"https://tailscale.com/docs/features/device-posture#device-posture-attributes\">device posture attribute</a> indicating whether the Tailscale node state encrypts.</p>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#recover-from-tpm-failures\">Recover from TPM failures</a></h2>\n<p>On <a href=\"https://tailscale.com/blog/encrypting-data-at-rest#windowslinux\">Linux and Windows</a>, the Tailscale client\r\nencrypts the node state file with a TPM device. To read or modify the state\r\nfile, Tailscale has to decrypt it with the exact same TPM device.</p>\n<p>In some uncommon situations the TPM device can get reset or disappear entirely,\r\nusually due to a bad firmware update or hardware failure. When this happens,\r\nTailscale is unable to decrypt the state file, which causes the client to fail\r\nto start.</p>\n<p>You can verify that this is the reason for Tailscale not running by looking for\r\nerrors containing <code>failed to unseal state file</code> in the <a href=\"https://tailscale.com/docs/features/logging#client-logs\">client\\\r\nlogs</a>.</p>\n<p>If you are unable to determine why the TPM device is misbehaving and fix it, the\r\nonly remaining solution is to reset the node state and register it again.</p>\n<ol>\n<li>\n<p><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/remove\">Remove the old device</a> from the admin console.</p>\n</li>\n<li>\n<p>Remove the node state files.</p>\n</li>\n</ol>\n<p><a href=\"https://tailscale.com/docs/features/secure-node-state-storage?tab=windows\">Windows</a> <a href=\"https://tailscale.com/docs/features/secure-node-state-storage?tab=linux\">Linux</a></p>\n<p>Remove the following directories:</p>\n<pre><code class=\"language-powershell\">C:\\ProgramData\\Tailscale\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\Tailscale\n</code></pre>\n<ol start=\"3\">\n<li>Follow the usual login flow to register the node again.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/secure-node-state-storage#limitations\">Limitations</a></h2>\n<ul>\n<li>If secure node state storage is enabled on a Linux or Windows\r\ndevice without TPM 2.0 support, Tailscale will fail to start.</li>\n<li>Enabling secure node state storage can only be done using system policies or CLI flags, not through the graphical settings screen.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}