{"slug":"tailnet-lock","title":"Tailnet Lock","tags":["tailscale"],"agent_summary":"Last validated: Dec 2, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Tailnet Lock\r\n\r\nLast validated: Dec 2, 2025\r\n\r\nTailnet Lock lets you verify that no node joins your Tailscale network (known as a tailnet) unless trusted nodes in your tailnet sign the new node. With Tailnet Lock enabled, even if Tailscale were malicious or Tailscale infrastructure hacked, attackers can't send or receive traffic in your tailnet.\r\n\r\nTailnet Lockis available for [the Personal and Enterprise plans](https://tailscale.com/pricing).\r\n\r\n## [What is Tailnet Lock?](https://tailscale.com/docs/features/tailnet-lock\\#what-is-tailnet-lock)\r\n\r\nTailnet Lock lets trusted nodes in your tailnet sign and verify other nodes, meaning you don't need to trust the Tailscale [coordination server](https://tailscale.com/docs/concepts/control-data-planes#coordination-server) for distributing public [node keys](https://tailscale.com/blog/tailscale-key-management#node-keys) to peer nodes in your tailnet. You can control which nodes are trustworthy to sign another node's public key.\r\n\r\nTailscale's [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane) has the ability to add to and remove nodes from a tailnet. Inherently, customers must trust Tailscale's control plane to make the right decisions about who and what can join any given tailnet. Customers sometimes consider this a vector for abuse or security threats. Tailnet Lock largely mitigates the risk of Tailscale suddenly acting like a threat vector, by enforcing that the customer must use a trusted node to sign new additions to the tailnet. Tailnet Lock follows a \"Trust on first use (TOFU)\" model, where customers must initially trust Tailscale's control plane, but after first use, the customer can move centers of trust into their network.\r\n\r\nCustomers could alternatively host their own trusted control plane by using [Headscale](https://headscale.net/). This is however a path that removes the availability guarantees and low maintenance overhead that Tailscale's software as a service (SaaS) model provides. Customers who want to keep the center of trust on their networks while still subscribing to the benefits of a Tailscale-maintained control plane can use Tailnet Lock.\r\n\r\n## [How it works](https://tailscale.com/docs/features/tailnet-lock\\#how-it-works)\r\n\r\nWithout Tailnet Lock, when a new node joins the tailnet, the Tailscale coordination server distributes the public node key to peer nodes. If Tailscale were malicious, and stealthily inserted new nodes into your network, then Tailscale could send or receive traffic to your existing nodes in plaintext.\r\n\r\nWith Tailnet Lock, when a new node joins the tailnet, its public node key requires a signature from a Tailnet Lock key. The coordination server distributes the signed public node key to peer nodes in the tailnet. Peer nodes can then verify the signature before allowing connections. In this manner, you control which nodes are trustworthy to be in your tailnet, as well as which nodes are trustworthy to sign other nodes.\r\n\r\nEach node has a node key, and a Tailnet Lock key:\r\n\r\n- The [node key](https://tailscale.com/blog/tailscale-key-management#node-keys) is a public/private key pair generated on a node by a Tailscale client. The coordination server ties the node key to a specific identity. The private key remains private on the node. The public key is transmitted to the coordination server.\r\n\r\n- The Tailnet Lock key (TLK), which is also a public/private key pair. Every node generates a TLK, even if Tailnet Lock is not enabled. The private key of each TLK is stored on the node that generated it, and a copy of each trusted public TLK is stored in the [tailnet key authority](https://tailscale.com/docs/features/tailnet-lock#tailnet-key-authority) (TKA).\r\n\r\n\r\nTailnet Lock primarily consists of two components:\r\n\r\n- Signing nodes, which are nodes that can be used to sign new nodes into the tailnet.\r\n\r\n- The tailnet key authority, which is a storage mechanism for the available signing nodes in a tailnet. By knowing the current set of trusted TLKs, the TKA can verify signatures in two situations:\r\n\r\n\r\n  - Verifying node key signatures before adding node keys to its list of peers.\r\n\r\n  - Verifying signatures for requests to change the set of trusted TLKs before processing those changes.\r\n\r\n\r\nThe TKA storage mechanism is a cryptographic chain. The TKA can grow unbounded as customers change the tailnet's configuration.\r\n\r\nFor more information about the architecture of Tailnet Lock, refer to [Tailnet Lock white paper](https://tailscale.com/docs/concepts/tailnet-lock-whitepaper).\r\n\r\n### [Disablement secrets](https://tailscale.com/docs/features/tailnet-lock\\#disablement-secrets)\r\n\r\nDisablement secrets are long passwords generated during the process of enabling Tailnet Lock. Because disabling Tailnet Lock is a security-relevant operation, you must have a disablement secret if you want to disable Tailnet Lock. If the disablement procedure lacked authorization checks, a compromised coordination server could trivially disable Tailnet Lock (and all its protections) to attack a tailnet as if Tailnet Lock wasn't running.\r\n\r\nYou get your disablement secrets only when you initialize Tailnet Lock. Ensure that you securely store them. Some options include using your organization's secure storage like a password manager, or printing them and storing them in a secure safe. During Tailnet Lock initialization, you can optionally generate a disablement secret for Tailscale support. This way, Tailscale support could disable Tailnet Lock in case of an issue with how we've implemented Tailnet Lock, or if you have lost your disablement secret.\r\n\r\n### [Tailnet key authority](https://tailscale.com/docs/features/tailnet-lock\\#tailnet-key-authority)\r\n\r\nTo determine which Tailnet Lock keys to trust, nodes implement a new subsystem, called the tailnet key authority (TKA). The TKA tracks and updates the set of Tailnet Lock keys available to sign node keys. You specify the initial set of trusted lock keys when you enable Tailnet Lock. You can [add](https://tailscale.com/docs/features/tailnet-lock#add-a-signing-node) or [remove](https://tailscale.com/docs/features/tailnet-lock#remove-a-signing-node) keys to change the set of trusted Tailnet Lock keys. The coordination server publishes the set of trusted Tailnet Lock keys across your tailnet.\r\n\r\n## [Enable Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock\\#enable-tailnet-lock)\r\n\r\nYou need to be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to enable Tailnet Lock.\r\n\r\nTailnet Lock is not enabled by default. With Tailnet Lock enabled, all existing nodes in the tailnet have signatures provided by a trusted node in your tailnet.\r\n\r\nEnsure the nodes that you want to lock with Tailnet Lock are running Tailscale v1.46.1 or later.\r\n\r\nEnabling Tailnet Lock requires using the [`tailscale lock init`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init) command. Use the Tailscale admin console to make it easier to create the `tailscale lock init` command values.\r\n\r\n![Enable Tailnet Lock UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-tailnet-lock.3c2d04ef.png&w=1080&q=75)\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.\r\n2. Select **Enable Tailnet Lock**.\r\n3. In the **Add signing nodes** section, select **Add signing node**.\r\n4. Select the nodes whose Tailnet Lock keys you want to trust. You must select at least two signing nodes.\r\n5. (Optional): In the **Configure disablement options** section, specify whether to send a [disablement secret](https://tailscale.com/docs/features/tailnet-lock#disablement-secrets) to Tailscale support. When **Send disablement secret to Tailscale support** is enabled, this option will create an extra disablement secret that is automatically transmitted to Tailscale support. This way, Tailscale support could disable Tailnet Lock in case of an issue with how we've implemented Tailnet Lock, or if you have lost your disablement secret.\r\n6. In the **Run command from signing node** section, copy the `tailscale lock init` command.\r\n7. Open a terminal window on one of the signing nodes you selected.\r\n8. Paste in the `tailscale lock init` command that you copied from the admin console and press Enter.\r\n\r\nWhen you run the `tailscale lock init` command provided by the admin console, the command creates and displays ten disablement secrets. You need only a single disablement secret to disable Tailnet Lock, not all ten, although `tailscale lock init` generates ten. Make note of the disablement secrets displayed in the output. The disablement secrets are long passwords needed to disable your Tailnet Lock. For more information about disablement secrets, refer to [`tailscale lock disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable).\r\n\r\nThe disablement secrets display only when you initialize Tailnet Lock. If you lose your disablement secrets, and you did not provide one to Tailscale support, the tailnet cannot be recovered. Ensure that you securely store the disablement secrets. Some options include using your organization's secure storage like a password manager, or printing them and storing them in a secure safe.\r\n\r\nAfter `tailscale lock init` completes successfully:\r\n\r\n- All existing nodes in the tailnet are signed by the trusted Tailnet Lock keys.\r\n- The set of trusted Tailnet Lock keys is distributed to the existing nodes.\r\n- Nodes verify the signature of a peer's node key before allowing a connection.\r\n- All new node keys must be [signed](https://tailscale.com/docs/features/tailnet-lock#add-a-node-to-a-locked-tailnet) by an existing Tailnet Lock key.\r\n\r\nWhen Tailnet Lock is enabled, each node relies on the initial state of Tailnet Lock sent to it from the control plane ( [Trust on First Use](https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#enablement-is-trust-on-first-use-tofu)). To confirm that the initial state has not been compromised, you can verify the provisioned state of Tailnet Lock on each node by running the [`tailscale lock status`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status) command and checking the list of trusted signing keys. All nodes in your tailnet should report the same set of signing keys, which should match the Tailnet Lock keys of your designated signing nodes.\r\n\r\n## [Disable Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock\\#disable-tailnet-lock)\r\n\r\nYou need to be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to disable Tailnet Lock.\r\n\r\n[Tailscale admin console](https://tailscale.com/docs/features/tailnet-lock?tab=tailscale+admin+console) [Tailscale CLI](https://tailscale.com/docs/features/tailnet-lock?tab=tailscale+cli)\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n2. Select **Disable Tailnet Lock**.\r\n3. For **Disablement secret**, enter a [disablement secret](https://tailscale.com/docs/features/tailnet-lock#disablement-secrets) that you stored securely when you enabled Tailnet Lock.\r\n4. Select **Disable Tailnet Lock**.\r\n\r\nOnce you use the specified disablement secret, the Tailscale coordination server distributes it to all nodes in the tailnet and you should consider it public.\r\n\r\nIf you re-enable Tailnet Lock, for example, by running the `tailscale lock init` command again, you get new disablement secrets.\r\n\r\nIf you encounter a significant issue with Tailnet Lock for your entire tailnet and can't disable it by using the [Device management](https://login.tailscale.com/admin/settings/device-management) page (for example, if you can't locate your disablement secret), you could run the `tailscale lock local-disable` command on each of your nodes to make your tailnet in effect ignore Tailnet Lock. For details, refer to [`tailscale lock local-disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-local-disable).\r\n\r\n## [Add a node to a locked tailnet](https://tailscale.com/docs/features/tailnet-lock\\#add-a-node-to-a-locked-tailnet)\r\n\r\nIf you have already enabled Tailnet Lock and want to add an additional node, you need to sign the new node's [node key](https://tailscale.com/blog/tailscale-key-management#node-keys).\r\n\r\nYou have two options to add a node:\r\n\r\n- Use a Tailscale client app signing link. This is possible only for macOS, Windows, and iOS. _We are working on Android._\r\n- Use the [`tailscale lock sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) command, which is part of the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli). This is possible only for Linux, macOS, and Windows.\r\n\r\nBoth options require access to the Tailscale admin console, because retrieving information for the node key to add is possible only through the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n\r\n### [Use a client app to add a node](https://tailscale.com/docs/features/tailnet-lock\\#use-a-client-app-to-add-a-node)\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.\r\n2. Select the node that needs a signature. Look for the **Locked out** badge in the machines list, or use the [`property:locked-out`](https://login.tailscale.com/admin/machines?q=property%3Alocked-out) filter to find all devices that are locked out.\r\n3. Select **Sign machine**.\r\n4. In the **Sign machine** dialog, you have 3 tabs to choose from, to add the node.\r\n   - In the **Desktop** tab, if you are on a macOS or Windows device that is a signing node, select **Sign this node**. Otherwise, select **Copy signing URL**, send the URL to a signing node, and open the URL on the signing node. Either process opens the Tailscale client and lets you add the node.\r\n\r\n   - In the **Mobile** tab, if you are on an iOS device that is a signing node, scan the QR code to open the Tailscale client, then add the node. Alternatively, select **Copy signing URL**, send the URL to a signing node, and open the URL on the signing node. Either process opens the Tailscale client and lets you add the node.\r\n\r\n\r\n\r\n     Using a QR code to add a node is currently supported only on iOS devices.\r\n\r\n   - In the **CLI** tab, select the **Copy** icon to copy the [`tailscale lock sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) command. Run the command on a signing node to add the node.\r\n\r\n### [Use the CLI to add a node](https://tailscale.com/docs/features/tailnet-lock\\#use-the-cli-to-add-a-node)\r\n\r\nUse the [`tailscale lock sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) command to add a node.\r\n\r\nThis example adds a node:\r\n\r\n```shell\r\ntailscale lock sign nodekey:1abddef1 tlpub:abcdef12\r\n```\r\n\r\n- `nodekey:1abddef1` is the node key for the node you want to add to your tailnet.\r\n- `tlpub:abcdef12` is an optional Tailnet Lock key for a trusted signing node, to use for key rotation.\r\n\r\nReplace these example values with your actual node key and optional Tailnet Lock key.\r\n\r\nYou can determine the `tailscale lock sign` command either using the admin console or using the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli).\r\n\r\nTo determine the `tailscale lock sign` command using the admin console:\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.\r\n2. Select the node that needs to be signed. Look for the **Locked out** badge in the machines list, or use the [`property:locked-out`](https://login.tailscale.com/admin/machines?q=property%3Alocked-out) filter to find all devices that are locked out.\r\n3. Select **Sign node**.\r\n4. Select **CLI**.\r\n5. Copy the `tailscale lock sign` command needed to sign the node.\r\n6. Run the command on a signing node to add the node.\r\n\r\nAlternatively, to determine the `tailscale lock sign` command using the Tailscale CLI:\r\n\r\n1. On the node that you want to add to your tailnet, run:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock status\r\n```\r\n\r\n2. In the output of `tailscale lock status`, copy the `tailscale lock sign` command needed to sign the node.\r\n\r\n3. Then, on a node with a trusted Tailnet Lock key, run the command you copied in the previous step:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock sign nodekey:<your-node-key> tlpub:<your-tailnet-lock-key>\r\n```\r\n\r\n\r\n\r\nReplace these example values with your actual node key and optional Tailnet Lock key.\r\n\r\n\r\nWhen a signed node key [expires](https://tailscale.com/docs/features/access-control/key-expiry), the new node key will not need to be re-signed. When the user re-authenticates, the node's signature will be automatically rotated, by signing the new node key with the node's [Tailnet Lock key](https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#tailnet-lock-keys).\r\n\r\n### [Add a node using a pre-signed auth key](https://tailscale.com/docs/features/tailnet-lock\\#add-a-node-using-a-pre-signed-auth-key)\r\n\r\nSigning an [auth key](https://tailscale.com/docs/features/access-control/auth-keys) lets you add devices to your locked tailnet using [pre-signed](https://tailscale.com/docs/features/access-control/auth-keys#authkey-pre-signed) auth keys, so that you don't need to add the node and _then_ sign its node key.\r\n\r\n1. [Generate](https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key) a pre-approved auth key.\r\n\r\n2. On a node with a trusted Tailnet Lock key, set an environment variable, `AUTH_KEY`, to the value of the auth key:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nexport AUTH_KEY=\"tskey-auth-<XXXXCTRL-NNNNNN>\"\r\n```\r\n\r\n\r\n\r\nReplace this example value with your actual auth key.\r\n\r\n3. Sign the auth key by running the [`tailscale lock sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) command:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock sign $AUTH_KEY\r\n```\r\n\r\n4. Use the new key that is generated by the `tailscale lock sign` command to [pre-approve devices](https://tailscale.com/docs/features/access-control/device-management/device-approval#pre-approve-devices-with-an-auth-key) in your tailnet.\r\n\r\n\r\n## [Determine a node's Tailnet Lock public key](https://tailscale.com/docs/features/tailnet-lock\\#determine-a-nodes-tailnet-lock-public-key)\r\n\r\nFor some Tailnet Lock operations, you need to know a node's Tailnet Lock public key. A node's Tailnet Lock public key is of the form `tlpub:abcdef12`.\r\n\r\nThis is not the same as a node's Tailscale public key, which is of the form `nodekey:abcdef12`.\r\n\r\n### [Determining the Tailnet Lock public key by using the CLI](https://tailscale.com/docs/features/tailnet-lock\\#determining-the-tailnet-lock-public-key-by-using-the-cli)\r\n\r\nTo determine a node's Tailnet Lock public key using the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli), which is possible only for Linux, macOS, and Windows:\r\n\r\n- Run [`tailscale lock status`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status). The command displays the Tailnet Lock public key for the node.\r\n\r\n### [Determining the Tailnet Lock public key by using the admin console](https://tailscale.com/docs/features/tailnet-lock\\#determining-the-tailnet-lock-public-key-by-using-the-admin-console)\r\n\r\nTo determine a node's Tailnet Lock public key using the admin console:\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines). Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.\r\n\r\n2. Select the node whose Tailnet Lock public key you want to determine.\r\n\r\n3. In the **Machine Details** section, look for **Tailnet Lock key**. If you do not find **Tailnet Lock key** within the UI, then Tailnet Lock is not enabled for the tailnet.\r\n\r\n4. Select **Copy** to copy the key to your clipboard.\r\n\r\n\r\n### [Determining the Tailnet Lock public key by using the client](https://tailscale.com/docs/features/tailnet-lock\\#determining-the-tailnet-lock-public-key-by-using-the-client)\r\n\r\n[macOS](https://tailscale.com/docs/features/tailnet-lock?tab=macos) [iOS](https://tailscale.com/docs/features/tailnet-lock?tab=ios)\r\n\r\n1. Select **Settings** from the Tailscale client menu.\r\n2. Select the **Settings** tab if it is not already active.\r\n3. In the **Tailnet Lock** section, select **Manage**.\r\n4. In the dialog that opens, the **Tailnet Lock Key** section shows the Tailnet Lock public key. Select the **Copy** icon to copy the key to your clipboard.\r\n\r\n## [Add a signing node](https://tailscale.com/docs/features/tailnet-lock\\#add-a-signing-node)\r\n\r\n1. [Determine the Tailnet Lock public key](https://tailscale.com/docs/features/tailnet-lock#determine-public-key) for the node you want to add as a signing node.\r\n\r\n2. On a node with a trusted Tailnet Lock key, run the [`tailscale lock add`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-add) command, passing in the Tailnet Lock keys that you determined in the previous step.\r\n\r\nThis examples adds two signing nodes:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock add tlpub:trusted-key1 tlpub:trusted-key2\r\n```\r\n\r\n\r\n\r\nReplace these example values with your Tailnet Lock key or keys.\r\n\r\n\r\n## [Remove a signing node](https://tailscale.com/docs/features/tailnet-lock\\#remove-a-signing-node)\r\n\r\nYou need to run this process from a node with a trusted Tailnet Lock key.\r\n\r\n1. If you don't already have the Tailnet Lock public key for each node you want to remove as a signing node, [determine the Tailnet Lock public key](https://tailscale.com/docs/features/tailnet-lock#determine-public-key).\r\n\r\n2. On a node with a trusted Tailnet Lock key, run the [`tailscale lock remove`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove) command, passing in the Tailnet Lock keys that you determined in the previous step.\r\n\r\nThis example removes two signing nodes:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock remove tlpub:trusted-key7 tlpub:trusted-key8\r\n```\r\n\r\n\r\n\r\nReplace these example values with your Tailnet Lock key or keys.\r\n\r\n\r\nWhen you remove a signing node _Node-B_ by running `tailscale lock remove` on node _Node-A_, by default all nodes previously signed by Node-B are re-signed with Node-A's key. You can disable this by passing in `--re-sign=false` to the `tailscale lock remove` command.\r\n\r\n## [Revoke a compromised signing node](https://tailscale.com/docs/features/tailnet-lock\\#revoke-a-compromised-signing-node)\r\n\r\nIf a signing node becomes compromised, revoke the compromised key by running the [`tailscale lock revoke-keys`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-revoke-keys) command. Once you revoke a key, you can no longer use it for Tailnet Lock. Any nodes that were previously signed by a revoked key lose their authorization and require a new signature.\r\n\r\nIf you want to remove a key that is not compromised, use the [`tailscale lock remove`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove) command instead.\r\n\r\nRevocation is a multi-step process that requires several signing nodes to co-sign the revocation. Each step uses the `tailscale lock revoke-keys` command.\r\n\r\n1. Open a terminal on a signing node that does not have a compromised key.\r\n\r\n2. Run the `tailscale lock revoke-keys` command.\r\n\r\nThis example revokes two signing nodes - `tlpub:compromised-key1 tlpub:compromised-key2` is a space-separated list of the keys to revoke:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock revoke-keys tlpub:compromised-key1 tlpub:compromised-key2\r\n```\r\n\r\n\r\n\r\nReplace these example values with your Tailnet Lock key or keys.\r\n\r\nThe output of this command contains a `tailscale lock revoke-keys --cosign` command, which you will use in the next step.\r\n\r\n3. On another trusted signing node, run the `tailscale lock revoke-keys --cosign` command. The output of this command contains a new `tailscale lock revoke-keys --cosign` command. Repeat this process, always using the new output from each `--cosign` command, until the number of times you used `--cosign` exceeds the number of revoked keys. For example, if you revoked 3 keys, you need to run the `tailscale lock revoke-keys --cosign` command 4 times.\r\n\r\n4. Finish the process by running the command that was output from the last use of `--cosign` **except** replace `--cosign` with `--finish`:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock revoke-keys --finish <hex-data>\r\n```\r\n\r\n\r\n\r\nReplace this example value with your hex data.\r\n\r\n\r\nBy default, Tailscale will determine the appropriate point in the Tailnet Lock log to fork. If more signing nodes agree that a key should be revocable than not, then your tailnet uses the keys in the fork that Tailscale determined as still trustworthy, instead of the revoked keys.\r\n\r\nIf the majority of signing nodes become compromised, you can disable and then re-enable Tailnet Lock itself.\r\n\r\n## [How Tailnet Lock works with other Tailscale features](https://tailscale.com/docs/features/tailnet-lock\\#how-tailnet-lock-works-with-other-tailscale-features)\r\n\r\nTake the following into consideration for how Tailnet Lock works with other Tailscale features.\r\n\r\n### [Sharing](https://tailscale.com/docs/features/tailnet-lock\\#sharing)\r\n\r\nTo use Tailnet Lock with the [sharing feature](https://tailscale.com/docs/features/sharing), a node shared into a tailnet with Tailnet Lock requires a signature before it is accessible.\r\n\r\nTo share nodes out of a tailnet with Tailnet Lock, the user who accepts the share invite needs to have their nodes signed in the locked tailnet before they can access the shared node.\r\n\r\n### [Tailscale SSH Console](https://tailscale.com/docs/features/tailnet-lock\\#tailscale-ssh-console)\r\n\r\nYou can use [Tailscale SSH Console](https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-console) to establish an SSH session for a signed node in your tailnet, provided:\r\n\r\n- your [tailnet policy file](https://tailscale.com/docs/features/access-control/acls) permits network access.\r\n- a [Tailscale SSH rule](https://tailscale.com/docs/reference/syntax/policy-file#ssh) permits SSH access.\r\n\r\n## [Configuration audit logging](https://tailscale.com/docs/features/tailnet-lock\\#configuration-audit-logging)\r\n\r\nEnabling, disabling, or modifying Tailnet Lock configuration creates events that will appear in the [configuration audit logs](https://tailscale.com/docs/features/logging/audit-logging).\r\n\r\nIndependent of configuration audit logging, you can run the [`tailscale lock log`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-log) command on a node to find recent Tailnet Lock changes to your tailnet.\r\n\r\n## [Tailnet Lock state](https://tailscale.com/docs/features/tailnet-lock\\#tailnet-lock-state)\r\n\r\nTailnet Lock tries to store data in the Tailscale state directory of each node:\r\n\r\n- If you use the macOS, Windows, iOS, Android, and tvOS clients, the state directory is set automatically.\r\n- If you run the [`tailscaled` daemon](https://tailscale.com/docs/reference/tailscaled), the state directory is set by the [`--statedir`](https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled) or `--state` flags.\r\n- If you use the default systemd unit files distributed with the official Tailscale `deb`, `rpm` and `tar.gz` packages, the `--state` flag is set automatically.\r\n- If you use Tailscale in Docker or Kubernetes, the state directory is set by the [`TS_STATE_DIR` environment variable](https://tailscale.com/docs/features/containers/docker#ts_state_dir).\r\n\r\nIf you do not provide a state directory, Tailscale must store Tailnet Lock data in-memory.\r\nThis means your node must re-fetch the complete state from the control plane whenever it starts.\r\n\r\nWe strongly recommend setting a state directory, which removes this control plane startup dependency.\r\n\r\n## [Limitations](https://tailscale.com/docs/features/tailnet-lock\\#limitations)\r\n\r\n- You need to securely store the [disablement secrets](https://tailscale.com/docs/features/tailnet-lock#disablement-secrets) yourself. If you lose your disablement secrets, and you did not provide one to Tailscale support, the tailnet cannot be recovered.\r\n- You can have a maximum of 20 signing nodes in your tailnet.\r\n- To prevent unbounded growth of the TKA, rotate Tailnet Lock keys at most once per year.\r\n- You cannot enable both Tailnet Lock and [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval)—they are mutually exclusive features.\r\n- Tailnet Lock keys are stored on the device. If the device is compromised, the key can be obtained.\r\n- You cannot use an Android device as a signing node, because it cannot be used for signing operations. _This is being worked on._\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Tailnet Lock</h1>\n<p>Last validated: Dec 2, 2025</p>\n<p>Tailnet Lock lets you verify that no node joins your Tailscale network (known as a tailnet) unless trusted nodes in your tailnet sign the new node. With Tailnet Lock enabled, even if Tailscale were malicious or Tailscale infrastructure hacked, attackers can't send or receive traffic in your tailnet.</p>\n<p>Tailnet Lockis available for <a href=\"https://tailscale.com/pricing\">the Personal and Enterprise plans</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#what-is-tailnet-lock\">What is Tailnet Lock?</a></h2>\n<p>Tailnet Lock lets trusted nodes in your tailnet sign and verify other nodes, meaning you don't need to trust the Tailscale <a href=\"https://tailscale.com/docs/concepts/control-data-planes#coordination-server\">coordination server</a> for distributing public <a href=\"https://tailscale.com/blog/tailscale-key-management#node-keys\">node keys</a> to peer nodes in your tailnet. You can control which nodes are trustworthy to sign another node's public key.</p>\n<p>Tailscale's <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a> has the ability to add to and remove nodes from a tailnet. Inherently, customers must trust Tailscale's control plane to make the right decisions about who and what can join any given tailnet. Customers sometimes consider this a vector for abuse or security threats. Tailnet Lock largely mitigates the risk of Tailscale suddenly acting like a threat vector, by enforcing that the customer must use a trusted node to sign new additions to the tailnet. Tailnet Lock follows a \"Trust on first use (TOFU)\" model, where customers must initially trust Tailscale's control plane, but after first use, the customer can move centers of trust into their network.</p>\n<p>Customers could alternatively host their own trusted control plane by using <a href=\"https://headscale.net/\">Headscale</a>. This is however a path that removes the availability guarantees and low maintenance overhead that Tailscale's software as a service (SaaS) model provides. Customers who want to keep the center of trust on their networks while still subscribing to the benefits of a Tailscale-maintained control plane can use Tailnet Lock.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#how-it-works\">How it works</a></h2>\n<p>Without Tailnet Lock, when a new node joins the tailnet, the Tailscale coordination server distributes the public node key to peer nodes. If Tailscale were malicious, and stealthily inserted new nodes into your network, then Tailscale could send or receive traffic to your existing nodes in plaintext.</p>\n<p>With Tailnet Lock, when a new node joins the tailnet, its public node key requires a signature from a Tailnet Lock key. The coordination server distributes the signed public node key to peer nodes in the tailnet. Peer nodes can then verify the signature before allowing connections. In this manner, you control which nodes are trustworthy to be in your tailnet, as well as which nodes are trustworthy to sign other nodes.</p>\n<p>Each node has a node key, and a Tailnet Lock key:</p>\n<ul>\n<li>\n<p>The <a href=\"https://tailscale.com/blog/tailscale-key-management#node-keys\">node key</a> is a public/private key pair generated on a node by a Tailscale client. The coordination server ties the node key to a specific identity. The private key remains private on the node. The public key is transmitted to the coordination server.</p>\n</li>\n<li>\n<p>The Tailnet Lock key (TLK), which is also a public/private key pair. Every node generates a TLK, even if Tailnet Lock is not enabled. The private key of each TLK is stored on the node that generated it, and a copy of each trusted public TLK is stored in the <a href=\"https://tailscale.com/docs/features/tailnet-lock#tailnet-key-authority\">tailnet key authority</a> (TKA).</p>\n</li>\n</ul>\n<p>Tailnet Lock primarily consists of two components:</p>\n<ul>\n<li>\n<p>Signing nodes, which are nodes that can be used to sign new nodes into the tailnet.</p>\n</li>\n<li>\n<p>The tailnet key authority, which is a storage mechanism for the available signing nodes in a tailnet. By knowing the current set of trusted TLKs, the TKA can verify signatures in two situations:</p>\n<ul>\n<li>\n<p>Verifying node key signatures before adding node keys to its list of peers.</p>\n</li>\n<li>\n<p>Verifying signatures for requests to change the set of trusted TLKs before processing those changes.</p>\n</li>\n</ul>\n</li>\n</ul>\n<p>The TKA storage mechanism is a cryptographic chain. The TKA can grow unbounded as customers change the tailnet's configuration.</p>\n<p>For more information about the architecture of Tailnet Lock, refer to <a href=\"https://tailscale.com/docs/concepts/tailnet-lock-whitepaper\">Tailnet Lock white paper</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#disablement-secrets\">Disablement secrets</a></h3>\n<p>Disablement secrets are long passwords generated during the process of enabling Tailnet Lock. Because disabling Tailnet Lock is a security-relevant operation, you must have a disablement secret if you want to disable Tailnet Lock. If the disablement procedure lacked authorization checks, a compromised coordination server could trivially disable Tailnet Lock (and all its protections) to attack a tailnet as if Tailnet Lock wasn't running.</p>\n<p>You get your disablement secrets only when you initialize Tailnet Lock. Ensure that you securely store them. Some options include using your organization's secure storage like a password manager, or printing them and storing them in a secure safe. During Tailnet Lock initialization, you can optionally generate a disablement secret for Tailscale support. This way, Tailscale support could disable Tailnet Lock in case of an issue with how we've implemented Tailnet Lock, or if you have lost your disablement secret.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#tailnet-key-authority\">Tailnet key authority</a></h3>\n<p>To determine which Tailnet Lock keys to trust, nodes implement a new subsystem, called the tailnet key authority (TKA). The TKA tracks and updates the set of Tailnet Lock keys available to sign node keys. You specify the initial set of trusted lock keys when you enable Tailnet Lock. You can <a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-signing-node\">add</a> or <a href=\"https://tailscale.com/docs/features/tailnet-lock#remove-a-signing-node\">remove</a> keys to change the set of trusted Tailnet Lock keys. The coordination server publishes the set of trusted Tailnet Lock keys across your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#enable-tailnet-lock\">Enable Tailnet Lock</a></h2>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> of a tailnet to enable Tailnet Lock.</p>\n<p>Tailnet Lock is not enabled by default. With Tailnet Lock enabled, all existing nodes in the tailnet have signatures provided by a trusted node in your tailnet.</p>\n<p>Ensure the nodes that you want to lock with Tailnet Lock are running Tailscale v1.46.1 or later.</p>\n<p>Enabling Tailnet Lock requires using the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init\"><code>tailscale lock init</code></a> command. Use the Tailscale admin console to make it easier to create the <code>tailscale lock init</code> command values.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-tailnet-lock.3c2d04ef.png&#x26;w=1080&#x26;q=75\" alt=\"Enable Tailnet Lock UI\"></p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.</li>\n<li>Select <strong>Enable Tailnet Lock</strong>.</li>\n<li>In the <strong>Add signing nodes</strong> section, select <strong>Add signing node</strong>.</li>\n<li>Select the nodes whose Tailnet Lock keys you want to trust. You must select at least two signing nodes.</li>\n<li>(Optional): In the <strong>Configure disablement options</strong> section, specify whether to send a <a href=\"https://tailscale.com/docs/features/tailnet-lock#disablement-secrets\">disablement secret</a> to Tailscale support. When <strong>Send disablement secret to Tailscale support</strong> is enabled, this option will create an extra disablement secret that is automatically transmitted to Tailscale support. This way, Tailscale support could disable Tailnet Lock in case of an issue with how we've implemented Tailnet Lock, or if you have lost your disablement secret.</li>\n<li>In the <strong>Run command from signing node</strong> section, copy the <code>tailscale lock init</code> command.</li>\n<li>Open a terminal window on one of the signing nodes you selected.</li>\n<li>Paste in the <code>tailscale lock init</code> command that you copied from the admin console and press Enter.</li>\n</ol>\n<p>When you run the <code>tailscale lock init</code> command provided by the admin console, the command creates and displays ten disablement secrets. You need only a single disablement secret to disable Tailnet Lock, not all ten, although <code>tailscale lock init</code> generates ten. Make note of the disablement secrets displayed in the output. The disablement secrets are long passwords needed to disable your Tailnet Lock. For more information about disablement secrets, refer to <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable\"><code>tailscale lock disable</code></a>.</p>\n<p>The disablement secrets display only when you initialize Tailnet Lock. If you lose your disablement secrets, and you did not provide one to Tailscale support, the tailnet cannot be recovered. Ensure that you securely store the disablement secrets. Some options include using your organization's secure storage like a password manager, or printing them and storing them in a secure safe.</p>\n<p>After <code>tailscale lock init</code> completes successfully:</p>\n<ul>\n<li>All existing nodes in the tailnet are signed by the trusted Tailnet Lock keys.</li>\n<li>The set of trusted Tailnet Lock keys is distributed to the existing nodes.</li>\n<li>Nodes verify the signature of a peer's node key before allowing a connection.</li>\n<li>All new node keys must be <a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-node-to-a-locked-tailnet\">signed</a> by an existing Tailnet Lock key.</li>\n</ul>\n<p>When Tailnet Lock is enabled, each node relies on the initial state of Tailnet Lock sent to it from the control plane ( <a href=\"https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#enablement-is-trust-on-first-use-tofu\">Trust on First Use</a>). To confirm that the initial state has not been compromised, you can verify the provisioned state of Tailnet Lock on each node by running the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status\"><code>tailscale lock status</code></a> command and checking the list of trusted signing keys. All nodes in your tailnet should report the same set of signing keys, which should match the Tailnet Lock keys of your designated signing nodes.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#disable-tailnet-lock\">Disable Tailnet Lock</a></h2>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> of a tailnet to disable Tailnet Lock.</p>\n<p><a href=\"https://tailscale.com/docs/features/tailnet-lock?tab=tailscale+admin+console\">Tailscale admin console</a> <a href=\"https://tailscale.com/docs/features/tailnet-lock?tab=tailscale+cli\">Tailscale CLI</a></p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</li>\n<li>Select <strong>Disable Tailnet Lock</strong>.</li>\n<li>For <strong>Disablement secret</strong>, enter a <a href=\"https://tailscale.com/docs/features/tailnet-lock#disablement-secrets\">disablement secret</a> that you stored securely when you enabled Tailnet Lock.</li>\n<li>Select <strong>Disable Tailnet Lock</strong>.</li>\n</ol>\n<p>Once you use the specified disablement secret, the Tailscale coordination server distributes it to all nodes in the tailnet and you should consider it public.</p>\n<p>If you re-enable Tailnet Lock, for example, by running the <code>tailscale lock init</code> command again, you get new disablement secrets.</p>\n<p>If you encounter a significant issue with Tailnet Lock for your entire tailnet and can't disable it by using the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page (for example, if you can't locate your disablement secret), you could run the <code>tailscale lock local-disable</code> command on each of your nodes to make your tailnet in effect ignore Tailnet Lock. For details, refer to <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-local-disable\"><code>tailscale lock local-disable</code></a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-node-to-a-locked-tailnet\">Add a node to a locked tailnet</a></h2>\n<p>If you have already enabled Tailnet Lock and want to add an additional node, you need to sign the new node's <a href=\"https://tailscale.com/blog/tailscale-key-management#node-keys\">node key</a>.</p>\n<p>You have two options to add a node:</p>\n<ul>\n<li>Use a Tailscale client app signing link. This is possible only for macOS, Windows, and iOS. <em>We are working on Android.</em></li>\n<li>Use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>tailscale lock sign</code></a> command, which is part of the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>. This is possible only for Linux, macOS, and Windows.</li>\n</ul>\n<p>Both options require access to the Tailscale admin console, because retrieving information for the node key to add is possible only through the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#use-a-client-app-to-add-a-node\">Use a client app to add a node</a></h3>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.</li>\n<li>Select the node that needs a signature. Look for the <strong>Locked out</strong> badge in the machines list, or use the <a href=\"https://login.tailscale.com/admin/machines?q=property%3Alocked-out\"><code>property:locked-out</code></a> filter to find all devices that are locked out.</li>\n<li>Select <strong>Sign machine</strong>.</li>\n<li>In the <strong>Sign machine</strong> dialog, you have 3 tabs to choose from, to add the node.\n<ul>\n<li>\n<p>In the <strong>Desktop</strong> tab, if you are on a macOS or Windows device that is a signing node, select <strong>Sign this node</strong>. Otherwise, select <strong>Copy signing URL</strong>, send the URL to a signing node, and open the URL on the signing node. Either process opens the Tailscale client and lets you add the node.</p>\n</li>\n<li>\n<p>In the <strong>Mobile</strong> tab, if you are on an iOS device that is a signing node, scan the QR code to open the Tailscale client, then add the node. Alternatively, select <strong>Copy signing URL</strong>, send the URL to a signing node, and open the URL on the signing node. Either process opens the Tailscale client and lets you add the node.</p>\n<p>Using a QR code to add a node is currently supported only on iOS devices.</p>\n</li>\n<li>\n<p>In the <strong>CLI</strong> tab, select the <strong>Copy</strong> icon to copy the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>tailscale lock sign</code></a> command. Run the command on a signing node to add the node.</p>\n</li>\n</ul>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#use-the-cli-to-add-a-node\">Use the CLI to add a node</a></h3>\n<p>Use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>tailscale lock sign</code></a> command to add a node.</p>\n<p>This example adds a node:</p>\n<pre><code class=\"language-shell\">tailscale lock sign nodekey:1abddef1 tlpub:abcdef12\n</code></pre>\n<ul>\n<li><code>nodekey:1abddef1</code> is the node key for the node you want to add to your tailnet.</li>\n<li><code>tlpub:abcdef12</code> is an optional Tailnet Lock key for a trusted signing node, to use for key rotation.</li>\n</ul>\n<p>Replace these example values with your actual node key and optional Tailnet Lock key.</p>\n<p>You can determine the <code>tailscale lock sign</code> command either using the admin console or using the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>.</p>\n<p>To determine the <code>tailscale lock sign</code> command using the admin console:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.</li>\n<li>Select the node that needs to be signed. Look for the <strong>Locked out</strong> badge in the machines list, or use the <a href=\"https://login.tailscale.com/admin/machines?q=property%3Alocked-out\"><code>property:locked-out</code></a> filter to find all devices that are locked out.</li>\n<li>Select <strong>Sign node</strong>.</li>\n<li>Select <strong>CLI</strong>.</li>\n<li>Copy the <code>tailscale lock sign</code> command needed to sign the node.</li>\n<li>Run the command on a signing node to add the node.</li>\n</ol>\n<p>Alternatively, to determine the <code>tailscale lock sign</code> command using the Tailscale CLI:</p>\n<ol>\n<li>On the node that you want to add to your tailnet, run:</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock status\n</code></pre>\n<ol start=\"2\">\n<li>\n<p>In the output of <code>tailscale lock status</code>, copy the <code>tailscale lock sign</code> command needed to sign the node.</p>\n</li>\n<li>\n<p>Then, on a node with a trusted Tailnet Lock key, run the command you copied in the previous step:</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock sign nodekey:&#x3C;your-node-key> tlpub:&#x3C;your-tailnet-lock-key>\n</code></pre>\n<p>Replace these example values with your actual node key and optional Tailnet Lock key.</p>\n<p>When a signed node key <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">expires</a>, the new node key will not need to be re-signed. When the user re-authenticates, the node's signature will be automatically rotated, by signing the new node key with the node's <a href=\"https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#tailnet-lock-keys\">Tailnet Lock key</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-node-using-a-pre-signed-auth-key\">Add a node using a pre-signed auth key</a></h3>\n<p>Signing an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a> lets you add devices to your locked tailnet using <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#authkey-pre-signed\">pre-signed</a> auth keys, so that you don't need to add the node and <em>then</em> sign its node key.</p>\n<ol>\n<li>\n<p><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key\">Generate</a> a pre-approved auth key.</p>\n</li>\n<li>\n<p>On a node with a trusted Tailnet Lock key, set an environment variable, <code>AUTH_KEY</code>, to the value of the auth key:</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">export AUTH_KEY=\"tskey-auth-&#x3C;XXXXCTRL-NNNNNN>\"\n</code></pre>\n<p>Replace this example value with your actual auth key.</p>\n<ol start=\"3\">\n<li>Sign the auth key by running the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>tailscale lock sign</code></a> command:</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock sign $AUTH_KEY\n</code></pre>\n<ol start=\"4\">\n<li>Use the new key that is generated by the <code>tailscale lock sign</code> command to <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#pre-approve-devices-with-an-auth-key\">pre-approve devices</a> in your tailnet.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#determine-a-nodes-tailnet-lock-public-key\">Determine a node's Tailnet Lock public key</a></h2>\n<p>For some Tailnet Lock operations, you need to know a node's Tailnet Lock public key. A node's Tailnet Lock public key is of the form <code>tlpub:abcdef12</code>.</p>\n<p>This is not the same as a node's Tailscale public key, which is of the form <code>nodekey:abcdef12</code>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#determining-the-tailnet-lock-public-key-by-using-the-cli\">Determining the Tailnet Lock public key by using the CLI</a></h3>\n<p>To determine a node's Tailnet Lock public key using the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>, which is possible only for Linux, macOS, and Windows:</p>\n<ul>\n<li>Run <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status\"><code>tailscale lock status</code></a>. The command displays the Tailnet Lock public key for the node.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#determining-the-tailnet-lock-public-key-by-using-the-admin-console\">Determining the Tailnet Lock public key by using the admin console</a></h3>\n<p>To determine a node's Tailnet Lock public key using the admin console:</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a>. Ensure that you log into the same tailnet for both the admin console and the Tailscale clients running on the signing nodes.</p>\n</li>\n<li>\n<p>Select the node whose Tailnet Lock public key you want to determine.</p>\n</li>\n<li>\n<p>In the <strong>Machine Details</strong> section, look for <strong>Tailnet Lock key</strong>. If you do not find <strong>Tailnet Lock key</strong> within the UI, then Tailnet Lock is not enabled for the tailnet.</p>\n</li>\n<li>\n<p>Select <strong>Copy</strong> to copy the key to your clipboard.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#determining-the-tailnet-lock-public-key-by-using-the-client\">Determining the Tailnet Lock public key by using the client</a></h3>\n<p><a href=\"https://tailscale.com/docs/features/tailnet-lock?tab=macos\">macOS</a> <a href=\"https://tailscale.com/docs/features/tailnet-lock?tab=ios\">iOS</a></p>\n<ol>\n<li>Select <strong>Settings</strong> from the Tailscale client menu.</li>\n<li>Select the <strong>Settings</strong> tab if it is not already active.</li>\n<li>In the <strong>Tailnet Lock</strong> section, select <strong>Manage</strong>.</li>\n<li>In the dialog that opens, the <strong>Tailnet Lock Key</strong> section shows the Tailnet Lock public key. Select the <strong>Copy</strong> icon to copy the key to your clipboard.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-signing-node\">Add a signing node</a></h2>\n<ol>\n<li>\n<p><a href=\"https://tailscale.com/docs/features/tailnet-lock#determine-public-key\">Determine the Tailnet Lock public key</a> for the node you want to add as a signing node.</p>\n</li>\n<li>\n<p>On a node with a trusted Tailnet Lock key, run the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-add\"><code>tailscale lock add</code></a> command, passing in the Tailnet Lock keys that you determined in the previous step.</p>\n</li>\n</ol>\n<p>This examples adds two signing nodes:</p>\n<pre><code class=\"language-shell\">tailscale lock add tlpub:trusted-key1 tlpub:trusted-key2\n</code></pre>\n<p>Replace these example values with your Tailnet Lock key or keys.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#remove-a-signing-node\">Remove a signing node</a></h2>\n<p>You need to run this process from a node with a trusted Tailnet Lock key.</p>\n<ol>\n<li>\n<p>If you don't already have the Tailnet Lock public key for each node you want to remove as a signing node, <a href=\"https://tailscale.com/docs/features/tailnet-lock#determine-public-key\">determine the Tailnet Lock public key</a>.</p>\n</li>\n<li>\n<p>On a node with a trusted Tailnet Lock key, run the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\"><code>tailscale lock remove</code></a> command, passing in the Tailnet Lock keys that you determined in the previous step.</p>\n</li>\n</ol>\n<p>This example removes two signing nodes:</p>\n<pre><code class=\"language-shell\">tailscale lock remove tlpub:trusted-key7 tlpub:trusted-key8\n</code></pre>\n<p>Replace these example values with your Tailnet Lock key or keys.</p>\n<p>When you remove a signing node <em>Node-B</em> by running <code>tailscale lock remove</code> on node <em>Node-A</em>, by default all nodes previously signed by Node-B are re-signed with Node-A's key. You can disable this by passing in <code>--re-sign=false</code> to the <code>tailscale lock remove</code> command.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#revoke-a-compromised-signing-node\">Revoke a compromised signing node</a></h2>\n<p>If a signing node becomes compromised, revoke the compromised key by running the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-revoke-keys\"><code>tailscale lock revoke-keys</code></a> command. Once you revoke a key, you can no longer use it for Tailnet Lock. Any nodes that were previously signed by a revoked key lose their authorization and require a new signature.</p>\n<p>If you want to remove a key that is not compromised, use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\"><code>tailscale lock remove</code></a> command instead.</p>\n<p>Revocation is a multi-step process that requires several signing nodes to co-sign the revocation. Each step uses the <code>tailscale lock revoke-keys</code> command.</p>\n<ol>\n<li>\n<p>Open a terminal on a signing node that does not have a compromised key.</p>\n</li>\n<li>\n<p>Run the <code>tailscale lock revoke-keys</code> command.</p>\n</li>\n</ol>\n<p>This example revokes two signing nodes - <code>tlpub:compromised-key1 tlpub:compromised-key2</code> is a space-separated list of the keys to revoke:</p>\n<pre><code class=\"language-shell\">tailscale lock revoke-keys tlpub:compromised-key1 tlpub:compromised-key2\n</code></pre>\n<p>Replace these example values with your Tailnet Lock key or keys.</p>\n<p>The output of this command contains a <code>tailscale lock revoke-keys --cosign</code> command, which you will use in the next step.</p>\n<ol start=\"3\">\n<li>\n<p>On another trusted signing node, run the <code>tailscale lock revoke-keys --cosign</code> command. The output of this command contains a new <code>tailscale lock revoke-keys --cosign</code> command. Repeat this process, always using the new output from each <code>--cosign</code> command, until the number of times you used <code>--cosign</code> exceeds the number of revoked keys. For example, if you revoked 3 keys, you need to run the <code>tailscale lock revoke-keys --cosign</code> command 4 times.</p>\n</li>\n<li>\n<p>Finish the process by running the command that was output from the last use of <code>--cosign</code> <strong>except</strong> replace <code>--cosign</code> with <code>--finish</code>:</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock revoke-keys --finish &#x3C;hex-data>\n</code></pre>\n<p>Replace this example value with your hex data.</p>\n<p>By default, Tailscale will determine the appropriate point in the Tailnet Lock log to fork. If more signing nodes agree that a key should be revocable than not, then your tailnet uses the keys in the fork that Tailscale determined as still trustworthy, instead of the revoked keys.</p>\n<p>If the majority of signing nodes become compromised, you can disable and then re-enable Tailnet Lock itself.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#how-tailnet-lock-works-with-other-tailscale-features\">How Tailnet Lock works with other Tailscale features</a></h2>\n<p>Take the following into consideration for how Tailnet Lock works with other Tailscale features.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#sharing\">Sharing</a></h3>\n<p>To use Tailnet Lock with the <a href=\"https://tailscale.com/docs/features/sharing\">sharing feature</a>, a node shared into a tailnet with Tailnet Lock requires a signature before it is accessible.</p>\n<p>To share nodes out of a tailnet with Tailnet Lock, the user who accepts the share invite needs to have their nodes signed in the locked tailnet before they can access the shared node.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tailnet-lock#tailscale-ssh-console\">Tailscale SSH Console</a></h3>\n<p>You can use <a href=\"https://tailscale.com/docs/features/tailscale-ssh/tailscale-ssh-console\">Tailscale SSH Console</a> to establish an SSH session for a signed node in your tailnet, provided:</p>\n<ul>\n<li>your <a href=\"https://tailscale.com/docs/features/access-control/acls\">tailnet policy file</a> permits network access.</li>\n<li>a <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">Tailscale SSH rule</a> permits SSH access.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#configuration-audit-logging\">Configuration audit logging</a></h2>\n<p>Enabling, disabling, or modifying Tailnet Lock configuration creates events that will appear in the <a href=\"https://tailscale.com/docs/features/logging/audit-logging\">configuration audit logs</a>.</p>\n<p>Independent of configuration audit logging, you can run the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-log\"><code>tailscale lock log</code></a> command on a node to find recent Tailnet Lock changes to your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#tailnet-lock-state\">Tailnet Lock state</a></h2>\n<p>Tailnet Lock tries to store data in the Tailscale state directory of each node:</p>\n<ul>\n<li>If you use the macOS, Windows, iOS, Android, and tvOS clients, the state directory is set automatically.</li>\n<li>If you run the <a href=\"https://tailscale.com/docs/reference/tailscaled\"><code>tailscaled</code> daemon</a>, the state directory is set by the <a href=\"https://tailscale.com/docs/reference/tailscaled#flags-to-tailscaled\"><code>--statedir</code></a> or <code>--state</code> flags.</li>\n<li>If you use the default systemd unit files distributed with the official Tailscale <code>deb</code>, <code>rpm</code> and <code>tar.gz</code> packages, the <code>--state</code> flag is set automatically.</li>\n<li>If you use Tailscale in Docker or Kubernetes, the state directory is set by the <a href=\"https://tailscale.com/docs/features/containers/docker#ts_state_dir\"><code>TS_STATE_DIR</code> environment variable</a>.</li>\n</ul>\n<p>If you do not provide a state directory, Tailscale must store Tailnet Lock data in-memory.\r\nThis means your node must re-fetch the complete state from the control plane whenever it starts.</p>\n<p>We strongly recommend setting a state directory, which removes this control plane startup dependency.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-lock#limitations\">Limitations</a></h2>\n<ul>\n<li>You need to securely store the <a href=\"https://tailscale.com/docs/features/tailnet-lock#disablement-secrets\">disablement secrets</a> yourself. If you lose your disablement secrets, and you did not provide one to Tailscale support, the tailnet cannot be recovered.</li>\n<li>You can have a maximum of 20 signing nodes in your tailnet.</li>\n<li>To prevent unbounded growth of the TKA, rotate Tailnet Lock keys at most once per year.</li>\n<li>You cannot enable both Tailnet Lock and <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a>—they are mutually exclusive features.</li>\n<li>Tailnet Lock keys are stored on the device. If the device is compromised, the key can be obtained.</li>\n<li>You cannot use an Android device as a signing node, because it cannot be used for signing operations. <em>This is being worked on.</em></li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}