{"slug":"tailscale-lock-command","title":"tailscale lock command","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# tailscale lock command\r\n\r\nLast validated: Jan 5, 2026\r\n\r\n`tailscale lock` manages [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock) for your tailnet.\r\n\r\n```shell\r\ntailscale lock <subcommand> [flags] <args>\r\n```\r\n\r\nSubcommands:\r\n\r\n- [`init`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init) Initializes Tailnet Lock.\r\n- [`status`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status) Outputs the state of Tailnet Lock.\r\n- [`add`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-add) Adds one or more trusted signing keys to Tailnet Lock.\r\n- [`remove`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove) Removes one or more trusted signing keys from Tailnet Lock.\r\n- [`sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) Signs a node key and transmits the signature to the coordination server.\r\n- [`disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable) Consumes a disablement secret to shut down Tailnet Lock for the tailnet.\r\n- [`log`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-log) Lists changes applied to Tailnet Lock.\r\n- [`local-disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-local-disable) Disables Tailnet Lock for this node only.\r\n- [`revoke-keys`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-revoke-keys) Retroactively revoke one or more Tailnet Lock keys.\r\n\r\nRunning `Tailnet Lock` with no subcommand and no arguments is equivalent to running [`tailscale lock status`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status).\r\n\r\nExample:\r\n\r\n```shell\r\ntailscale lock\r\n```\r\n\r\nExample output:\r\n\r\n```shell\r\nTailnet Lock is ENABLED.\r\n\r\nThis node is accessible under Tailnet Lock.\r\n\r\nThis node's tailnet-lock key: tlpub:1234abcdef\r\n\r\nTrusted signing keys:\r\n\ttlpub:1234abcdef\t(us)\r\n```\r\n\r\n## [lock init](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-init)\r\n\r\nInitializes [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock) for the entire tailnet.\r\n\r\n```shell\r\ntailscale lock init [flags] <tlpub:trusted-key1 tlpub:trusted-key2 ...>\r\n```\r\n\r\nAvailable flags:\r\n\r\n- `--confirm=false` Whether to prompt for confirmation. If `true`, there is no prompt for confirmation.\r\n- `--gen-disablement-for-support` Generate an additional disablement secret and transmit it to Tailscale support. Tailscale support can then use it to disable Tailnet Lock. Note that if Tailscale support disables Tailnet Lock, it will remain disabled and Tailscale support cannot re-enable it, so this would be considered an emergency recovery mechanism, not a temporary disabling of Tailnet Lock.\r\n- `--gen-disablements <N>` Number of disablement secrets to generate. If not specified, defaults to one disablement secret, which is the minimum required to initialize Tailnet Lock.\r\n\r\nThe Tailnet Lock keys specified are those initially trusted to sign nodes or to make further changes to your Tailnet Lock configuration. These are Tailnet Lock public keys. You can identify the Tailnet Lock key for a node you wish to trust by running `tailscale lock` on that node and then copying the node's Tailnet Lock key.\r\n\r\nYou must specify the Tailnet Lock key for the node where you are running `tailscale lock init` as one of the trusted Tailnet Lock keys. The list of additional keys must be space-separated.\r\n\r\nThe disablement secrets are displayed only when you initialize Tailnet Lock. Make note of them and secure them in a safe place.\r\n\r\nExample:\r\n\r\n```shell\r\ntailscale lock init --gen-disablements=3 --gen-disablement-for-support \\\r\n  --confirm tlpub:1234abcdef\r\n```\r\n\r\nExample output:\r\n\r\n```markup\r\nYou are initializing Tailnet Lock with the following trusted signing keys:\r\n - tlpub:1234abcdef (25519 key)\r\n\r\n3 disablement secrets have been generated and are printed below. Take note of them now, they WILL NOT be shown again.\r\n\tdisablement-secret:ABC1234\r\n\tdisablement-secret:DEF5678\r\n\tdisablement-secret:GHI9012\r\nA disablement secret for Tailscale support has been generated and will be transmitted to Tailscale upon initialization.\r\nInitialization complete.\r\n```\r\n\r\nThe disablement secrets are long passwords needed to disable your Tailnet Lock. Refer to the [`tailscale lock disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable) command for more information.\r\n\r\nThe number of disablement secrets will be the value you specified for `--gen-disablements`. If you set `--gen-disablement-for-support`, you'll receive a message about a disablement secret being generated for Tailscale support.\r\n\r\n## [lock status](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-status)\r\n\r\nOutputs the state of Tailnet Lock. The command shows whether Tailnet Lock is enabled, the value of the node's Tailnet Lock public key, and which nodes are locked out by Tailnet Lock and cannot connect to other nodes.\r\n\r\n```shell\r\ntailscale lock status [flags]\r\n```\r\n\r\nAvailable flags:\r\n\r\n- `--json` Return a machine-readable JSON response.\r\n\r\nExample:\r\n\r\n```shell\r\ntailscale lock status\r\n```\r\n\r\nExample output:\r\n\r\n```markup\r\nTailnet Lock is ENABLED.\r\n\r\nThis node is accessible under Tailnet Lock.\r\n\r\nThis node's tailnet-lock key: tlpub:1234abcdef\r\n\r\nTrusted signing keys:\r\n\ttlpub:1234abcdef\t(us)\r\n```\r\n\r\nIf the node you run `tailscale lock status` on doesn't have an accessible key, the output will look like:\r\n\r\n```markup\r\nThis node is LOCKED OUT by tailnet-lock, and action is required to establish connectivity.\r\nRun the following command on a node with a trusted key:\r\n\ttailscale lock sign nodekey:abcdef12 tlpub:11223344\r\n```\r\n\r\nIf one of your peer nodes is locked out of your tailnet, after the list of trusted signing keys, the output will look like:\r\n\r\n```markup\r\n The following nodes are locked out by Tailnet Lock and cannot connect to other nodes:\r\n\tbob.yak-bebop.ts.net.\t100.111.222.33, fd7a:115c:a1e0:aabb:ccdd:eeff:0123:4567\tn12345CNTRL\r\n```\r\n\r\n## [lock add](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-add)\r\n\r\nAdds one or more trusted signing keys to Tailnet Lock.\r\n\r\nThis command needs to be run from a node with a trusted Tailnet Lock key.\r\n\r\n```shell\r\ntailscale lock add <tlpub:trusted-key1 tlpub:trusted-key2 ...>\r\n```\r\n\r\nThe Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running `tailscale lock` on that node and then copying the node's Tailnet Lock key.\r\n\r\nThe list of additional keys must be space-separated.\r\n\r\n## [lock remove](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-remove)\r\n\r\nRemoves one or more trusted signing keys from Tailnet Lock.\r\n\r\nThis command needs to be run from a node with a trusted Tailnet Lock key.\r\n\r\n```shell\r\ntailscale lock remove [flags] <tlpub:trusted-key1 tlpub:trusted-key2 ...>\r\n```\r\n\r\nAvailable flags:\r\n\r\n- `--re-sign` Resign signatures which would be invalidated by removal of trusted signing keys. Defaults to true.\r\n\r\nThe Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running `tailscale lock` on that node and then copying the node's Tailnet Lock key.\r\n\r\nThe list of additional keys must be space-separated.\r\n\r\n## [lock sign](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-sign)\r\n\r\nPerforms signing operations. `tailscale lock sign` has two signing modes:\r\n\r\n- Signs a node key using the Tailnet Lock key on the current node (the node where the command is running), and transmits the signature to the coordination server.\r\n- Signs a [pre-approved auth key](https://tailscale.com/docs/features/access-control/auth-keys), printing it in a form that can be used to bring up nodes under [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock). Specifically, it [signs the auth key](https://tailscale.com/docs/features/tailnet-lock#add-a-node-using-a-pre-signed-auth-key) so it can authenticate a new node without needing to _then_ sign the new node before adding it to the tailnet. Each signed auth key, also known as a wrapped auth key, embeds a signing key that can sign a new node or multiple nodes, until it has been [removed](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove).\r\n\r\nSigning a node key is necessary to establish connectivity for nodes which are locked out by Tailnet Lock.\r\n\r\nIf any of the key arguments begin with `file:`, the key is retrieved from the file at the path specified in the argument suffix.\r\n\r\nThis command needs to be run from a node with a trusted Tailnet Lock key.\r\n\r\n```shell\r\ntailscale lock sign <node-key> [<rotation-key>]\r\n```\r\n\r\nor\r\n\r\n```shell\r\ntailscale lock sign <auth-key>\r\n```\r\n\r\nExamples:\r\n\r\nThis example demonstrates signing a node key, optionally using the node's Tailnet Lock key (`tlpub:trusted-key2`) to support key rotation.\r\n\r\n```shell\r\ntailscale lock sign nodekey:1abddef1 tlpub:trusted-key2\r\n```\r\n\r\nThis example shows signing an auth key. For this example, `$AUTH_KEY` is an environment variable set to a [pre-approved](https://tailscale.com/docs/features/access-control/auth-keys#types-of-auth-keys) auth key that you [already generated](https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key).\r\n\r\n```shell\r\ntailscale lock sign $AUTH_KEY\r\n```\r\n\r\nThe output from successfully running the command is a signed pre-approved auth key, which you can then use to [pre-approve a device](https://tailscale.com/docs/features/access-control/device-management/device-approval#pre-approve-devices-with-an-auth-key) in your tailnet.\r\n\r\nWhen you create a signed auth key, a new trusted signing key gets created for it, which is added to the [tailnet key authority](https://tailscale.com/docs/features/tailnet-lock#tailnet-key-authority). The private key of the signing key gets encoded in the signed auth key. A signed auth key is equivalent to a private signing key on a signing node in your tailnet, and poses a risk to your tailnet if leaked. Even if the auth key is single-use, the signing key remains trusted until it's removed from the tailnet key authority.\r\n\r\nFor security best practices, we do not recommend using signed auth keys.\r\n\r\n## [lock disable](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-disable)\r\n\r\nConsumes the specified disablement secret to disable Tailnet Lock for the entire tailnet.\r\n\r\n```shell\r\ntailscale lock disable <disablement-secret>\r\n```\r\n\r\nDisabling Tailnet Lock is a security-relevant operation—if the disablement procedure lacked authorization checks, a compromised control plane could trivially disable Tailnet Lock (and all its protections) to attack a tailnet as before. To avoid this, use of a disablement secret is required to globally disable Tailnet Lock.\r\n\r\nDisablement secrets are long passwords generated during the process of enabling Tailnet Lock, when you ran [`tailscale lock init`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init). The key derivation function (KDF) derived value of each disablement secret is stored by each node's tailnet key authority (and hence known by every node in a tailnet), but the secret itself remains confidential until use.\r\n\r\nWhen a disablement secret is used, the secret is distributed to all nodes in the tailnet. Each node can then verify the authenticity of the disablement operation by computing the KDF value of the secret, and comparing it to the stored KDF values in their tailnet key authority (TKA). If they match, then the node can be sure the disablement was authentic, and disable Tailnet Lock locally.\r\n\r\nOnce the specified `disablement-secret` secret is used, it has been distributed to all nodes in the tailnet and should be considered public.\r\n\r\nIf Tailnet Lock is re-enabled, new disablement secrets will be generated.\r\n\r\nExample:\r\n\r\n```shell\r\ntailscale lock disable disablement-secret:ABC1234\r\n```\r\n\r\n## [lock disablement-kdf](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-disablement-kdf)\r\n\r\nCompute a disablement value from a disablement secret. This command is for advanced users only.\r\n\r\n```shell\r\ntailscale lock disablement-kdf <hex-encoded-disablement-secret>\r\n```\r\n\r\n## [lock log](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-log)\r\n\r\nList changes applied to Tailnet Lock.\r\n\r\n```shell\r\ntailscale lock log [flags]\r\n```\r\n\r\nAvailable flags:\r\n\r\n- `--json` Return a machine-readable JSON response.\r\n- `--limit` Maximum number of changes to list. Defaults to 50.\r\n\r\nExample:\r\n\r\n```shell\r\ntailscale lock log\r\n```\r\n\r\nExample output:\r\n\r\n```markup\r\nupdate 17310b8e655867d3973a72cd20bc7c21f81f7687b4e7911c285f2eb16df5df36 (checkpoint)\r\nDisablement values:\r\n - 1234abcd\r\n - 9876aaaa\r\n - c1d2e3f4\r\n - 8f6e4d2c\r\nKeys:\r\n  Type: 25519\r\n  KeyID: 1234abcdef\r\n  Votes: 1\r\n```\r\n\r\n## [lock local-disable](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-local-disable)\r\n\r\nDisables Tailnet Lock for this node only.\r\n\r\n```shell\r\ntailscale lock local-disable\r\n```\r\n\r\nThis command disables Tailnet Lock for only the current node (the node where the command is running). If Tailnet Lock is disabled just for this node, the node will now accept traffic from other nodes that are locked out. It does not mean that the node can send or receive traffic from other nodes in the tailnet that are signed.\r\n\r\nIf you encounter a significant issue with Tailnet Lock for your entire tailnet and can't disable it with [`tailscale lock disable`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable) (for example, if you can't locate your disablement secret), you could run `tailscale lock local-disable` on each of your nodes to make your tailnet in effect ignore Tailnet Lock.\r\n\r\n## [lock revoke-keys](https://tailscale.com/docs/reference/tailscale-cli/lock\\#lock-revoke-keys)\r\n\r\nRetroactively revoke the specified Tailnet Lock keys.\r\n\r\nThis command needs to be run from a node with a trusted Tailnet Lock key.\r\n\r\n```shell\r\ntailscale lock revoke-keys <tlpub:key1 tlpub:key2 ...> [flags]\r\n```\r\n\r\nAvailable flags:\r\n\r\n- `--cosign=false` Continue the key revocation using the Tailnet Lock key on this device and the provided recovery command from another device with a trusted Tailnet Lock key that has run `tailscale lock revoke-keys`.\r\n- `--finish=false` Finish the recovery process by transmitting the revocation.\r\n- `--fork-from <hash>` (Advanced users only) Hash of the parent [authority update message](https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#authority-update-messages-aums) (AUM) from which to rewrite the tailnet key authority state.\r\n\r\nThe Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running `tailscale lock` on that node and then copying the node's Tailnet Lock key.\r\n\r\nThe list of additional keys must be space-separated.\r\n\r\nIf you want to remove a key that has not been compromised, use the [`tailscale lock remove`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove) command instead.\r\n\r\nRevocation is a multi-step process that requires several signing nodes to co-sign the revocation. Each step uses the `tailscale lock revoke-keys` command.\r\n\r\n1. Open a terminal on a signing node that does not have a compromised key.\r\n\r\n2. Run the following command, where `<tlpub:compromised-key1 tlpub:compromised-key2>` is a space-separated list of the keys that you want to revoke:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock revoke-keys tlpub:compromised-key1 tlpub:compromised-key2\r\n```\r\n\r\n\r\n\r\nThe output of this command contains a `tailscale lock revoke-keys --cosign` command, which you will use in the next step.\r\n\r\n3. On another trusted signing node, run the `tailscale lock revoke-keys --cosign` command. The output of this command contains a new `tailscale lock revoke-keys --cosign` command. Repeat this process, always using the new output from each `--cosign` command, until the number of times you used `--cosign` exceeds the number of revoked keys. For example, if you revoked 3 keys, you need to run the `tailscale lock revoke-keys --cosign` command 4 times.\r\n\r\n4. Finish the process by running the command that was output from the last use of `--cosign` **except** replace `--cosign` with `--finish`:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale lock revoke-keys --finish <hex-data>\r\n```\r\n\r\n\r\nBy default, Tailscale will determine the appropriate point in the Tailnet Lock log to fork. If more signing nodes agree that a key should be revoked than not, then the keys in the fork that Tailscale determined to still be trusted are then used instead of the revoked keys.\r\n\r\nIf the majority of signing nodes are compromised, you can [disable](https://tailscale.com/docs/features/tailnet-lock#disable-tailnet-lock) and then [re-enable](https://tailscale.com/docs/features/tailnet-lock#enable-tailnet-lock) Tailnet Lock itself.\r\n","html":"<h1>tailscale lock command</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p><code>tailscale lock</code> manages <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a> for your tailnet.</p>\n<pre><code class=\"language-shell\">tailscale lock &#x3C;subcommand> [flags] &#x3C;args>\n</code></pre>\n<p>Subcommands:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init\"><code>init</code></a> Initializes Tailnet Lock.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status\"><code>status</code></a> Outputs the state of Tailnet Lock.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-add\"><code>add</code></a> Adds one or more trusted signing keys to Tailnet Lock.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\"><code>remove</code></a> Removes one or more trusted signing keys from Tailnet Lock.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>sign</code></a> Signs a node key and transmits the signature to the coordination server.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable\"><code>disable</code></a> Consumes a disablement secret to shut down Tailnet Lock for the tailnet.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-log\"><code>log</code></a> Lists changes applied to Tailnet Lock.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-local-disable\"><code>local-disable</code></a> Disables Tailnet Lock for this node only.</li>\n<li><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-revoke-keys\"><code>revoke-keys</code></a> Retroactively revoke one or more Tailnet Lock keys.</li>\n</ul>\n<p>Running <code>Tailnet Lock</code> with no subcommand and no arguments is equivalent to running <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status\"><code>tailscale lock status</code></a>.</p>\n<p>Example:</p>\n<pre><code class=\"language-shell\">tailscale lock\n</code></pre>\n<p>Example output:</p>\n<pre><code class=\"language-shell\">Tailnet Lock is ENABLED.\r\n\r\nThis node is accessible under Tailnet Lock.\r\n\r\nThis node's tailnet-lock key: tlpub:1234abcdef\r\n\r\nTrusted signing keys:\r\n\ttlpub:1234abcdef\t(us)\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init\">lock init</a></h2>\n<p>Initializes <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a> for the entire tailnet.</p>\n<pre><code class=\"language-shell\">tailscale lock init [flags] &#x3C;tlpub:trusted-key1 tlpub:trusted-key2 ...>\n</code></pre>\n<p>Available flags:</p>\n<ul>\n<li><code>--confirm=false</code> Whether to prompt for confirmation. If <code>true</code>, there is no prompt for confirmation.</li>\n<li><code>--gen-disablement-for-support</code> Generate an additional disablement secret and transmit it to Tailscale support. Tailscale support can then use it to disable Tailnet Lock. Note that if Tailscale support disables Tailnet Lock, it will remain disabled and Tailscale support cannot re-enable it, so this would be considered an emergency recovery mechanism, not a temporary disabling of Tailnet Lock.</li>\n<li><code>--gen-disablements &#x3C;N></code> Number of disablement secrets to generate. If not specified, defaults to one disablement secret, which is the minimum required to initialize Tailnet Lock.</li>\n</ul>\n<p>The Tailnet Lock keys specified are those initially trusted to sign nodes or to make further changes to your Tailnet Lock configuration. These are Tailnet Lock public keys. You can identify the Tailnet Lock key for a node you wish to trust by running <code>tailscale lock</code> on that node and then copying the node's Tailnet Lock key.</p>\n<p>You must specify the Tailnet Lock key for the node where you are running <code>tailscale lock init</code> as one of the trusted Tailnet Lock keys. The list of additional keys must be space-separated.</p>\n<p>The disablement secrets are displayed only when you initialize Tailnet Lock. Make note of them and secure them in a safe place.</p>\n<p>Example:</p>\n<pre><code class=\"language-shell\">tailscale lock init --gen-disablements=3 --gen-disablement-for-support \\\r\n  --confirm tlpub:1234abcdef\n</code></pre>\n<p>Example output:</p>\n<pre><code class=\"language-markup\">You are initializing Tailnet Lock with the following trusted signing keys:\r\n - tlpub:1234abcdef (25519 key)\r\n\r\n3 disablement secrets have been generated and are printed below. Take note of them now, they WILL NOT be shown again.\r\n\tdisablement-secret:ABC1234\r\n\tdisablement-secret:DEF5678\r\n\tdisablement-secret:GHI9012\r\nA disablement secret for Tailscale support has been generated and will be transmitted to Tailscale upon initialization.\r\nInitialization complete.\n</code></pre>\n<p>The disablement secrets are long passwords needed to disable your Tailnet Lock. Refer to the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable\"><code>tailscale lock disable</code></a> command for more information.</p>\n<p>The number of disablement secrets will be the value you specified for <code>--gen-disablements</code>. If you set <code>--gen-disablement-for-support</code>, you'll receive a message about a disablement secret being generated for Tailscale support.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-status\">lock status</a></h2>\n<p>Outputs the state of Tailnet Lock. The command shows whether Tailnet Lock is enabled, the value of the node's Tailnet Lock public key, and which nodes are locked out by Tailnet Lock and cannot connect to other nodes.</p>\n<pre><code class=\"language-shell\">tailscale lock status [flags]\n</code></pre>\n<p>Available flags:</p>\n<ul>\n<li><code>--json</code> Return a machine-readable JSON response.</li>\n</ul>\n<p>Example:</p>\n<pre><code class=\"language-shell\">tailscale lock status\n</code></pre>\n<p>Example output:</p>\n<pre><code class=\"language-markup\">Tailnet Lock is ENABLED.\r\n\r\nThis node is accessible under Tailnet Lock.\r\n\r\nThis node's tailnet-lock key: tlpub:1234abcdef\r\n\r\nTrusted signing keys:\r\n\ttlpub:1234abcdef\t(us)\n</code></pre>\n<p>If the node you run <code>tailscale lock status</code> on doesn't have an accessible key, the output will look like:</p>\n<pre><code class=\"language-markup\">This node is LOCKED OUT by tailnet-lock, and action is required to establish connectivity.\r\nRun the following command on a node with a trusted key:\r\n\ttailscale lock sign nodekey:abcdef12 tlpub:11223344\n</code></pre>\n<p>If one of your peer nodes is locked out of your tailnet, after the list of trusted signing keys, the output will look like:</p>\n<pre><code class=\"language-markup\"> The following nodes are locked out by Tailnet Lock and cannot connect to other nodes:\r\n\tbob.yak-bebop.ts.net.\t100.111.222.33, fd7a:115c:a1e0:aabb:ccdd:eeff:0123:4567\tn12345CNTRL\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-add\">lock add</a></h2>\n<p>Adds one or more trusted signing keys to Tailnet Lock.</p>\n<p>This command needs to be run from a node with a trusted Tailnet Lock key.</p>\n<pre><code class=\"language-shell\">tailscale lock add &#x3C;tlpub:trusted-key1 tlpub:trusted-key2 ...>\n</code></pre>\n<p>The Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running <code>tailscale lock</code> on that node and then copying the node's Tailnet Lock key.</p>\n<p>The list of additional keys must be space-separated.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\">lock remove</a></h2>\n<p>Removes one or more trusted signing keys from Tailnet Lock.</p>\n<p>This command needs to be run from a node with a trusted Tailnet Lock key.</p>\n<pre><code class=\"language-shell\">tailscale lock remove [flags] &#x3C;tlpub:trusted-key1 tlpub:trusted-key2 ...>\n</code></pre>\n<p>Available flags:</p>\n<ul>\n<li><code>--re-sign</code> Resign signatures which would be invalidated by removal of trusted signing keys. Defaults to true.</li>\n</ul>\n<p>The Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running <code>tailscale lock</code> on that node and then copying the node's Tailnet Lock key.</p>\n<p>The list of additional keys must be space-separated.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\">lock sign</a></h2>\n<p>Performs signing operations. <code>tailscale lock sign</code> has two signing modes:</p>\n<ul>\n<li>Signs a node key using the Tailnet Lock key on the current node (the node where the command is running), and transmits the signature to the coordination server.</li>\n<li>Signs a <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">pre-approved auth key</a>, printing it in a form that can be used to bring up nodes under <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a>. Specifically, it <a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-node-using-a-pre-signed-auth-key\">signs the auth key</a> so it can authenticate a new node without needing to <em>then</em> sign the new node before adding it to the tailnet. Each signed auth key, also known as a wrapped auth key, embeds a signing key that can sign a new node or multiple nodes, until it has been <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\">removed</a>.</li>\n</ul>\n<p>Signing a node key is necessary to establish connectivity for nodes which are locked out by Tailnet Lock.</p>\n<p>If any of the key arguments begin with <code>file:</code>, the key is retrieved from the file at the path specified in the argument suffix.</p>\n<p>This command needs to be run from a node with a trusted Tailnet Lock key.</p>\n<pre><code class=\"language-shell\">tailscale lock sign &#x3C;node-key> [&#x3C;rotation-key>]\n</code></pre>\n<p>or</p>\n<pre><code class=\"language-shell\">tailscale lock sign &#x3C;auth-key>\n</code></pre>\n<p>Examples:</p>\n<p>This example demonstrates signing a node key, optionally using the node's Tailnet Lock key (<code>tlpub:trusted-key2</code>) to support key rotation.</p>\n<pre><code class=\"language-shell\">tailscale lock sign nodekey:1abddef1 tlpub:trusted-key2\n</code></pre>\n<p>This example shows signing an auth key. For this example, <code>$AUTH_KEY</code> is an environment variable set to a <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#types-of-auth-keys\">pre-approved</a> auth key that you <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key\">already generated</a>.</p>\n<pre><code class=\"language-shell\">tailscale lock sign $AUTH_KEY\n</code></pre>\n<p>The output from successfully running the command is a signed pre-approved auth key, which you can then use to <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#pre-approve-devices-with-an-auth-key\">pre-approve a device</a> in your tailnet.</p>\n<p>When you create a signed auth key, a new trusted signing key gets created for it, which is added to the <a href=\"https://tailscale.com/docs/features/tailnet-lock#tailnet-key-authority\">tailnet key authority</a>. The private key of the signing key gets encoded in the signed auth key. A signed auth key is equivalent to a private signing key on a signing node in your tailnet, and poses a risk to your tailnet if leaked. Even if the auth key is single-use, the signing key remains trusted until it's removed from the tailnet key authority.</p>\n<p>For security best practices, we do not recommend using signed auth keys.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable\">lock disable</a></h2>\n<p>Consumes the specified disablement secret to disable Tailnet Lock for the entire tailnet.</p>\n<pre><code class=\"language-shell\">tailscale lock disable &#x3C;disablement-secret>\n</code></pre>\n<p>Disabling Tailnet Lock is a security-relevant operation—if the disablement procedure lacked authorization checks, a compromised control plane could trivially disable Tailnet Lock (and all its protections) to attack a tailnet as before. To avoid this, use of a disablement secret is required to globally disable Tailnet Lock.</p>\n<p>Disablement secrets are long passwords generated during the process of enabling Tailnet Lock, when you ran <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-init\"><code>tailscale lock init</code></a>. The key derivation function (KDF) derived value of each disablement secret is stored by each node's tailnet key authority (and hence known by every node in a tailnet), but the secret itself remains confidential until use.</p>\n<p>When a disablement secret is used, the secret is distributed to all nodes in the tailnet. Each node can then verify the authenticity of the disablement operation by computing the KDF value of the secret, and comparing it to the stored KDF values in their tailnet key authority (TKA). If they match, then the node can be sure the disablement was authentic, and disable Tailnet Lock locally.</p>\n<p>Once the specified <code>disablement-secret</code> secret is used, it has been distributed to all nodes in the tailnet and should be considered public.</p>\n<p>If Tailnet Lock is re-enabled, new disablement secrets will be generated.</p>\n<p>Example:</p>\n<pre><code class=\"language-shell\">tailscale lock disable disablement-secret:ABC1234\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disablement-kdf\">lock disablement-kdf</a></h2>\n<p>Compute a disablement value from a disablement secret. This command is for advanced users only.</p>\n<pre><code class=\"language-shell\">tailscale lock disablement-kdf &#x3C;hex-encoded-disablement-secret>\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-log\">lock log</a></h2>\n<p>List changes applied to Tailnet Lock.</p>\n<pre><code class=\"language-shell\">tailscale lock log [flags]\n</code></pre>\n<p>Available flags:</p>\n<ul>\n<li><code>--json</code> Return a machine-readable JSON response.</li>\n<li><code>--limit</code> Maximum number of changes to list. Defaults to 50.</li>\n</ul>\n<p>Example:</p>\n<pre><code class=\"language-shell\">tailscale lock log\n</code></pre>\n<p>Example output:</p>\n<pre><code class=\"language-markup\">update 17310b8e655867d3973a72cd20bc7c21f81f7687b4e7911c285f2eb16df5df36 (checkpoint)\r\nDisablement values:\r\n - 1234abcd\r\n - 9876aaaa\r\n - c1d2e3f4\r\n - 8f6e4d2c\r\nKeys:\r\n  Type: 25519\r\n  KeyID: 1234abcdef\r\n  Votes: 1\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-local-disable\">lock local-disable</a></h2>\n<p>Disables Tailnet Lock for this node only.</p>\n<pre><code class=\"language-shell\">tailscale lock local-disable\n</code></pre>\n<p>This command disables Tailnet Lock for only the current node (the node where the command is running). If Tailnet Lock is disabled just for this node, the node will now accept traffic from other nodes that are locked out. It does not mean that the node can send or receive traffic from other nodes in the tailnet that are signed.</p>\n<p>If you encounter a significant issue with Tailnet Lock for your entire tailnet and can't disable it with <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-disable\"><code>tailscale lock disable</code></a> (for example, if you can't locate your disablement secret), you could run <code>tailscale lock local-disable</code> on each of your nodes to make your tailnet in effect ignore Tailnet Lock.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-revoke-keys\">lock revoke-keys</a></h2>\n<p>Retroactively revoke the specified Tailnet Lock keys.</p>\n<p>This command needs to be run from a node with a trusted Tailnet Lock key.</p>\n<pre><code class=\"language-shell\">tailscale lock revoke-keys &#x3C;tlpub:key1 tlpub:key2 ...> [flags]\n</code></pre>\n<p>Available flags:</p>\n<ul>\n<li><code>--cosign=false</code> Continue the key revocation using the Tailnet Lock key on this device and the provided recovery command from another device with a trusted Tailnet Lock key that has run <code>tailscale lock revoke-keys</code>.</li>\n<li><code>--finish=false</code> Finish the recovery process by transmitting the revocation.</li>\n<li><code>--fork-from &#x3C;hash></code> (Advanced users only) Hash of the parent <a href=\"https://tailscale.com/docs/concepts/tailnet-lock-whitepaper#authority-update-messages-aums\">authority update message</a> (AUM) from which to rewrite the tailnet key authority state.</li>\n</ul>\n<p>The Tailnet Lock keys specified are Tailnet Lock public keys. You can identify the Tailnet Lock key by running <code>tailscale lock</code> on that node and then copying the node's Tailnet Lock key.</p>\n<p>The list of additional keys must be space-separated.</p>\n<p>If you want to remove a key that has not been compromised, use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-remove\"><code>tailscale lock remove</code></a> command instead.</p>\n<p>Revocation is a multi-step process that requires several signing nodes to co-sign the revocation. Each step uses the <code>tailscale lock revoke-keys</code> command.</p>\n<ol>\n<li>\n<p>Open a terminal on a signing node that does not have a compromised key.</p>\n</li>\n<li>\n<p>Run the following command, where <code>&#x3C;tlpub:compromised-key1 tlpub:compromised-key2></code> is a space-separated list of the keys that you want to revoke:</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock revoke-keys tlpub:compromised-key1 tlpub:compromised-key2\n</code></pre>\n<p>The output of this command contains a <code>tailscale lock revoke-keys --cosign</code> command, which you will use in the next step.</p>\n<ol start=\"3\">\n<li>\n<p>On another trusted signing node, run the <code>tailscale lock revoke-keys --cosign</code> command. The output of this command contains a new <code>tailscale lock revoke-keys --cosign</code> command. Repeat this process, always using the new output from each <code>--cosign</code> command, until the number of times you used <code>--cosign</code> exceeds the number of revoked keys. For example, if you revoked 3 keys, you need to run the <code>tailscale lock revoke-keys --cosign</code> command 4 times.</p>\n</li>\n<li>\n<p>Finish the process by running the command that was output from the last use of <code>--cosign</code> <strong>except</strong> replace <code>--cosign</code> with <code>--finish</code>:</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale lock revoke-keys --finish &#x3C;hex-data>\n</code></pre>\n<p>By default, Tailscale will determine the appropriate point in the Tailnet Lock log to fork. If more signing nodes agree that a key should be revoked than not, then the keys in the fork that Tailscale determined to still be trusted are then used instead of the revoked keys.</p>\n<p>If the majority of signing nodes are compromised, you can <a href=\"https://tailscale.com/docs/features/tailnet-lock#disable-tailnet-lock\">disable</a> and then <a href=\"https://tailscale.com/docs/features/tailnet-lock#enable-tailnet-lock\">re-enable</a> Tailnet Lock itself.</p>\n"}