January 7, 2026
Toggle-gate: switch-flip saga
Tailscale state file encryption no longer enabled by default
Tailscale flips the safety switch off by default — admins cheer, worriers worry
TLDR: Tailscale turned off default lock-down on saved settings and hardware keys after widespread device chip (TPM) headaches. The community is split: admins call it common sense, security purists call it risky; either way, you’ll need to switch this protection on yourself, making it a must-watch change.
Tailscale quietly reversed course: encryption of its local settings (“state file”) and the special hardware keys that prove device identity are no longer turned on automatically. The crowd reacted like a split-screen: one half yelling “u‑turn!”, the other half sighing “finally, sanity.” As commenter traceroute66 put it, this is a “significant u-turn,” rolling back a change from version 1.90.2 where it had been on by default.
Why the flip? Speculators say support nightmares. jsiepkes guesses it was “too support intensive,” and rstat1 points to the official explanation in a PR: TPM chips (tiny security modules in devices) are wildly inconsistent, causing chaos. Meanwhile, xyzzy_plugh declares it never should’ve been default anyway, calling it a “huge foot gun” for many devices. The new tweak also ensures Tailscale starts even if the hardware keys don’t load—cue jokes like “TPM = Too Problematic, Man.”
Security diehards want timelines and assurances; jkaplowitz hopes Tailscale will fix the issues and re-enable the default soon, while pragmatists are popping champagne that their fleets won’t brick after a TPM swap. Other release notes (Docker images, Kubernetes operator updates, and PROXY protocol support) barely got a cameo. The real show is toggle-gate: convenience vs paranoia, with memes firing from both sides.
Key Points
- On Linux, state file encryption and hardware attestation keys are no longer enabled by default, and client startup proceeds even if attestation keys fail to load (e.g., after TPM reset/replacement).
- A new Tailscale container image is available on Docker Hub and GitHub Packages; hosts without nftables can use iptables.
- The Tailscale Kubernetes Operator adds workload identity federation, HTTP-to-HTTPS redirect annotations, HA Recorder replicas (requiring S3), ArgoCD compatibility, and reconciliation/deletion fixes.
- Across platforms, Funnel and Serve support the PROXY protocol; Peer Relays gain static endpoints, improved advertisements, and handshake reliability; nodes can authenticate via workload identity federation flags.
- Security and stability fixes include resolving Tailnet Lock signing enforcement without statedir/TS_STATE_DIR (TS-2025-008), Peer Relay deadlocks/memory leaks, wake/hang behavior, DNS switching, and logging to the control plane (disable with TS_NO_LO).
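The PROXY protocol support for Funnel and Serve matters to a backend because the first bytes of each forwarded connection now carry the original client address, and a backend that ignores or mis-parses that line will log Tailscale's proxy address instead of the real peer. The following is an added example, not Tailscale code, of a strict PROXY protocol v1 parser a backend can run before handing the rest of the stream to its normal handler. The sample header bytes are constructed for the example; the parser rejects anything that is not a well-formed header rather than guessing.

```python
"""Strict PROXY protocol v1 header parser (added example; not Tailscale code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# The v1 spec caps the header (including CRLF) at 107 bytes; a receiver
# that has not seen CRLF by then must treat the stream as malformed.
MAX_V1_HEADER = 107


@dataclass(frozen=True)
class ProxyInfo:
    family: str            # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]  # original client address as seen by the proxy
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def _port(text: str) -> int:
    # Decimal only, no sign or whitespace, within the TCP port range.
    if not text.isdigit() or len(text) > 5:
        raise ValueError(f"bad port field: {text!r}")
    value = int(text)
    if value > 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse a v1 header at the start of `data`.

    Returns (ProxyInfo, remaining_bytes). Raises ValueError on any malformed
    input so the caller can close the connection instead of trusting it.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not begin with a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within 107 bytes; header malformed or truncated")
    line = data[:end].decode("ascii")  # v1 headers are ASCII by definition
    fields = line.split(" ")
    remainder = data[end + 2:]

    # "PROXY UNKNOWN ..." is legal: the proxy could not determine addresses.
    if fields[1] == "UNKNOWN":
        return ProxyInfo("UNKNOWN", None, None, None, None), remainder

    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    _, family, src, dst, sport, dport = fields
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported family: {family!r}")

    src_addr, dst_addr = ip_address(src), ip_address(dst)  # raises on junk
    want = 4 if family == "TCP4" else 6
    if src_addr.version != want or dst_addr.version != want:
        raise ValueError("address family does not match declared protocol")

    info = ProxyInfo(family, str(src_addr), str(dst_addr), _port(sport), _port(dport))
    return info, remainder


def client_for_log(data: bytes) -> str:
    """Address string a backend should write to its access log."""
    info, _ = parse_proxy_v1(data)
    if info.family == "UNKNOWN":
        return "unknown"
    return f"{info.src_ip}:{info.src_port}"


if __name__ == "__main__":
    # Constructed sample: a v1 header followed by the start of an HTTP request.
    sample = b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\nGET / HTTP/1.1\r\n"
    info, rest = parse_proxy_v1(sample)
    print(info, rest)
    print(client_for_log(sample))
```

Call `parse_proxy_v1` exactly once per accepted connection, before any application-level read, and treat a `ValueError` as a reason to drop the connection; a backend that is only ever reachable through the proxy should never see a stream without the header, so its absence is itself a signal worth logging.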