Not even that. An attacker with local root can just extract the wireguard keys f... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		cronos 3 months ago \| parent \| context \| favorite \| on: Tailscale state file encryption no longer enabled ... Not even that. An attacker with local root can just extract the wireguard keys from process memory, or use the TPM to decrypt the state file like Tailscale would. The only scenario where it helps is a local attacker who can read the state file on disk, but is not full root. Kinda unlikely on Linux, but could happen on Windows.

nottorp 3 months ago [–]

> An attacker with local root can just extract the wireguard keys from process memory, or use the TPM to decrypt the state file like Tailscale would.

That was my point :)

Consider applying for YC's Summer 2026 batch! Applications are open till May 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact