Project ideas from Hacker News discussions.

Tailscale state file encryption no longer enabled by default

📝 Discussion Summary

1. TPM Unreliability Causes Frequent Breakages

TPMs often reset or fail due to BIOS updates, hardware changes, VMs, and poor implementations, leading to Tailscale startup failures.
"Every time I have to upgrade my MB firmware it breaks bitlocker" (Thaxll).
"Updating the firmware or the OS does not actually erase the TPM... But voluntarily upgrading the BIOS or the OS looks exactly like tampering" (db48x).
cronos (Tailscale engineer): "TPMs are not reliable for non-malicious reasons... BIOS updates (when a TPM is implemented in firmware)."

2. Tailscale's Reversal Justified by Support Burden

Disabling default encryption avoids widespread breakage in heterogeneous environments like VMs and consumer hardware.
"this feature is too support intensive" (cronos).
"PR explaining why they disabled this function... tons of problems due to the variability of TPM quality" (rstat1).
"TPMs are a great tool for organizations... But the very heterogeneous fleet of devices that Tailscale users have is very difficult to support out of the box" (cronos).

3. Security Benefits Limited; Opt-In Makes Sense

Encrypting the state file protects against copying it to clone a node, but not against an attacker who already has local root; that makes it sensible for enterprises and risky as a default.
"An attacker with local root can just extract the wireguard keys from process memory" (cronos).
"this never should have been on by default. The end user needs to know they want to use the TPM. This is a huge foot gun" (xyzzy_plugh).
db48x: "In an enterprise environment... using TPMs for additional security is a great idea."


🚀 Project Ideas

Tailscale Secure Deployer

Summary

  • An automation script/service for installing and configuring Tailscale that detects the environment (VM, container, bare metal), sets the --encrypt-state flag only when the TPM can be relied on, and updates deployment pipelines accordingly.
  • Core value: Avoids the deployment-script breakage caused by the reversal of the default and keeps fleet configs secure without manual tweaks.

Details

Target Audience: DevOps engineers, automated deployment users (Ansible/Terraform/Puppet)
Core Feature:    Environment probing (Kubernetes detection, BIOS version check), flag injection, dry-run validation
Tech Stack:      Bash/Python, Tailscale CLI wrapper, systemd unit generator
Difficulty:      Low
Monetization:    Revenue-ready: Freemium CLI (pro: cloud integrations)

Notes

  • "for people using deployment scripts/tools you now need to update those to put the flag in during installation" (traceroute66); "people with automated deployments based on >= 1.90.2 can no longer rely on the 'by default'" (traceroute66).
  • Practical for CI/CD; HN loves idempotent deploy tools.

TPM Key Escrow Vault

Summary

  • A self-hosted or cloud service that automatically backs up Tailscale node keys to an encrypted vault (with passphrase/backup recovery), restores on TPM resets, and supports multi-device sync.
  • Core value: Mitigates key loss from hardware/firmware changes without negating TPM security, like BitLocker recovery keys but Tailscale-native.

Details

Target Audience: Enterprise Tailscale admins, home users with VMs/hardware swaps
Core Feature:    Auto-export/import of state file keys, webhook integration with Tailscale, multi-vault (Age/TPM-wrapped)
Tech Stack:      Rust (tpm2 crate), SQLite/Postgres, Tailscale ACL integration
Difficulty:      High
Monetization:    Revenue-ready: SaaS ($5/mo per tailnet)

Notes

  • "needing some kind of recovery password/backup key setup that entirely negates the point of the TPM" (candiddevmike); "you’d better have a working backup system" (nottorp).
  • Addresses real pain like SSD migrations (lloeki); potential for viral HN threads on key management.
