Andrew Lytvynov
After debugging this a bit with @nickkhyl we found that `TPM_CC_EncryptDecrypt2` is optional and not always supported by various TPM devices. Indeed the spec says: > A TPM often will...
Updated to (1) use nacl/secretbox for the actual data and (2) seal the secretbox key using the TPM. @nickkhyl could you test this latest version on Windows please?
Talked to @nickkhyl, this state implementation is opt-in for the foreseeable future, so I'll merge it as-is. We will evaluate the real user experience on Windows and see if we...
cc @knyar @icio
QNAP clients know how to [auto-update](https://tailscale.com/kb/1067/update#auto-updates), but only using the QNAP app store. IMO, our options to improve QNAP updates, in decreasing order of preference, are: 1. work with QNAP...
@arnecls if you're using shielded VMs in GCE, this is sort of "working as expected". Node state sealing exists to prevent copying the state file between machines (which is essentially...
For everyone reporting the issue: the part of the error message after `failed to unseal encryption key with TPM:` matters a lot, as it can point to very different underlying...
@kiyospace the log output you showed is from `tailscaled --cleanup` which runs from `ExecStartPre` and `ExecStopPost` hooks in systemd. Can you paste the logs after `Program starting: v1.90.6-t0238943bb-g1851f6203, Go 1.25.3:...
@kiyospace the weird thing is that [the implementation is identical](https://github.com/tailscale/tailscale/blob/d349370e5500e6f583a15e38ad945199e5e11ea1/feature/tpm/tpm.go#L391-L480) on Linux and Windows, except for the underlying OS interface they use to communicate with the TPM. Can you also...
We believe that this issue only affects older macOS versions (before macOS 14). There's a fix in progress, cc @patrickod @barnstar If your device is supported, try upgrading macOS to...