TL;DR
Tailscale's v1.92.5 update stops enabling state file encryption and hardware attestation keys by default on Linux and Windows. The client will also start even if hardware attestation keys fail to load; related changes were made to container, Kubernetes operator, and certificate renewal behavior.
What happened
Tailscale published v1.92.5 on Jan. 6, 2026, with several changes to how client state and attestation keys are handled. On Linux and Windows, state file encryption and hardware attestation keys are no longer turned on by default, and clients will continue to start if hardware attestation keys fail to load (for example, after a TPM reset or replacement). The container image for v1.92.5 is available via Docker Hub and GitHub packages; the image and the Kubernetes Operator releases stop adding hardware attestation keys to Kubernetes state Secrets, allowing operators to move Tailscale containers between nodes. The Kubernetes Operator also changed certificate renewal behavior: renewal is no longer performed as an ARI order by default, a change intended to avoid failures when ACME account keys are recreated. A tsrecorder release was published as well, comprising only library updates.
Why it matters
- Clients will not be blocked from starting if hardware attestation keys cannot be loaded, reducing startup failures after TPM resets or replacements.
- Because hardware attestation keys are no longer added to Kubernetes state Secrets, Tailscale containers can be moved or redeployed to a different node.
- With state file encryption no longer enabled by default, the default security posture changes for new or upgraded clients.
- Certificate renewal no longer using ARI orders by default is intended to reduce failures when ACME account keys are recreated.
Key facts
- Release: Tailscale v1.92.5, published Jan 6, 2026.
- On Linux and Windows, state file encryption and hardware attestation keys are no longer enabled by default.
- Failure to load hardware attestation keys no longer prevents the client from starting.
- Tailscale container image v1.92.5 is available on Docker Hub and GitHub packages.
- Hardware attestation keys are no longer added to Kubernetes state Secrets in the v1.92.5 container image and Kubernetes Operator.
- Tailscale Kubernetes Operator v1.92.5 was released with guidance to consult installation instructions for updates.
- Certificate renewal is no longer performed as an ARI order by default to avoid renewal failures if ACME account keys are recreated.
- Tailscale tsrecorder v1.92.5 was released; it contains only library updates.
What to watch next
- Whether administrators choose to re-enable state file encryption manually after the default change — not confirmed in the source.
- Potential operational or support impacts from the default configuration change, such as incidents related to unencrypted state files — not confirmed in the source.
- Adoption and upgrade rates of v1.92.5 in production environments and any subsequent patches or clarifications from Tailscale — not confirmed in the source.
Quick glossary
- State file encryption: Encrypting a client’s local state data so that stored configuration and credentials are protected at rest.
- Hardware attestation (TPM): A process using a hardware module such as a TPM to prove properties about a device or to protect cryptographic keys.
- Kubernetes Secret: A Kubernetes object used to hold sensitive information, such as passwords or keys, which can be mounted into pods.
- ACME: Automated Certificate Management Environment, a protocol used by certificate authorities for automated domain validation and certificate issuance.
Reader FAQ
Is state file encryption removed entirely in v1.92.5?
No — the source states it is no longer enabled by default, not that it has been removed.
Will a client fail to start if hardware attestation keys cannot be loaded?
No — v1.92.5 explicitly notes that failure to load hardware attestation keys no longer prevents the client from starting.
Are hardware attestation keys still stored in Kubernetes Secrets?
According to the release, attestation keys are no longer added to Kubernetes state Secrets.
Where can I get the updated container images?
The v1.92.5 container image is available on Docker Hub and the project's GitHub packages repository.
Has certificate renewal behavior changed?
Yes — renewal is no longer done as an ARI order by default to avoid failures if ACME account keys are recreated.

Sources
- Tailscale state file encryption no longer enabled by default
- TPM attestion cannot be disabled once used · Issue #17653
- Encrypting data at rest, one OS at a time