Keys seem to be saved as plain text

hello and thanks

I was curious where the keys are stored.
I found the folder C:\Windows\System32\config\systemprofile\AppData\Local\Tailscale
In that folder is a plain text file, server-state.conf, with the contents below.

  • are those the wireguard keys?
  • if not, where are the keys stored?
{
  "_machinekey": "xxx",
  "server-mode-start-key": "xxx",
  "xxx": "xxx"
}

if those are wireguard and other keys*,

  • they seem to be stored as plain text, perhaps encoded?
    are they encrypted?
  • the file permissions seem too permissive, the administrators group has full control and thus can read and edit the contents of the file.
    I read that Tailscale runs as the system user, so why does the administrators group have full control?

thanks much,

Hi,

Tailscale stores keys in the filesystem, yes. There is no way to securely encrypt the keys in the filesystem without creating a new problem where we need to store the keys used to encrypt the keys, which would bring us back to square one.

It would be possible to store keys in TPM hardware, for example, but this is not as secure as it sounds: if Windows users are allowed to sign requests using the TPM, then they will be able to act as if they have the keys. And administrators are allowed to use the TPM.

In general, the administrator of a system is able to do all kinds of nasty things such as injecting code into running processes. As a result, if an attacker ever has admin rights on your system, it’s generally considered game over - they can get access to anything. Typical attackers already have access to public “rootkit” software that will automate the entire attack beyond that point.

In general, the best an encryption layer such as Tailscale can hope to do, in the face of such an attack, is at least detect (if not prevent) so-called credential theft. The way we do this is by rotating the Tailscale keys periodically (handing in the current key, in exchange for a new key), so that anyone who has stolen the old key will no longer be able to use it. This narrows the window of attack to just slightly longer than the time the attacker controlled your device, which is not much worse than that they got access to your device in the first place. For more on key rotation, see our blog posts: https://tailscale.com/blog/rotate-ssh-keys/ and https://tailscale.com/blog/tailscale-key-management/

Hope this helps!

1 Like
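
An added example, not written by either poster or by Tailscale: a PowerShell check for the file-permission concern raised in the question. It lists every principal other than SYSTEM and Administrators that the ACL allows to read or change server-state.conf. The path is the one quoted in the question; the function name and the allow-list of two SIDs are assumptions.

```powershell
# Added example. Run from an elevated prompt: the systemprofile folder is not
# readable by standard users.
# Path as quoted in the question; adjust if your install differs.
$StatePath = 'C:\Windows\System32\config\systemprofile\AppData\Local\Tailscale\server-state.conf'

# Assumption: only these two well-known SIDs are expected on the file.
$AllowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Rights that expose the keys (read) or let someone replace or re-ACL the file.
$Sensitive = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper name; returns one object per unexpected Allow entry.
function Get-UnexpectedStateFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Allowed = $AllowedSids
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, identities returned as SIDs so the
    # comparison does not depend on the display language.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $Sensitive) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        # Resolve a friendly name where possible; orphaned SIDs stay as SIDs.
        try {
            $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $ace.IdentityReference.Value
        }
        [pscustomobject]@{
            Identity  = $name
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-UnexpectedStateFileAccess -Path $StatePath)
if ($findings.Count -eq 0) {
    'No Allow entries for principals other than SYSTEM and Administrators.'
} else {
    $findings | Format-Table -AutoSize
}
```

An empty result matches the situation described in the thread, where SYSTEM and the administrators group are the only principals with access; any row in the output is an additional account that can read the stored keys.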

thanks much for the info