archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

cmd/tailscaled: only default enable state encryption if it will work

Browse Source 
Change-Id: I0a4c5c7cad93fa720c84e20b78f4126dfba5c695
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
tomhjp/default-state-encryption
Tom Proctor 2 months ago
parent e0f222b686
commit 574ad20bea
No known key found for this signature in database
1 changed files with 20 additions and 22 deletions
Show Stats Download Patch File Download Diff File

40
cmd/tailscaled/tailscaled.go
Unescape Escape View File

@ -273,29 +273,27 @@ func main() {
} }
} }
if !args.encryptState.set { defaultEnc := defaultEncryptState()
args.encryptState.v = defaultEncryptState() var conflict string
} if args.encryptState.v || defaultEnc {
if args.encryptState.v { switch {
if runtime.GOOS != "linux" && runtime.GOOS != "windows" { case runtime.GOOS != "linux" && runtime.GOOS != "windows":
log.SetFlags(0) conflict = fmt.Sprintf("--encrypt-state is not supported on %s", runtime.GOOS)
log.Fatalf("--encrypt-state is not supported on %s", runtime.GOOS) case !store.HasKnownProviderPrefix(store.TPMPrefix + "/"): // Check if we have TPM support in this build.
} conflict = "--encrypt-state is not supported in this build of tailscaled"
// Check if we have TPM support in this build. case !hostinfo.New().TPM.Present(): // Check if we have TPM access.
if !store.HasKnownProviderPrefix(store.TPMPrefix + "/") { conflict = "--encrypt-state is not supported on this device or a TPM is not accessible"
log.SetFlags(0) case args.statepath != "" && store.HasKnownProviderPrefix(args.statepath): // Check for conflicting prefix in --state, like arn: or kube:.
log.Fatal("--encrypt-state is not supported in this build of tailscaled") conflict = "--encrypt-state can only be used with --state set to a local file path"
} }
// Check if we have TPM access. }
if !hostinfo.New().TPM.Present() { if args.encryptState.v && conflict != "" {
log.SetFlags(0)
log.Fatal("--encrypt-state is not supported on this device or a TPM is not accessible")
}
// Check for conflicting prefix in --state, like arn: or kube:.
if args.statepath != "" && store.HasKnownProviderPrefix(args.statepath) {
log.SetFlags(0) log.SetFlags(0)
log.Fatal("--encrypt-state can only be used with --state set to a local file path") log.Fatal(conflict)
} }
// Only allow default enabled to take effect if there's no conflict.
if !args.encryptState.set && defaultEnc && conflict == "" {
args.encryptState.v = true
} }
if args.disableLogs { if args.disableLogs {

Write Preview
Loading…
Cancel
Save