Comment by bmandale

3 days ago

If Windows is encrypted with keys from the TPM anyways, then Tailscale doesn't need to encrypt a second time.

Windows also bit me in the ass with this feature, but Tailscale not enabling encryption wouldn't have helped one iota.

Local software could be stealing plaintext secrets from your encrypted disk. Physical access is not the only attack vector.

  • The only way to protect against that is if a secure application boundary is enforced by the operating system. You can make it harder for other programs to uncover secrets by encrypting them, but any other application can reverse the encryption. I don't believe using the TPM meaningfully changes that situation.