v0.8.0 — Device::new_with_secret (SecretString auth key)

@GeiserX GeiserX released this 10 Jun 01:21
· 8 commits to main since this release

Added

  • Device::new_with_secret(&Config, Option<secrecy::SecretString>) — a backward-compatible, secret-typed constructor for embedders that hold the registration auth key as a secrecy::SecretString (e.g. a daemon keeping the key zeroized end-to-end). The caller no longer materializes the secret into a plain String at the engine boundary. Device::new(Option<String>) is unchanged. (Honest scope: the engine still resolves the key to a String internally for registration — this closes the caller's plaintext window; engine-side key zeroization is tracked separately.) Adds a secrecy dependency (pure Rust: no aws-lc/openssl/ring, so the ring-only egress invariant is preserved) and re-exports tailscale::SecretString. Minor version bump (additive API).
  • docs/LIVE_SETTABLE_PREFS.md — documents which Device prefs are live-settable on a running device (set_exit_node, set_serve_config, logout) vs which require a Device::new rebuild.

This project is not associated with Tailscale Inc.