Seeing the public node key of a Tailscale node
I’ve been doing some work on Tailscale key expiry, in particular renewing keys with tailscale up --force-reauth. As part of this work, I want to see when a node key has (or hasn’t) changed.
I’ve found some CLI commands that let me see the current node key. Note that these use unstable interfaces, so these commands might break on newer versions – I’m using v1.88.1.
Seeing your own node key
This is the public key of the current node:
$ tailscale status --self --json | jq -r .Self.PublicKey
nodekey:46f9c8656ef1224b5ce5220fbdf96ce38e52aaabeccc9b7358b06481e9481821
Here’s what the key prefixes mean:
- The nodekey: prefix is for hex-encoded public keys (so safe to publish in a blog post)
- The np: prefix is for binary-encoded public keys
- The privkey: prefix is for hex-encoded private keys
Seeing a peer’s node key
This is the public key of the linode-vps node:
$ tailscale debug netmap | jq -r '.Peers | map(select(.ComputedName == "linode-vps")) | .[].Key'
nodekey:731cd9e2560f29c655b674e4033d7cdffeb210aea917b225099b2d601533502d
I’m sure this is possible with tailscale status --peers --json, but that doesn’t include MagicDNS names so it’s a bit less convenient for me – plus, I already had this command working.
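
To see whether a key has changed across a re-authentication, the JSON output of the two commands above can be saved before and after and then compared. The Python script below is an added example, not part of the original post: it assumes only the JSON fields used in the jq filters above (.Self.PublicKey, and .Peers[] with ComputedName and Key), its function names are made up for illustration, and the sample keys are constructed.

```python
import json
import re

# "nodekey:" followed by 64 hex characters, as in the keys shown above.
NODEKEY_RE = re.compile(r"nodekey:[0-9a-f]{64}")


def check_public(key):
    """Return key if it is a hex-encoded public node key, else raise."""
    if key.startswith("privkey:"):
        raise ValueError("refusing to record a private key")
    if not NODEKEY_RE.fullmatch(key):
        raise ValueError("not a nodekey: value: %r" % key[:12])
    return key


def snapshot(status_json, netmap_json):
    """Map node name -> public key from the two commands' JSON output."""
    status = json.loads(status_json)
    netmap = json.loads(netmap_json)
    keys = {"(self)": check_public(status["Self"]["PublicKey"])}
    for peer in netmap.get("Peers") or []:
        keys[peer["ComputedName"]] = check_public(peer["Key"])
    return keys


def changed_keys(before, after):
    """Names present in both snapshots whose key differs: name -> (old, new)."""
    return {name: (before[name], after[name])
            for name in before.keys() & after.keys()
            if before[name] != after[name]}


# Constructed sample data (not real keys): the same tailnet before and after
# a re-authentication in which this node's key changed and the peer's did not.
OLD, NEW, PEER = ("nodekey:" + c * 64 for c in "1a2")


def fake_output(self_key, peer_key):
    # Stand-in for the output of the two tailscale commands above.
    status = json.dumps({"Self": {"PublicKey": self_key}})
    netmap = json.dumps({"Peers": [{"ComputedName": "linode-vps", "Key": peer_key}]})
    return status, netmap


if __name__ == "__main__":
    before = snapshot(*fake_output(OLD, PEER))
    after = snapshot(*fake_output(NEW, PEER))
    for name, (old, new) in changed_keys(before, after).items():
        print(f"{name}: {old} -> {new}")
```

With real data, pass the saved output of tailscale status --self --json and tailscale debug netmap to snapshot() in place of fake_output().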