
# The insecure flag

> Learn how to use the insecure flag.


The `--insecure` flag is a per-command argument that allows the `talosctl` client to communicate with the Talos API when a node is in maintenance mode, that is, before it has been configured with a machine configuration.

Talos normally uses mutual TLS (mTLS) for all API communications.
This means that both the `talosctl` client and the node verify each other’s identity using certificates provided in the machine configuration.

However, when a node is in maintenance mode, it still serves the Talos API over TLS, but with some key differences:

* The node uses a self-signed TLS certificate.
* The client (`talosctl`) does not present a certificate.
* Neither side can verify the other's identity.

In this case, the `--insecure` flag tells `talosctl` to skip verifying the server’s certificate, allowing the connection to proceed.

Only a small subset of Talos API commands support the `--insecure` flag, specifically those required for initial setup and maintenance operations.

However, once you've applied a machine config, you must stop using the `--insecure` flag for all subsequent operations.
The node will now expect secure communication using certificates stored in a talosconfig file.

**Note**: The `--insecure` flag is used in a different context by the `talosctl image cache-create` command.
This command is not used for interacting with the Talos node, but for allowing access to insecure image registries that do not support TLS.

## Validate the node identity in `--insecure` mode

When using `--insecure`, `talosctl` cannot automatically verify the identity of the remote node.
However, Talos still provides a way to manually confirm that you are communicating with the intended machine.

### Certificate fingerprint

When a Talos node boots into maintenance mode, it generates a temporary, self-signed TLS certificate.
The certificate fingerprint is printed directly to the machine’s console logs during boot.

You can view this fingerprint via:

* Physical console access
* VM console
* Serial console
* IPMI or other out-of-band management interfaces

### Using the fingerprint with `talosctl`

Once you have obtained the fingerprint from the console, you can explicitly pass it to `talosctl`:

```bash theme={null}
talosctl apply-config \
  --insecure \
  --cert-fingerprint <fingerprint> \
  --nodes <node_ip> \
  --file machine.yaml
```

This allows you to confirm that the configuration is being applied to the intended node, even though full authentication has not yet been established.
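
To cross-check the console value independently of `talosctl`, the following added example (not part of the Talos documentation) computes a pin from a PEM certificate with `openssl` and compares it to an expected value. It assumes the fingerprint is the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo; confirm that against what your console prints. The function names and sample certificates are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the Talos docs). Assumption: the console fingerprint is
# base64(SHA-256(SubjectPublicKeyInfo)) of the node's maintenance certificate.
set -eu

# spki_fingerprint: read a PEM certificate on stdin, print its pin.
spki_fingerprint() {
  # Fail closed: if parsing fails here, the later stages would hash empty
  # input and still print a plausible-looking 44-character value.
  pub=$(openssl x509 -pubkey -noout 2>/dev/null) || return 1
  printf '%s\n' "$pub" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# pin_matches <console-value> <cert.pem>: succeed only on an exact match.
pin_matches() {
  expected=$1
  actual=$(spki_fingerprint < "$2") || return 2
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the one a node generates in maintenance mode.
make_sample_cert() { # make_sample_cert <key-out> <cert-out> <common-name>
  openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
  openssl req -x509 -new -key "$1" -subj "/CN=$3" -days 1 -out "$2" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_sample_cert "$dir/node.key" "$dir/node.pem" intended-node
  make_sample_cert "$dir/other.key" "$dir/other.pem" other-node
  console_value=$(spki_fingerprint < "$dir/node.pem") # stands in for the console line
  if pin_matches "$console_value" "$dir/node.pem"; then
    echo "node.pem: pin matches the console value"
  fi
  if ! pin_matches "$console_value" "$dir/other.pem"; then
    echo "other.pem: pin mismatch, do not apply config"
  fi
  rm -rf "$dir"
}
demo
```

Because the pin covers only the public key, it stays the same if a certificate is re-issued for the same key and changes whenever the key changes.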

## In Omni-managed clusters

The `--insecure` flag works differently when you're using Omni to manage Talos clusters.

Here, the flag is used for nodes that haven't joined a cluster yet.
These nodes will only listen for communication over the SideroLink connection, a secure, point-to-point connection between Omni and the Talos node.

So the SideroLink connection is the only way you can run commands against a node connected to Omni.

This architecture provides a unique security advantage because if a machine is managed by Omni, you cannot send configurations to it from another machine without authentication, even if they are on the same network.
This is because the Talos machine does not listen on any general network interface and only communicates with Omni through the secure SideroLink tunnel.

## Supported commands with the insecure flag

The following commands can be used with the `--insecure` flag:

`talosctl apply-config`

Use this command alongside the `--insecure` flag to apply a machine configuration for the first time.

`talosctl version`

Checks the Talos version running on the node.

`talosctl get`

Retrieves resources from the node.
Verify which resources are retrievable in `--insecure` mode by following these steps:

1. Set your Talos node IP address as a variable (replace `<node_ip>` with the IP address of your Talos node):

   ```bash theme={null}
   NODE_IP=<node_ip>
   ```

2. List resources available in `--insecure` mode:

   ```bash theme={null}
   talosctl get rd --insecure --nodes "$NODE_IP" -o json \
   | jq -r 'select(.spec.sensitivity == null) | .spec.aliases[0]'
   ```

3. List resources not available in `--insecure` mode:

   ```bash theme={null}
   talosctl get rd --insecure --nodes "$NODE_IP" -o json \
   | jq -r 'select(.spec.sensitivity != null) | .spec.aliases[0]'
   ```

`talosctl meta`

Manages key-value pairs in the META partition.

`talosctl reset`

Resets the nodes in Omni.

`talosctl wipe disk`

Erases data from disk partitions on a Talos node.

Refer to the [CLI reference](../../reference/cli) for full CLI details.

## Usage example

Here is an example of how to use the `--insecure` flag in Talos:

```bash theme={null}
# First time applying configuration (requires --insecure)

talosctl apply-config --insecure --nodes 192.168.1.100 --file controlplane.yaml

# After configuration is applied, subsequent commands are secure

talosctl get disks --nodes 192.168.1.100 --talosconfig=./talosconfig
```
