From compliance to capability with Clevis and Tang
Encryption because you have to? Then do it right. Security requirements are rarely designed with engineers' happiness in mind. More often than not, they cause friction—manual steps, cumbersome workarounds, and a constant battle between compliance and convenience. But every now and then, such a requirement leads to something unexpectedly useful. When a customer's security appliance underwent a penetration test, full disk encryption (FDE) became non-negotiable. That makes sense, but how do you implement this according to best practices without someone having to enter a password at every reboot? Especially in environments where Red Hat is the standard, such as at large telecom providers, the challenge revolves around scalable security without compromising operational efficiency. The answer turned out to be simpler than expected: Clevis and Tang. Two open-source tools that enable automated, policy-driven disk unlocking — with security as the starting point.
The challenge: balancing compliance with user-friendliness
After a penetration test, one of our customers had to encrypt disks on several critical systems. Complying with encryption standards was not the biggest problem; the real challenge was to allow servers to start up completely autonomously, without compromising security. The preconditions were clear:
- No user input (no keyboard connected, no manual passphrase);
- No locally stored decryption keys;
- Full compatibility with Red Hat Enterprise Linux (RHEL).
This led us to Clevis and Tang—a lightweight and flexible combination that solves precisely this problem.
Why this approach works and why it matters
Securely encrypting disks without disrupting operations can seem complex. Clevis and Tang offer a simple solution that meets both security requirements and operational needs. Here's why it works—and why it deserves your attention.
Strong security, even in worst-case scenarios
One of the biggest concerns with full disk encryption is what happens if a device is stolen. Schemes that unlock automatically by keeping a key file on an unencrypted partition or a passphrase inside the initramfs ship the key together with the stolen disk. Clevis and Tang avoid this in a practical way.
A Tang server holds only its own key pairs; it never sees or stores a client's disk key and keeps no per-client state, which is what "stateless" means here. On the client, the LUKS header stores only public data (the Tang server's advertised public keys and the client's public half of the exchange); the actual LUKS passphrase is recomputed at every boot through a blinded ECDH exchange with the Tang server (the McCallum-Relyea protocol) and is never written to disk. A device that is physically removed from its environment therefore cannot unlock itself unless it can still reach the Tang server. Two caveats matter in practice. First, Tang does not authenticate clients: anyone who can reach the Tang port can complete the exchange, so "within the trusted network" has to be enforced with firewalling and segmentation, and the Tang server must not be reachable from untrusted networks. Second, a client should pin the Tang signing key thumbprint (the "thp" field in the Clevis pin) rather than trusting it on first use, so a rogue server on the same network cannot stand in for the real one. For high-value systems a Clevis sss policy can additionally require several Tang servers, or a TPM2 pin on top of Tang. Red Hat's official documentation describes these properties in the NBDE chapter of its Security Hardening Guide.
For those who want to dive deeper into the technical details, Red Hat offers extensive documentation on Network-Bound Disk Encryption (NBDE), including LUKS integration, Tang key rotation, and use on OpenShift nodes and other platforms.
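The server side of the model described above, as an added shell example that is not code from the original post or from the Tang project: it deploys Tang, enforces the network boundary with a firewalld rule (because reachability is the only access control Tang has), prints the signing-key thumbprint that clients should pin, and rotates keys. The client subnet 10.20.0.0/24 and the default port 80 are assumptions; the procedure only runs against a real host when TANG_RUN=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the Tang project.
# Deploys a Tang server on RHEL 8+, restricts who may reach it, publishes the
# signing-key thumbprint for clients to pin, and rotates keys.
# Assumptions: client subnet 10.20.0.0/24 (constructed), port 80 (tangd.socket default).
set -euo pipefail

TANG_PORT="${TANG_PORT:-80}"   # tangd.socket listens on 80 unless overridden

# tang_rich_rule SUBNET PORT -> firewalld rich rule admitting only SUBNET to
# the Tang port. Tang does not authenticate clients, so reachability is the
# access control: whoever can reach this port can complete the key exchange.
tang_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# tang_install: install the package and start the socket-activated daemon.
tang_install() {
    dnf install -y tang
    systemctl enable --now tangd.socket
}

# tang_restrict SUBNET: admit only the NBDE clients' subnet. The port must not
# be opened in the default zone policy, otherwise this rule is meaningless.
tang_restrict() {
    firewall-cmd --permanent --add-rich-rule="$(tang_rich_rule "$1" "$TANG_PORT")"
    firewall-cmd --reload
}

# tang_thumbprint: print the signing-key thumbprint that clients put into
# their pin config as "thp", so a rogue server on the same network cannot
# substitute its own advertisement.
tang_thumbprint() {
    tang-show-keys "$TANG_PORT"
}

# tang_rotate: generate new keys and hide the old ones (renamed with a leading
# dot). Hidden keys keep serving existing bindings but are no longer
# advertised. Every client must run `clevis luks regen -d DEV -s SLOT` before
# the old key files are deleted, or it will stop unlocking at boot.
tang_rotate() {
    /usr/libexec/tangd-rotate-keys -d /var/db/tang -v
}

main() {
    tang_install
    tang_restrict "${1:-10.20.0.0/24}"   # assumed client subnet
    tang_thumbprint
}

# Only touch the host when explicitly asked; sourcing the file is side-effect free.
if [ "${TANG_RUN:-0}" = 1 ]; then main "${1:-}"; fi
```

Run it as `TANG_RUN=1 ./tang-server.sh 10.20.0.0/24` on the Tang host; the printed thumbprint goes into every client's pin configuration. Rotate keys on a schedule, but only delete the hidden old keys after all clients have re-bound.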
Fully automated, no manual intervention required
Encrypting disks is one thing; making sure that systems come back up unattended after a reboot is a different challenge. Clevis automates the unlocking of LUKS volumes during boot: `clevis luks bind` stores a policy (a "pin" such as tang, tpm2, or sss for a threshold of several pins) in a new LUKS key slot and token, and at boot the Clevis hook contacts the Tang server, recovers the key and opens the volume. The original passphrase slot stays in place as the break-glass path for when the Tang server is unreachable.
This means that no passphrase is typed at startup. The process is completely hands-free, which is essential for headless servers and large-scale environments.
dracut, which builds the initramfs, plays the crucial role here: the clevis-dracut package adds a Clevis module to the initramfs so that unlocking can happen before the root filesystem is mounted. Because the exchange needs the network, early networking has to be enabled on the kernel command line (rd.neednet=1, plus an ip= argument on hosts without DHCP), and the initramfs must be regenerated after binding (dracut -fv --regenerate-all). On Red Hat Enterprise Linux 8 or newer this is all native and feels seamless.
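The client-side procedure above (policy, bind, initramfs), as an added shell example that is not code from the original post or from the Clevis project. It assumes a LUKS2 volume on /dev/sda2, three Tang servers named tang1, tang2 and tang3.example.internal, thumbprints taken beforehand from each server's tang-show-keys output (placeholders here), and a RHEL 8 or newer host with the clevis, clevis-luks and clevis-dracut packages. The policy requires any two of the three Tang servers, so one server can be down for maintenance without stranding the fleet, and pins each server's signing key instead of trusting it on first use. The real bind only runs when NBDE_RUN=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the Clevis project.
# Binds a LUKS2 volume to a Clevis policy that needs any 2 of 3 Tang servers,
# pins each server's signing-key thumbprint, and rebuilds the initramfs so the
# volume unlocks unattended at boot.
# Assumptions: device /dev/sda2, hostnames tang1..tang3.example.internal,
# placeholder thumbprints (replace with tang-show-keys output).
set -euo pipefail

# tang_pin URL THP -> JSON for one Tang pin with a pinned signing-key thumbprint.
# With "thp" set, clevis rejects an advertisement signed by any other key
# instead of asking the operator to trust it interactively.
tang_pin() {
    printf '{"url":"%s","thp":"%s"}' "$1" "$2"
}

# sss_policy THRESHOLD PIN_JSON... -> Shamir Secret Sharing policy: any
# THRESHOLD of the listed Tang pins must answer for the volume to unlock.
sss_policy() {
    local t="$1"; shift
    local pins="" p
    for p in "$@"; do
        pins="${pins:+$pins,}$p"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$t" "$pins"
}

# nbde_bind DEV POLICY: add the Clevis binding as a new LUKS key slot. The
# existing passphrase slot stays as the break-glass path when Tang is down.
# clevis prompts for that passphrase; pass "-k -" to read it from stdin in
# provisioning pipelines instead.
nbde_bind() {
    local dev="$1" policy="$2"
    command -v clevis >/dev/null || { echo "install clevis clevis-luks clevis-dracut first" >&2; return 2; }
    clevis luks bind -d "$dev" sss "$policy"
    clevis luks list -d "$dev"     # shows the slot number and the stored policy
}

# nbde_initramfs: include the Clevis hook and early networking in every initramfs.
nbde_initramfs() {
    rpm -q clevis-dracut >/dev/null || { echo "clevis-dracut missing" >&2; return 2; }
    # rd.neednet=1 brings the network up before cryptsetup runs; hosts without
    # DHCP need a static ip= argument here instead of ip=dhcp.
    grubby --update-kernel=ALL --args="rd.neednet=1 ip=dhcp"
    dracut -fv --regenerate-all
}

main() {
    local policy
    policy=$(sss_policy 2 \
        "$(tang_pin http://tang1.example.internal replace-with-tang1-thumbprint)" \
        "$(tang_pin http://tang2.example.internal replace-with-tang2-thumbprint)" \
        "$(tang_pin http://tang3.example.internal replace-with-tang3-thumbprint)")
    nbde_bind /dev/sda2 "$policy"
    nbde_initramfs
}

# Only touch real devices when explicitly asked; sourcing the file is side-effect free.
if [ "${NBDE_RUN:-0}" = 1 ]; then main; fi
```

After a reboot, `clevis luks list -d /dev/sda2` confirms the binding and `journalctl -b -u clevis-luks-askpass` (or the dracut log) shows whether the Tang exchange succeeded. Keep the passphrase slot, and test the failure mode once by blocking the Tang port: the host should fall back to the passphrase prompt rather than hang.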
Seamless integration into Red Hat infrastructure
Organizations working with Red Hat technologies expect security solutions that integrate smoothly without disrupting existing workflows. Clevis and Tang meet that expectation: the clevis, clevis-luks, clevis-dracut and tang packages ship with Red Hat Enterprise Linux 8 and newer, and the RHEL system roles nbde_server and nbde_client let Ansible deploy and bind both sides. The bind step can also be scripted in a Kickstart %post section or rolled out through Satellite, so it slots straight into automated provisioning pipelines.
Because these tools are closely aligned with the Red Hat ecosystem, minimal adjustments are required to existing deployment processes. This allows teams to strengthen their encryption posture without unnecessary complexity or delay.
Scalable architecture, ready for growth
Unlike approaches that tie unlocking to a single piece of local hardware, such as a TPM-sealed key that only works on that one board or a USB token that must be present at every boot, Clevis and Tang bind unlocking to network presence. That is what dynamic environments such as edge deployments, hybrid clouds, and modern data centers need, where resilience, flexibility, and operational simplicity are essential. The approaches are not mutually exclusive: Clevis's sss pin can combine several Tang servers and a TPM2 pin in one threshold policy, so a node can be required to reach, say, two of three Tang servers and also prove it is the original hardware.
Why this is important for modern infrastructure
In today's environments, where downtime, manual processes, and data breaches pose serious risks, Clevis and Tang offer a solution that enhances security without adding operational overhead.
Who benefits most from Clevis and Tang?
These tools are particularly valuable for enterprises that manage on-premises or hybrid cloud infrastructures, where control over encryption and access is crucial. Organizations seeking ISO certifications or undergoing regular security audits and penetration tests also benefit from this approach, as it supports strong compliance without complicating workflows. For companies building or expanding private cloud environments, Clevis and Tang offer a scalable and secure encryption method that aligns well with modern infrastructure requirements.
Service providers that deliver secure infrastructure appliances to customers can rely on this solution to protect sensitive data, even in the event of physical hardware loss. Finally, organizations that prioritize data sovereignty and regulatory compliance can leverage Clevis and Tang to secure data without compromising operational flexibility.
Ready to improve your disk security strategy?
Clevis and Tang offer a powerful way to enhance disk encryption and protect sensitive data. But to implement them effectively and ensure that they actually strengthen your environment, you need the right expertise. That's where SUE comes in.
Our engineers and consultants have extensive experience with Linux security, Red Hat infrastructures, and encryption solutions such as LUKS, Clevis, and Tang. We help your organization design, implement, and optimize an automated disk encryption strategy that fits seamlessly into your existing operations without adding unnecessary complexity.
Whether you want to improve compliance, gain more control over your data sovereignty, or strengthen your infrastructure against modern threats, SUE has the people and expertise to support your goals.