Turning Compliance into Capability with Clevis and Tang
Encrypt because you must? Then do it right the first time. Security mandates aren’t usually designed with engineer happiness in mind. More often, they introduce friction — manual steps, clunky workarounds, and a constant battle between compliance and convenience. But every now and then, a requirement leads to something unexpectedly useful. When a customer’s security appliance went through a penetration test, full disk encryption (FDE) became non-negotiable. That is reasonable, but how do you implement it in line with best practices without someone typing a passphrase on every boot? Especially in environments where Red Hat is the standard, such as major telecom providers, the challenge is enabling scalable security without compromising operational efficiency. The answer was simpler than expected: Clevis and Tang, two open-source tools that make automated, policy-driven disk unlocking possible with security built in.
The challenge: balancing compliance with usability
After a penetration test, one of our clients needed to encrypt disks across several key systems. Meeting encryption standards wasn’t the hard part; keeping servers fully autonomous during boot cycles without sacrificing security was the real challenge. The constraints were clear:
- No user input (no keyboard attached, no manual passphrase);
- No locally stored decryption keys;
- Full compatibility with Red Hat Enterprise Linux (RHEL).
This led us to Clevis and Tang — a lightweight, flexible combination that solves exactly this problem.
Why this approach works and why it matters
Encrypting disks securely without disrupting operations can seem complex. Clevis and Tang provide a straightforward solution that meets both security demands and operational needs. Here’s why it works, and why it deserves your attention.
Strong security, even in worst-case scenarios
One of the major concerns with full disk encryption is what happens if a device is stolen. Approaches that keep the decryption key on the device itself leave that key exposed along with the hardware. Clevis and Tang eliminate this risk in a practical way.
Tang servers do not store private keys, which makes them stateless and inherently more secure. As a result, even if a device is physically removed from its environment, it cannot decrypt itself unless it is within the trusted network where the Tang server is accessible. This significantly reduces the risk of data breaches caused by lost or stolen hardware, as confirmed by Red Hat’s official documentation (Red Hat Security Hardening Guide).
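Behind that property is the McCallum-Relyea exchange: the Tang server holds only its own long-term key pair and keeps no per-client state, while the client stores only a public value in the LUKS header and re-derives the volume key at boot by talking to the server. The Python walk-through below is an added example, not code from the article or from the Clevis and Tang projects. It uses the multiplicative group modulo the prime 2**127 - 1 as a constructed stand-in for the NIST P-521 curve Tang actually uses, so it demonstrates the algebra of the exchange only and offers no real security; `TangServer`, `provision`, `recover` and `luks_key` are names chosen here, not Clevis or Tang APIs.

```python
"""Toy walk-through of the McCallum-Relyea exchange that Tang implements.

Added example, not code from the article or from the Clevis/Tang projects.
Constructed stand-in: the multiplicative group modulo the Mersenne prime
2**127 - 1 replaces the NIST P-521 elliptic curve Tang really uses, so group
"addition" is multiplication mod P and scalar multiplication is pow().
The algebra is identical; the parameters offer no real security.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

P = 2**127 - 1          # prime modulus (constructed toy parameter)
G = 3                   # generator shared by both sides (constructed)


def _scalar() -> int:
    """Random exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


class TangServer:
    """Holds one long-term key pair and keeps no per-client state at all."""

    def __init__(self, private_key: Optional[int] = None):
        self._s = private_key if private_key is not None else _scalar()
        self.public_key = pow(G, self._s, P)      # S = s*G, published in the advertisement

    def recover(self, x: int) -> int:
        """The only operation Tang performs for a client: return s*X."""
        return pow(x, self._s, P)


def provision(server_pub: int, c: Optional[int] = None) -> Tuple[Dict[str, int], int]:
    """Client side of binding. Returns (metadata kept in LUKS, key K).

    Only the public value C and the server public key S are stored; the
    private scalar c and the key K are discarded once the volume is bound.
    """
    c = c if c is not None else _scalar()
    big_c = pow(G, c, P)                  # C = c*G
    k = pow(server_pub, c, P)             # K = c*S; the server never sees K
    metadata = {"C": big_c, "S": server_pub}
    return metadata, k


def recover(server: TangServer, metadata: Dict[str, int], e: Optional[int] = None) -> int:
    """Client side of unlocking at boot: re-derive K without having stored it.

    X = C + E is blinded by the ephemeral E, so the server learns nothing
    about C or K; the client removes the blinding with e*S afterwards.
    """
    e = e if e is not None else _scalar()
    big_e = pow(G, e, P)                              # E = e*G
    x = (metadata["C"] * big_e) % P                   # X = C + E
    y = server.recover(x)                             # Y = s*X = s*C + s*E
    unblind = pow(metadata["S"], e, P)                # e*S = s*E
    return (y * pow(unblind, -1, P)) % P              # K = Y - e*S = s*C


def luks_key(k: int) -> bytes:
    """Derive the 32-byte secret that would open the LUKS keyslot."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


def round_trip() -> bool:
    """Bind once, then unlock twice; every unlock must reproduce the bound key."""
    server = TangServer()
    metadata, bound = provision(server.public_key)
    return all(recover(server, metadata) == bound for _ in range(2))


if __name__ == "__main__":
    print("unattended unlock reproduces the bound key:", round_trip())
```

Two details carry the security argument from the text: `TangServer` stores nothing between calls, and the stolen metadata (`C` and `S`) is useless away from the network where a server knowing `s` answers, because only the server can compute `s*C`.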
For those who want to explore the full technical scope of Clevis and Tang within Red Hat environments, Red Hat provides comprehensive guidance on Network-Bound Disk Encryption (NBDE), including how it integrates with LUKS and how it supports secure booting across OpenShift and other platforms.
Fully automated, no manual intervention required
Encrypting disks is one thing; ensuring they boot unattended after a restart is another challenge entirely. Clevis addresses this by automatically unlocking the encrypted volumes during system boot over a secure exchange with the Tang server. This eliminates the need for manual passphrase entry at startup and makes the process entirely hands-free.
Dracut plays a crucial role in this setup by embedding both the Clevis configuration and the network settings it needs into the initial RAM disk (initramfs), so the Tang server is reachable before the root volume is unlocked. As a result, the integration feels native and seamless, especially on Red Hat Enterprise Linux 8 or newer.
Seamless integration into Red Hat infrastructure
Organizations that rely on Red Hat technologies expect security solutions that integrate smoothly without disrupting existing workflows. Clevis and Tang deliver on that expectation by offering native support within Red Hat Enterprise Linux 8 and later versions. Their integration with tools like Ansible, Satellite, and Kickstart is straightforward, making it easy to incorporate into automated provisioning pipelines.
Because these tools align closely with Red Hat’s ecosystem, implementing them requires minimal changes to existing deployment processes. This ensures that teams can strengthen their encryption posture without introducing unnecessary complexity or delays.
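Unattended binding needs one check done in advance: `clevis luks bind` otherwise stops to ask whether the Tang signing keys in the advertisement should be trusted, and a Kickstart or Ansible run cannot answer that prompt. Supplying the signing key's thumbprint in the pin configuration (`thp`) answers it non-interactively and avoids trust on first use; the thumbprint is recorded out of band on the Tang host with `tang-show-keys`. The Python below is an added example, not code from the article or from Clevis or Tang: it computes the RFC 7638 SHA-256 JWK thumbprint, checks a constructed advertisement against a pinned value, and builds the `tang` and `sss` pin configuration strings that `clevis luks bind` accepts. The hostnames, key coordinates and the second server's thumbprint are constructed placeholders, and the function names are chosen here.

```python
"""Pin the Tang signing key so `clevis luks bind` can run unattended.

Added example, not code from the article or from Clevis/Tang. It computes an
RFC 7638 JWK thumbprint (the SHA-256 form that `tang-show-keys` and current
Clevis print), checks a Tang advertisement against a thumbprint obtained out
of band, and emits the pin configuration strings passed to `clevis luks bind`.
Key material below is constructed filler, not a real key.
"""
import base64
import hashlib
import json
from typing import Dict, List

# RFC 7638 section 3.2: only these members feed the thumbprint, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, object]) -> str:
    """SHA-256 thumbprint of a JWK (RFC 7638): hash the canonical JSON of the
    required members only, keys sorted lexicographically, no whitespace."""
    members = _REQUIRED[str(jwk["kty"])]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def signing_keys(advertisement_payload: Dict[str, object]) -> List[Dict[str, object]]:
    """Tang advertises signing keys (key_ops "verify") and exchange keys
    ("deriveKey"); Clevis pins the signing keys."""
    return [k for k in advertisement_payload["keys"] if "verify" in k.get("key_ops", [])]


def verify_advertisement(advertisement_payload: Dict[str, object], pinned_thp: str) -> Dict[str, object]:
    """Return the advertised signing key whose thumbprint equals the value
    recorded out of band; refuse everything else (no trust on first use)."""
    for key in signing_keys(advertisement_payload):
        if jwk_thumbprint(key) == pinned_thp:
            return key
    raise ValueError("no advertised signing key matches pinned thumbprint %s" % pinned_thp)


def tang_pin(url: str, thp: str) -> str:
    """Config string for: clevis luks bind -d /dev/DEVICE tang '<this string>'"""
    return json.dumps({"url": url, "thp": thp})


def sss_pin(threshold: int, tang_pins: List[str]) -> str:
    """Shamir (sss) config: any `threshold` of the listed Tang servers can
    unlock, so a single Tang outage does not block an unattended boot."""
    if not 1 <= threshold <= len(tang_pins):
        raise ValueError("threshold must be between 1 and the number of pins")
    return json.dumps({"t": threshold, "pins": {"tang": [json.loads(p) for p in tang_pins]}})


# Constructed advertisement payload (the JWS payload Tang serves at /adv),
# with filler coordinates instead of real P-521 points.
SAMPLE_ADV = {
    "keys": [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
         "x": _b64url(b"\x01" * 66), "y": _b64url(b"\x02" * 66)},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
         "x": _b64url(b"\x03" * 66), "y": _b64url(b"\x04" * 66)},
    ]
}


def demo() -> Dict[str, str]:
    """Pin the sample signing key and build single-server and redundant configs."""
    # Value an operator would have recorded from `tang-show-keys` on the Tang host.
    pinned = jwk_thumbprint(signing_keys(SAMPLE_ADV)[0])
    key = verify_advertisement(SAMPLE_ADV, pinned)
    single = tang_pin("http://tang1.example.internal", jwk_thumbprint(key))
    # The second server's thumbprint is a labelled placeholder; record the real one.
    redundant = sss_pin(1, [single, tang_pin("http://tang2.example.internal", "<THP-OF-TANG2>")])
    return {"tang": single, "sss": redundant}


if __name__ == "__main__":
    for name, cfg in demo().items():
        print("%s pin config: %s" % (name, cfg))
```

The `sss` form is what the article's resilience argument rests on in practice: with two Tang servers and `t` set to 1, either server alone can answer at boot, while the pinned `thp` on each entry keeps the automation from silently accepting a substituted key.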
Scalable architecture ready for future growth
Unlike other methods, Clevis and Tang do not rely on fragile unlocking mechanisms such as TPMs or USB keys. This makes them particularly well-suited for dynamic environments like edge deployments, hybrid clouds, and modern data centers where resilience, flexibility, and operational simplicity are essential.
Why this matters for modern infrastructure
In today’s environments, where downtime, manual processes, and data breaches represent serious risks, Clevis and Tang offer a solution that strengthens security without adding operational overhead.
Who benefits most from Clevis and Tang?
These tools are particularly valuable for enterprises managing on-premises or hybrid cloud infrastructures, where maintaining control over encryption and access is critical. Organizations pursuing ISO certifications or undergoing regular security audits and penetration tests will also benefit from this approach, as it supports robust compliance without complicating workflows. For companies building or expanding private cloud environments, Clevis and Tang provide a scalable and secure encryption method that aligns well with modern infrastructure demands.
Service providers delivering secure infrastructure appliances to their customers can rely on this solution to ensure that sensitive data remains protected, even in the event of physical hardware loss. Finally, businesses that prioritize data sovereignty and regulatory compliance can implement Clevis and Tang to safeguard data without compromising on operational flexibility.
Ready to strengthen your disk security strategy?
Clevis and Tang offer a powerful way to improve disk encryption and protect sensitive data, but implementing them effectively and ensuring they truly strengthen your environment requires the right expertise. That is where SUE comes in.
Our engineers and consultants have extensive experience with Linux security, Red Hat infrastructures, and encryption solutions like LUKS, Clevis, and Tang.
We can help your organization design, implement, and optimize an automated disk encryption strategy that fits seamlessly into your existing operations, without adding unnecessary complexity.
Whether you’re looking to improve compliance, enhance sovereignty over your data, or simply strengthen your infrastructure against modern threats, SUE has the people and the knowledge to support your goals.