Manage the installation and configuration of the tang server for NBDE.

Jeffrey Miller



4,139 latest version

5.0 quality score

Version information

  • 1.0.0 (latest)
released Sep 11th 2018
This version is compatible with:
  • Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7.0 < 6.0.0
  • RedHat

Start using this module


millerjl1701/tang — version 1.0.0 Sep 11th 2018


master branch: Build Status

Table of Contents

  1. Module Description - What the module does and why it is useful
  2. Setup - The basics of getting started with tang
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Module Description

This module manages the installation and configuration of the TANG server service - the server side component of Network Bound Disk Encryption (NBDE).

Documentation concerning the TANG service on RHEL/CentOS systems may be found at:

Note: NBDE was initilly released with RedHat/CentOS version 7.4 with complete support arriving with RedHat/CentOS 7.5.


What tang affects

  • Packages: tang (yum will also install jose and libjose as dependencies)
  • Service: tangd.socket

Beginning with tang

In order to install and configure the TANG server, all that is needed in a puppet code manifest is include ::tang.


Install a particular version of the TANG server service

  class { 'tang':
    package_ensure => '6-1.el7',


Generated puppet strings documentation with examples is available from https://millerjl1701.github.io/millerjl1701-tang.

The puppet strings documentation is also included in the /docs folder.


For RedHat/CentOS systems, the TANG server service will only run on version 7.4 or higher. Attempting to use this class with lower versions will likely be problematic.

The RedHat recommended HA configuration for the TANG server service is to deploy two or more TANG servers and register clients to both (all) servers. The alternative approach to HA is to share the TANG server keys between all the servers. While Puppet could allow for this, it will not be implemented at this time due to risk of key compromise.


Please see the CONTRIBUTING document for information on how to get started developing code and submit a pull request for this module. While written in an opinionated fashion at the start, over time this can become less and less the case.


To see who is involved with this module, see the GitHub list of contributors or the CONTRIBUTORS document.