diff --git a/.sops.yaml b/.sops.yaml
index 4a221569584b12588892ce13bd46c4611c7c6b11..e926a0b50a59802a8cb2c08d4cda7827c38d3bd4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 creation_rules:
 - path_regex: (clusters|apps)/okd4/.*.yaml
- encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?)$
+ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang)$
 pgp: >-
 9D02A9AD73EF7F3D5F657AC2B392F6EB325E8C50,
 286791FB6648539775DB31B8FCB98C2A3EC6F601
diff --git a/clusters/okd4/machine-config/kustomization.yaml b/clusters/okd4/machine-config/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..674f6efba9db50db91da16bc8a89885596784ec7
--- /dev/null
+++ b/clusters/okd4/machine-config/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- worker/99-worker-chrony.yaml
+- worker/99-worker-disk-encryption.yaml
+- master/99-master-chrony.yaml
+- master/99-master-disk-encryption.yaml
diff --git a/clusters/okd4/machine-config/master/99-master-chrony.yaml b/clusters/okd4/machine-config/master/99-master-chrony.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..66674416c377ef5fc4b61b60b5f3cb5c05411b9a
--- /dev/null
+++ b/clusters/okd4/machine-config/master/99-master-chrony.yaml
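Review bot: Adding `tang` to `encrypted_regex` only changes what sops encrypts when a file is actually run through it; in this same commit `clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml` matches `path_regex` yet commits its `tang` url and thumbprint in plaintext, while the master counterpart has them encrypted. Either pass the worker file through sops as well, or decide that a Tang server URL and its advertisement-key thumbprint are not secrets and leave both files readable; the current mix makes the intended policy unclear and hides one copy from review. The `creation_rules` entry may continue beyond the six lines shown in the hunk.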
@@ -0,0 +1,17 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-master-chrony
+ labels:
+ machineconfiguration.openshift.io/role: master
+spec:
+ config:
+ ignition:
+ version: 3.2.0
+ storage:
+ files:
+ - contents:
+ source: data:,server%20time.cloudflare.com%20iburst%20nts%0Aserver%20nts.sth1.ntp.se%20iburst%20nts%0Aserver%20nts.sth2.ntp.se%20iburst%20nts%0A%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0Amakestep%201.0%203%0Artcsync%0Akeyfile%20%2Fetc%2Fchrony.keys%0Antsdumpdir%20%2Fvar%2Flib%2Fchrony%0Aleapsectz%20right%2FUTC%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A
+ mode: 420
+ overwrite: true
+ path: /etc/chrony.conf
diff --git a/clusters/okd4/machine-config/master/99-master-disk-encryption.yaml b/clusters/okd4/machine-config/master/99-master-disk-encryption.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..943c0cd2306c040e4bad208fc8fd7cfef5b1f0de
--- /dev/null
+++ b/clusters/okd4/machine-config/master/99-master-disk-encryption.yaml
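Review bot: The `source:` value is a URL-encoded chrony.conf that cannot be reviewed in place, so a comment block above `- contents:` giving the decoded configuration (three NTS `server` lines for time.cloudflare.com, nts.sth1.ntp.se and nts.sth2.ntp.se, followed by the driftfile, makestep, rtcsync, keyfile, ntsdumpdir, leapsectz and logdir directives) would let a reviewer verify the authenticated time-source list without decoding it by hand. The identical encoded value is duplicated in `clusters/okd4/machine-config/worker/99-worker-chrony.yaml`, so the same comment belongs there and any future change to the server list has to be made twice. `mode: 420` is decimal for 0644 and deserves a trailing `# 0644` so it is not misread as an unusual permission value.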
@@ -0,0 +1,80 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-master-tang
+ labels:
+ machineconfiguration.openshift.io/role: master
+spec:
+ config:
+ ignition:
+ version: 3.2.0
+ storage:
+ luks:
+ - name: root
+ device: /dev/disk/by-partlabel/root
+ clevis:
+ tang:
+ - url: ENC[AES256_GCM,data:b/wCa4GtPLFVDNQJH2ixhDMJMCTYGN2GGxYrvMU2eIwd49Te,iv:3ogfJlgxyyV1ZVTPGUA/OSMgWk9NR2JQjU/LSrE/19U=,tag:84T+FTPRBHY20onFc/eFhg==,type:str]
+ thumbprint: ENC[AES256_GCM,data:2/2ii6uptjqAunn2gKxa9MfR6jrQoyoccS0EuMyXqnRUTHOdmXrDxyyDTg==,iv:Yk+/iYDfsxiOFvadl1kN7QQeFnW4YfesfLTZe8VqpY8=,tag:uJG9C7NlHR96v2IRrauUWw==,type:str]
+ options:
+ - --cipher
+ - aes-cbc-essiv:sha256
+ wipeVolume: true
+ filesystems:
+ - device: /dev/mapper/root
+ format: xfs
+ wipeFilesystem: true
+ label: root
+ kernelArguments:
+ - rd.neednet=1
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-08-16T18:44:40Z"
+ mac: ENC[AES256_GCM,data:FVzDsD2xS64sLy45DjWwzskoC1NSdzoknoYOCC1KhmYQpY8LjeUwqoKUUa7iK3ecaHSTwlacygefFLdAJGWCcvyPLLE9Zerjk+kw7O3mGOVoP+4BdwWYQQYbIhBJZ5ERo19Dr+wwQe8DHR3IrThouzrSASstQYiAGpN4DXz72sw=,iv:gckENeDJuaVn2lovZOk2NrUuqumYlPvFdfi67p5qS0c=,tag:zIHG/TWNHKbXTJCCZQCLqw==,type:str]
+ pgp:
+ - created_at: "2021-08-16T18:44:40Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1u//sli4/n1ARAAg+39LJBPbxoHZeupBcpEocVYTxsXsdeH9cclDLzVy+oE
+ mpPYkoUBypXg8y+681Di6dUuDGp2z8rEa66a3e1DeJGaAUlGmRjz9i7YSb1vy9ds
+ Th3NgvDfUnV11EQWPUMVy5CSFOU6VAq52RHO6CbeoDrkFxbp3LwQVuwEfh3zLS8+
+ 3wC4KUGfbFvSvXH/7ULTsaGgibPXAw+XXHfQkkPM6Aywt4mDtlrbGAKT8zYSmqfc
+ LxmDYQ4HXK5hhL6cGNdVs0FasROAhZqYg9CnNQx0GraFVtP7pzt1OEOxY+ashgDb
+ SSz7OjxnfxSApZyHnF4g89b7bGD9yYbQ0jSYtHFoWp1Czj0osbHn2Ptpegc8sSv3
+ 1/Rgya6pzuFK85xo2ptJUnOU6rlgDmNIrpd1mk0Tdc1lTxKj7wXriLt97EPqtb1k
+ het2m2nfg6uzkcUWrfJsdDIlmrEWIYgPGtaZaRz49LyCwaociceGmAZKGmQX4A1d
+ 8GXS88LdZPR6+LOPBQxxq2Mmvr1aWIhyzDrXsZp/eAFvq/ek/XfuGmFiUfoBEis2
+ 8SYzBoulmizHm4kA0vc2+wDy3XdpkoojXWm2FoDASVSKgzIldwpHu4HzH9QM+XaA
+ EiecF//VhkScUiuQEyZ443t5Huyoo2lz4MELC5WEiRaXyvYcZEbgqKqJaFptS+7S
+ XAEQOvDAcDZyi+L5gl52tR+MdjYx4BlucWEgHRUGTRjQ6PuZ7IhbacBfZu0t9djT
+ KGMTj1mmy60so8BllBzCKSCUSlGxQUE0lpOMS6Nl5C2FJ/DtkWX4z4AV5x40
+ =szed
+ -----END PGP MESSAGE-----
+ fp: 9D02A9AD73EF7F3D5F657AC2B392F6EB325E8C50
+ - created_at: "2021-08-16T18:44:40Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA7kpg2bgzVHcARAAgpvpN/X3e7svTUWOhWxKa1mIcuUScBvCgOIiwQJSEBOU
+ QFuckyf5KaaKgX6+WHbS7MBx+6PeBHsX1fZNQmsvYMQFYfw6vzpvJ8w2HUn0eSJy
+ I7RRXwJg3mpAcltZm2EK74GE1wF08+DW53n4uLAceTB2/2aA4KxVaYSL7Zuwd89o
+ 0cG8siyt+rCwzziGOxtTsUJwx9yrV5011ON7eBtbh73wjrhxwgdDMxb+yNyM6wSp
+ hfOrHI7hYrdETV3v085IQIghOUOokvVDjUmF22HCaIOnCniqyoKbg8rjwJtY9VaM
+ TgfiAThk8HLJ/0FKfUZspdMykhhSAWkoqKV0zjt+tPfkrggMLN7oe+ql9xyISMjl
+ LS3pKNUSceCoSHXadIXAgCaqcAJcnUXD9H6gK+IPbJ6GHSL9uPpK8fx12pWLoXH5
+ E+v2uyFTkS66YVqhnZaVuE5PyPNwp/Hqm7awv1WEnm7Lx3YSIaeR7FmDGkGnj79Y
+ Eru8ea5QItoujTnW2wOobNLB2RAdMETwqxY4CkGxWg6XyxeAq59icIijkXkwkm7l
+ tf5O87I+jFX0BTz90yYTP9GlSKbFdgriBWZIWChnFrHPXCwCtC+Rhdc/b1/rvVcq
+ CL5Hq41byxiXyW0i9KmQMzveTTnfsbi6708ppBh/pCGIhBzn7ptRgYOzBpQZ00rS
+ 5gEENb9DyHgvupo+FbfSDmj7wX46bcemFNLAiXGIO7HIy69RsmfqF7Fox2QLRkN7
+ Wjva8FEcH24hIEchgiP/Fg3k4c2++yVN34pPljwrS+GmIeLuv8CwAA==
+ =dKsE
+ -----END PGP MESSAGE-----
+ fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang)$
+ version: 3.7.1
diff --git a/clusters/okd4/machine-config/worker/99-worker-chrony.yaml b/clusters/okd4/machine-config/worker/99-worker-chrony.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0cfe5e8e0cef254768b67dc06b8fcb80cf240371
--- /dev/null
+++ b/clusters/okd4/machine-config/worker/99-worker-chrony.yaml
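Review bot: The `options` entries force `--cipher aes-cbc-essiv:sha256`, an older CBC construction, in place of cryptsetup's LUKS2 default `aes-xts-plain64`; unless a specific hardware constraint requires it, drop the `options` key and its two list items so the default XTS mode is used. The same override appears in flow style in `clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml`. Because the `tang` url and thumbprint are sops-encrypted in this file, the property a reviewer most wants to confirm — that the thumbprint was taken from the server's own advertisement — is not visible in the diff, so a comment above `tang:` such as `# thumbprint verified out of band against the Tang server's advertisement` should record how it was checked.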
@@ -0,0 +1,17 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-worker-chrony
+ labels:
+ machineconfiguration.openshift.io/role: worker
+spec:
+ config:
+ ignition:
+ version: 3.2.0
+ storage:
+ files:
+ - contents:
+ source: data:,server%20time.cloudflare.com%20iburst%20nts%0Aserver%20nts.sth1.ntp.se%20iburst%20nts%0Aserver%20nts.sth2.ntp.se%20iburst%20nts%0A%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0Amakestep%201.0%203%0Artcsync%0Akeyfile%20%2Fetc%2Fchrony.keys%0Antsdumpdir%20%2Fvar%2Flib%2Fchrony%0Aleapsectz%20right%2FUTC%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A
+ mode: 420
+ overwrite: true
+ path: /etc/chrony.conf
diff --git a/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml b/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..345f3d40bb28c713568b947a93e29c68f2b5c7aa
--- /dev/null
+++ b/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
@@ -0,0 +1,27 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-worker-tang
+ labels:
+ machineconfiguration.openshift.io/role: worker
+spec:
+ config:
+ ignition:
+ version: 3.2.0
+ storage:
+ luks:
+ - name: root
+ device: /dev/disk/by-partlabel/root
+ clevis:
+ tang:
+ - url: http://tang.shivering-isles.com:7500
+ thumbprint: lXbjdRq9-019gToeDgYaEA3UL0D8-aN5Wr8HKGoY1Z0
+ options: [--cipher, aes-cbc-essiv:sha256]
+ wipeVolume: true
+ filesystems:
+ - device: /dev/mapper/root
+ format: xfs
+ wipeFilesystem: true
+ label: root
+ kernelArguments:
+ - rd.neednet=1
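Review bot: The `luks` entry binds the root volume to a single Tang pin with no `tpm2` pin or `threshold`, so a worker whose Tang server is unreachable at boot cannot unlock its root disk and will not rejoin the cluster; the master file in this commit (`clusters/okd4/machine-config/master/99-master-disk-encryption.yaml`) has the same shape, so the availability dependency applies to the control plane too. If that single dependency is intended, record it in a comment above `clevis:`, e.g. `# Single Tang pin: boot requires the Tang server to be reachable (hence rd.neednet=1 below)`. Note too that `wipeVolume: true` and `wipeFilesystem: true` describe initial provisioning of the root device; if this kustomization is delivered to an already-installed cluster, confirm how the machine-config operator treats these LUKS stanzas on existing nodes before rolling it out.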