Trusted End Node Security

Trusted End Node Security (TENS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). TENS boots a thin Linux operating system from removable media without mounting a local hard drive. Administrator privileges are not required; nothing is installed. TENS turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity or malware can be written to the local computer. Simply plug in your USB smart card reader to access CAC and PIV-restricted US government websites.

TENS differs from traditional operating systems in that it isn't continually patched. TENS is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot TENS immediately before performing any online banking transactions. TENS should also be rebooted immediately after visiting any risky websites, or when the user has reason to suspect malware might have been loaded. In any event, rebooting when idle is an effective strategy to ensure a clean computing session.

TENS is updated on a regular basis. Be sure to update to the latest version to have the latest protection and most recent drivers.


Each of the TENS products (TENS-Public, TENS-Professional, and Bootable Media) was created to address particular use cases.

TENS-Public is a safe, general-purpose solution for using web-based applications and accessing CAC and PIV-enabled web pages. TENS-Public Deluxe includes the open-source LibreOffice software suite. Both operating systems are available to download for free on the TENS website, as we contribute to the open source community. CAC middleware is integrated into the TENS operating system. TENS-Public is not intended to be an obfuscation tool; it is designed to be a safe operating environment for web-based activity. Encryption Wizard Public Edition is included in TENS-Public. Customizations are not available for this product.

TENS-Professional is similar to TENS-Public but is offered exclusively to non-DoD federal organizations. It is customized by TENS engineers. Customization options include selecting specific applications, pre-configured settings for VPN and/or VDI, firewall configuration, web proxy, time zone, desktop background, browser bookmarks, etc. Encryption Wizard Government Edition is included in this build. TENS-Professional is currently used by several Federal organizations, primarily to help remote users securely connect to their organization's private networks. TENS-Professional customization is available via annual subscription, which includes customization for your organization and quarterly patches.

Bootable Media is the secure, DoD version of TENS. Bootable Media has a strong legacy of providing secure remote access to DoD civilian, military, and contractor personnel. Bootable Media is the TENS flagship product and has a supported user base numbering in the hundreds of thousands. Development, sustainment, and configuration are centrally funded by DISA, so each DoD organization doesn't need to pay for this product. Customization is available and completed for all the features included in TENS-Professional, in addition to including DoD-specific accreditation controls. Bootable Media has an Authorization to Operate (ATO) for DoD networks; the ATO can be found on the DoD Portal link.

Operating Requirements

In order to use TENS, you need:

  1. A computer system with an x86 processor supporting Physical Address Extensions (PAE). TENS is supported on standard PCs and Intel-based Macs. Beginning with version 3.0, TENS is a 64-bit-only OS and thus is incompatible with 32-bit hardware.
  2. 1 GB RAM (1.5 GB for Deluxe and Bootable Media). Remember that system RAM will be used for the in-memory filesystem as well as for running whatever software you use.
  3. For networking, (a) wired Ethernet, (b) wireless (Wi-Fi) connectivity, and (c) tethered cellular broadband are supported. We highly recommend providing some kind of DHCP service.
  4. The ability to boot from either USB or CD/DVD; TENS is usable from either medium. This may require changing BIOS settings and is not something that TENS can perform automatically.
  5. For accessing CAC/PIV-enabled websites,
    • a CAC/PIV (the TENS office does not provide these)
    • a USB CCID-compliant smartcard reader with updated firmware
  6. For printing, either a networked or a local USB-connected printer.
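
The CPU and RAM requirements above can be checked in advance on a machine that already runs Linux. The following is an added example, not code from the TENS project; the edition names, the reading of "1 GB" as 1024 MiB, and the 10% RAM tolerance are assumptions made for illustration.

```python
import re

# RAM minimums from the requirements list, in MiB (edition keys are hypothetical names).
MIN_RAM_MIB = {"public": 1024, "deluxe": 1536, "bootable-media": 1536}
# Assumption: MemTotal excludes memory reserved by firmware and the kernel,
# so allow 10% below the nominal figure before flagging a shortfall.
RAM_TOLERANCE = 0.90

# Constructed sample input in the format of /proc/cpuinfo and /proc/meminfo.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep lm\n"
SAMPLE_MEMINFO = "MemTotal:        1014280 kB\nMemFree:          512000 kB\n"


def cpu_flags(cpuinfo_text):
    """Return the set of CPU feature flags from /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def mem_total_mib(meminfo_text):
    """Return MemTotal from /proc/meminfo text in MiB (0 if the line is absent)."""
    m = re.search(r"^MemTotal:\s*(\d+)\s*kB", meminfo_text, re.MULTILINE)
    return int(m.group(1)) // 1024 if m else 0


def unmet_requirements(cpuinfo_text, meminfo_text, edition="public"):
    """List the CPU and RAM requirements this host fails; empty list means OK."""
    problems = []
    flags = cpu_flags(cpuinfo_text)
    if "pae" not in flags:
        problems.append("CPU does not report PAE")
    if "lm" not in flags:  # "lm" (long mode) marks a 64-bit capable x86 CPU
        problems.append("CPU is not 64-bit (required from TENS 3.0)")
    needed = MIN_RAM_MIB[edition]
    have = mem_total_mib(meminfo_text)
    if have < needed * RAM_TOLERANCE:
        problems.append(f"RAM {have} MiB is below the {needed} MiB minimum")
    return problems


if __name__ == "__main__":
    with open("/proc/cpuinfo") as c, open("/proc/meminfo") as m:
        for line in unmet_requirements(c.read(), m.read()) or ["all checks passed"]:
            print(line)
```

The check covers items 1 and 2 only; boot order, network, and smartcard reader support still have to be confirmed on the machine itself.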

Configure your BIOS to either ask which boot media to use (often pressing F12 or F9 during boot) or to always attempt to boot from USB or CD-ROM. Ensure that the boot media is inserted. Power up or boot the computer.

Once booted, you will be presented with a desktop environment with a Start menu. The applications may be started either from the menu or by double-clicking desktop icons. The Firefox web browser is a good place to begin using TENS.

These are the instructions for using USB sticks, either for storing your own data while running TENS, or for booting TENS itself from a USB device. We also have some introductory notes on burning the ISO image to a CD.