diff --git a/README.md b/README.md
index 24b91e58..f882bd0b 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ These are the variables that can be passed to the role:
 | `nbde_client_provider` | `clevis`| identifies the provider for the `nbde_client` role. We currently support `clevis`.|
 | `nbde_client_bindings` | | a list containing binding configurations, which include e.g. devices and slots. |
 | `nbde_client_early_boot` | `true` | by default nbde_client will configure the initrd to unlock the volume. This may need to be disabled if the managed host is using static IP addressing, or if the volume should be unlocked by clevis-luks-askpass |
+| `nbde_client_secure_logging` | `true` | If true, suppress potentially sensitive output from tasks that handle credentials, secrets, and other sensitive data. Set to false for debugging issues with credential handling or secret management, but be aware this may expose sensitive information in logs. |
 
 ### nbde_client_bindings
 
diff --git a/defaults/main.yml b/defaults/main.yml
index e560f5f5..220496dc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -21,5 +21,6 @@ nbde_client_early_boot: true
 # - http://server1.example.com
 # - http://server2.example.com
 nbde_client_bindings: []
+nbde_client_secure_logging: true
 
 # vim:set ts=2 sw=2 et:
diff --git a/tasks/main-clevis.yml b/tasks/main-clevis.yml
index 75619195..2dc6a5e1 100644
--- a/tasks/main-clevis.yml
+++ b/tasks/main-clevis.yml
@@ -6,6 +6,7 @@
 
 - name: Get services
 service_facts:
+ no_log: "{{ ansible_verbosity < 2 }}"
 
 - name: Enable clevis askpass unit
 systemd:
@@ -29,7 +30,7 @@
 bindings: "{{ nbde_client_bindings | default([]) }}"
 check_mode: true
 register: __nbde_client_clevis_check_state
- no_log: true
+ no_log: "{{ nbde_client_secure_logging }}"
 
 - name: Prepare key files, perform clevis operations and dispose of key files
 when:
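Review bot: The new default `nbde_client_secure_logging: true` in defaults/main.yml has no comment next to it, while the neighbouring `nbde_client_bindings` default is preceded by commented examples, and this knob is the one a user is most likely to flip without understanding the cost. The README row added in this same commit says that setting it to false exposes credential and secret handling in the logs; that trade-off should be stated where the value is set, not only in the README. Suggested comment directly above the new line: `# Set to false only while debugging clevis binding tasks: their output, including key material, is then written to the log`.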
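Review bot: `no_log: "{{ ansible_verbosity < 2 }}"` on the `Get services` task in tasks/main-clevis.yml is driven by a different switch than the three `no_log: "{{ nbde_client_secure_logging }}"` changes in the same file, and nothing records why. If the intent is only to hide the bulky service_facts dump rather than anything sensitive, say so, otherwise a later reader will "fix" it to the new variable: `# service_facts output is large but not secret; show it only at -vv and above`. The collapsed diff also does not show the column at which `no_log` was inserted; it has to sit at task level, aligned with `service_facts:`, because service_facts takes no module arguments and a `no_log` key nested under it would presumably be rejected as an unexpected parameter rather than silently ignored. The task at `@@ -29` registers `__nbde_client_clevis_check_state`; when secure logging is turned off, that registered result is printed in full as well, which is worth a line in the README row if it is not already implied.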
@@ -55,7 +56,7 @@
 loop: "{{ nbde_client_bindings }}"
 loop_control:
 label: "{{ item.encryption_key_src | default('') }}"
- no_log: true
+ no_log: "{{ nbde_client_secure_logging }}"
 
 - name: Perform clevis operations
 when:
@@ -65,7 +66,7 @@
 bindings: "{{ nbde_client_bindings | default([]) }}"
 data_dir: "{{ nbde_client_tempdir.path }}"
 notify: Handle nbde_client update initramfs
- no_log: true
+ no_log: "{{ nbde_client_secure_logging }}"
 
 rescue:
 - name: Failed message