Linux Encryption-at-Rest Control Plane
Panocrypt is the control plane for Linux encryption at rest. It helps teams deploy Linux disk encryption, govern managed unlock, review unlock history and encryption-at-rest evidence, and disable unlocks when systems leave the fleet.
Two ways to use Panocrypt
Panocrypt’s first job is managed unlock. If your server already uses LUKS, you can use Panocrypt without installing Panocrypt software on the host. Bind an unused LUKS keyslot with your distribution’s cryptsetup, Clevis, and the standard Clevis tang pin. Panocrypt then operates policy-controlled remote unlock, approvals, unlock decision evidence, and managed unlock revocation.
Panocrypt’s optional second job is disk encryption setup. Use it when a server starts from an ordinary unencrypted provider image listed in assisted setup providers and you want Panocrypt’s setup helper to enroll the device, set up LUKS, bind managed unlock, verify encrypted boot, and leave future boot unlock to LUKS, Clevis, initramfs, and Panocrypt policy.
| Part | Best when | What runs on the server |
|---|---|---|
| Managed unlock | The server already uses LUKS, or you want to bind manually with distro tools. | Existing-LUKS bind uses distro cryptsetup, Clevis, and the Clevis tang pin. No Panocrypt host agent is required for the bind or unlock path. |
| Assisted disk encryption setup | The server starts from a supported unencrypted provider image. | The Panocrypt setup helper runs temporarily, sets up LUKS and managed unlock, verifies encrypted boot, then leaves future boot unlock to LUKS, Clevis, initramfs, and Panocrypt policy. |
Read LUKS keyslots if you want to see exactly how Panocrypt uses one removable LUKS keyslot while your recovery material stays separate.
Start with the smallest proof
If you are evaluating Panocrypt for the first time, start with the path that answers your trust question while touching the least infrastructure.
| Trust question | Start here | What you provide | Does not prove |
|---|---|---|---|
| Smallest trust proof | Test Panocrypt unlock | A Linux host with distro LUKS and Clevis packages. | Root-disk boot unlock or initramfs readiness. |
| Use an existing encrypted data volume | Bind an existing LUKS volume | An encrypted data volume and recovery material. | Automatic root-disk unlock at boot. |
| Use an existing encrypted root disk | Bind an encrypted root disk | Initramfs networking, CA certificates, Clevis hooks, console access, and recovery material. | That every distro image is already initramfs-ready. |
| Watch assisted setup end to end | Test assisted setup | A throwaway supported cloud server and cloud-init/user-data or the provider setup path. | Production rollout readiness for your own fleet. |
Read Automatic unlocks if you want the boot-time model before testing. Read What runs on your server if you want the top-level split first.
Set up real systems
After the first proof, use the setup guide that matches the system you are touching.
| Setup guide | Use it for |
|---|---|
| Existing LUKS volume | Binding a real encrypted data volume with distro LUKS and Clevis packages, with no Panocrypt host agent. |
| Existing LUKS root disk | Advanced unattended root-disk unlock when initramfs networking and CA trust are ready. |
| Assisted fresh-server setup | Using Panocrypt’s setup helper to turn a supported fresh provider image into a LUKS-backed server. |
| Assisted setup providers | Provider-specific fresh-image setup paths, requirements, and supported distro versions. |
| Assisted setup recovery material | Finding, testing, storing, and removing the local LUKS recovery passphrase after assisted setup. |
| Scratch volume setup | DigitalOcean CentOS Stream setup where an attached scratch volume is required. |
Operate unlocks
After a device is bound to Panocrypt, each setup path uses the same managed unlock controls.
| Operations guide | Use it for |
|---|---|
| Source IP and one-time unlocks | Allow or block source IPs and grant one controlled unlock without broadening normal policy. |
| Approval groups | Require human approval for tagged devices and decide who can approve, deny, or defer unlock requests. |
| Mobile notifications | Register a browser or phone browser for unlock approval notifications. |
| Disable unlocks | Stop future Panocrypt-managed unlock for a device, then restore it when the device should rejoin policy. |
Trust boundary
Panocrypt does not escrow disk keys, LUKS passphrases, recovery passphrases, or disk plaintext. Customers must preserve customer-controlled LUKS recovery material. See No custody of disk keys for the binding and boot-time recovery exchange. If you use assisted setup, retrieve and store the generated recovery passphrase from Assisted setup recovery material.
If you stop using Panocrypt-managed unlock, you can keep the server encrypted and remove the Panocrypt-bound LUKS keyslot with ordinary Linux tools. See Remove the Panocrypt binding.
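The existing-LUKS bind described under “Two ways to use Panocrypt” and the keyslot removal described here both use only distro cryptsetup and Clevis. The script below is an added example, not Panocrypt’s own tooling or documentation: it binds one unused keyslot with the standard Clevis tang pin, confirms the new slot and the remote unlock path, and removes the binding again while proving that the customer-held recovery passphrase still opens the volume. The device path, the tang URL and the advertisement-key thumbprint (`thp`) are placeholders; the assumption is that Panocrypt exposes a standard tang endpoint, which is what the page says the tang pin talks to.

```shell
#!/bin/sh
# Added example, not Panocrypt code: bind one unused LUKS keyslot to a tang
# endpoint with distro cryptsetup and Clevis, verify it, and remove it again.
# Device path, tang URL and thumbprint are placeholders supplied on the command line.
set -eu

# Print the keyslot numbers in use, reading `cryptsetup luksDump` output on
# stdin. Understands LUKS2 ("  0: luks2") and LUKS1 ("Key Slot 0: ENABLED").
used_keyslots() {
  awk '
    /^Keyslots:/                   { in_slots = 1; next }
    /^(Tokens|Digests):/           { in_slots = 0 }
    in_slots && /^  [0-9]+: luks2/ { sub(/:.*/, ""); gsub(/ /, ""); print }
    /^Key Slot [0-9]+: ENABLED/    { sub(/:/, "", $3); print $3 }
  '
}

# Print "<slot> <url>" for every tang binding, reading `clevis luks list`
# output on stdin (lines look like: 1: tang '{"url":"https://..."}').
tang_bindings() {
  sed -n 's/^\([0-9][0-9]*\): tang .*"url":"\([^"]*\)".*/\1 \2/p'
}

# Print the first slot present in the "after" list ($2) but not in "before" ($1).
# Fails when nothing was added, which makes the bind step fail loudly.
new_slot() {
  for s in $2; do
    case " $1 " in *" $s "*) ;; *) echo "$s"; return 0 ;; esac
  done
  return 1
}

# bind_tang_slot DEV URL THP
# THP is the tang signing-key thumbprint verified out of band; pinning it in the
# pin config avoids trusting whatever advertisement the endpoint serves first.
bind_tang_slot() {
  dev=$1; url=$2; thp=$3
  cryptsetup isLuks "$dev"
  before=$(cryptsetup luksDump "$dev" | used_keyslots | tr '\n' ' ')
  # The recovery passphrase must open the volume before a new slot is added.
  cryptsetup open --test-passphrase "$dev"
  clevis luks bind -d "$dev" tang "{\"url\":\"$url\",\"thp\":\"$thp\"}"
  after=$(cryptsetup luksDump "$dev" | used_keyslots | tr '\n' ' ')
  slot=$(new_slot "$before" "$after")
  echo "bound keyslot $slot: $(clevis luks list -d "$dev" | tang_bindings | grep "^$slot ")"
  # Prove the remote unlock path works end to end, then drop the test mapping.
  clevis luks unlock -d "$dev" -n clevis_bind_test
  cryptsetup close clevis_bind_test
}

# unbind_tang_slot DEV URL: remove every tang keyslot bound to URL, then confirm
# the recovery passphrase still works and show which keyslots remain.
unbind_tang_slot() {
  dev=$1; url=$2
  clevis luks list -d "$dev" | tang_bindings | while read -r slot bound_url; do
    [ "$bound_url" = "$url" ] || continue
    clevis luks unbind -d "$dev" -s "$slot" -f
  done
  cryptsetup open --test-passphrase "$dev"
  echo "remaining keyslots: $(cryptsetup luksDump "$dev" | used_keyslots | tr '\n' ' ')"
}

# Usage: sh tang-slot.sh bind   /dev/sdb1 https://tang.example.com <thp>
#        sh tang-slot.sh unbind /dev/sdb1 https://tang.example.com
case "${1:-}" in
  bind)   bind_tang_slot "$2" "$3" "$4" ;;
  unbind) unbind_tang_slot "$2" "$3" ;;
esac
```

Both paths run `cryptsetup open --test-passphrase` against the volume, so the script never leaves a server whose only working keyslot is the remotely controlled one: the bind is refused if recovery material does not open the volume, and the unbind reports the keyslots that survive it. The `thp` value should come from a thumbprint you obtained and checked separately, not from the advertisement the script would otherwise be asked to trust.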
Compatibility boundary
Existing LUKS systems can generally bind to Panocrypt through the standard Clevis tang pin. Panocrypt is not limited to the provider images listed in Assisted setup providers. That list only applies when you want Panocrypt to take a fresh, unencrypted cloud image and set up LUKS for you.
See Assisted setup providers before using assisted disk encryption setup on a new provider image.