# Disable unlocks Disabling unlocks removes a device from the Panocrypt-managed unlock path for future managed boot unlock requests. ## What disabling changes - Panocrypt stops allowing future managed unlock for the device under its Panocrypt binding. - The device history and audit trail can show that managed unlock was disabled. - Operators can use this when systems leave the fleet, source policy changes, or a test needs to prove denied unlock behavior. ## What disabling does not change Disabling unlocks does not: - Lock a host that is already running. - Remove keys from memory. - Remotely modify a LUKS header. - Delete independent local recovery keyslots. - Wipe the server or destroy local LUKS keyslots. Customer-held recovery passphrases, independent keyslots, header backups, and local unlock paths remain the customer's responsibility. If you want to remove the local Panocrypt-bound LUKS keyslot entirely, use [Remove the Panocrypt binding](https://docs.panocrypt.com/trust/remove-panocrypt-binding/). That is a local LUKS/Clevis operation, not a Panocrypt approval flow. ## When to use it Use **Disable managed unlock** when: - A server leaves the fleet. - A device is being investigated and should not receive future managed unlocks. - A source policy is wrong and needs to be stopped before it is rebuilt. - You are running a proof that needs to show denied unlock behavior. For temporary exceptions, prefer **Allow once** when the operator intent is to permit exactly one future managed unlock and then return to the normal policy. ## Test denied unlock behavior For a test LUKS volume: 1. Prove allowed unlock first. 2. Disable managed unlock in the device detail page. 3. Close the LUKS mapper. 4. Retry `sudo clevis luks unlock -d "$LUKS_DEVICE" -n "$MAPPER"`. 5. Confirm the managed unlock is denied. 6. Review the device activity and audit trail. For a root disk, test only during a planned reboot window with customer-held recovery material and provider console or KVM access available. ## Restore managed unlock Open the device detail page and restore **Managed unlock** when the device is allowed to use Panocrypt-managed unlock again. Confirm the source policy still matches the expected boot-time source IP before the next planned reboot. ## Operational boundary Disabling managed unlock is a future-unlock control. It gives operators a clear way to stop Panocrypt from participating in later managed unlocks without claiming to lock, wipe, or change a running server.