Skip to content
Panocrypt Docs

Disable unlocks

Disabling unlocks removes a device from the Panocrypt-managed unlock path for future managed boot unlock requests.

What disabling changes

Section titled “What disabling changes”
  • Panocrypt stops allowing future managed unlock for the device under its Panocrypt binding.
  • The device history and audit trail can show that managed unlock was disabled.
  • Operators can use this when systems leave the fleet, source policy changes, or a test needs to prove denied unlock behavior.

What disabling does not change

Section titled “What disabling does not change”

Disabling unlocks does not:

  • Lock a host that is already running.
  • Remove keys from memory.
  • Remotely modify a LUKS header.
  • Delete independent local recovery keyslots.
  • Wipe the server or destroy local LUKS keyslots.

Customer-held recovery passphrases, independent keyslots, header backups, and local unlock paths remain the customer’s responsibility.

If you want to remove the local Panocrypt-bound LUKS keyslot entirely, use Remove the Panocrypt binding. That is a local LUKS/Clevis operation, not a Panocrypt approval flow.

When to use it

Section titled “When to use it”

Use Disable managed unlock when:

  • A server leaves the fleet.
  • A device is being investigated and should not receive future managed unlocks.
  • A source policy is wrong and needs to be stopped before it is rebuilt.
  • You are running a proof that needs to show denied unlock behavior.

For temporary exceptions, prefer Allow once when the operator intent is to permit exactly one future managed unlock and then return to the normal policy.

Test denied unlock behavior

Section titled “Test denied unlock behavior”

For a test LUKS volume:

  1. Prove allowed unlock first.
  2. Disable managed unlock in the device detail page.
  3. Close the LUKS mapper.
  4. Retry sudo clevis luks unlock -d "$LUKS_DEVICE" -n "$MAPPER".
  5. Confirm the managed unlock is denied.
  6. Review the device activity and audit trail.

For a root disk, test only during a planned reboot window with customer-held recovery material and provider console or KVM access available.

Restore managed unlock

Section titled “Restore managed unlock”

Open the device detail page and restore Managed unlock when the device is allowed to use Panocrypt-managed unlock again. Confirm the source policy still matches the expected boot-time source IP before the next planned reboot.

Operational boundary

Section titled “Operational boundary”

Disabling managed unlock is a future-unlock control. It gives operators a clear way to stop Panocrypt from participating in later managed unlocks without claiming to lock, wipe, or change a running server.