# Source IP and one-time unlocks

After a device is bound to Panocrypt, source policy controls which observed
network sources may use Panocrypt-managed unlock. Use this page when a device
needs a source allowlist update or one planned unlock exception.

These controls affect future Panocrypt-managed network-bound unlock requests.
They do not lock a running host, remove keys from memory, change independent
local recovery keyslots, or replace customer-held recovery material.

For the technical model behind binding and boot-time recovery, read
[Automatic unlocks](https://docs.panocrypt.com/concepts/automatic-unlocks/).

## Source IP allowlists

Panocrypt checks the source IP it observes for a managed unlock request. A
device can unlock through Panocrypt only when the request matches its source
policy and the device is otherwise eligible.

Use source IP controls when:

- A server will boot from a fixed source network.
- You want to prove that Panocrypt allows one source and denies another.
- A server moved networks and needs its future unlock path updated before the
  next planned reboot.

In the console, open **Maintain** -> **Devices**, choose the device, and edit
**Source IP allowlist**. For shared network policy work, use **Maintain** ->
**Network Access**.

Saving the allowlist changes future managed unlock decisions. It does not test
the full LUKS unlock path by itself, and forwarding headers are not used as the
trusted source for authorization.

## Allow one unlock

**Allow once** creates a single-use allowance for the next qualifying managed
unlock attempt. After that attempt is spent, the device returns to its prior
unlock policy.

Use it when:

- A server needs one planned reboot from a known source.
- A disabled device needs one controlled unlock before normal policy is
  restored or rebuilt.
- You want to demonstrate a narrow exception without permanently broadening
  the source allowlist.

In the console, open **Maintain** -> **Devices**, choose the device, and use
**Allow once**.

The allowance is device-scoped and single-use. Lifecycle state, rate limits,
and manual approval still apply. It does not change local LUKS recovery
material.

## Related Controls

Use the narrower operation page for the control you need.

| Control | Guide |
|---|---|
| Stop or restore future managed unlock | [Disable unlocks](https://docs.panocrypt.com/operations/disable-unlocks/) |
| Require a human approval decision | [Approval groups](https://docs.panocrypt.com/operations/approval-groups/) |
| Receive approval prompts on a browser or phone | [Approval notifications](https://docs.panocrypt.com/operations/mobile-notifications/) |