Source IP and one-time unlocks
After a device is bound to Panocrypt, source policy controls which observed network sources may use Panocrypt-managed unlock. Use this page when a device needs a source allowlist update or one planned unlock exception.
These controls affect future Panocrypt-managed network-bound unlock requests. They do not lock a running host, remove keys from memory, change independent local recovery keyslots, or replace customer-held recovery material.
For the technical model behind binding and boot-time recovery, read Automatic unlocks.
Source IP allowlists
Panocrypt checks the source IP it observes for a managed unlock request. A device can unlock through Panocrypt only when the request matches its source policy and the device is otherwise eligible.
Use source IP controls when:
- A server will boot from a fixed source network.
- You want to prove that Panocrypt allows one source and denies another.
- A server moved networks and needs its future unlock path updated before the next planned reboot.
In the console, open Maintain -> Devices, choose the device, and edit Source IP allowlist. For shared network policy work, use Maintain -> Network Access.
Saving the allowlist changes future managed unlock decisions. It does not test the full LUKS unlock path by itself, and forwarding headers are not used as the trusted source for authorization.
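The point about forwarding headers, shown as an added illustration that is not Panocrypt's code: a Python model of an allowlist check that decides on the connection's peer address and ignores `X-Forwarded-For`, next to a header-trusting check for contrast. The function names, the sample addresses (documentation ranges), the IPv4-mapped handling and the empty-list behavior are assumptions.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse single IPs or CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def observed_source(peer_addr):
    """Address of the TCP peer, with IPv4-mapped IPv6 unwrapped (assumption)."""
    ip = ipaddress.ip_address(peer_addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def source_allowed(peer_addr, headers, allowlist):
    """Decide on the observed peer only; `headers` is deliberately unused."""
    try:
        ip = observed_source(peer_addr)
    except ValueError:
        return False  # unparseable source: fail closed
    return any(ip in net for net in allowlist)  # empty list denies in this model

def header_trusting_check(peer_addr, headers, allowlist):
    """Anti-pattern for contrast: believes a client-supplied header."""
    claimed = headers.get("X-Forwarded-For", peer_addr).split(",")[0].strip()
    return source_allowed(claimed, {}, allowlist)

# Constructed sample data (RFC 5737 documentation ranges).
ALLOWLIST = parse_allowlist(["203.0.113.0/24"])
REQUESTS = [
    ("203.0.113.10", {}),                                   # inside the range
    ("::ffff:203.0.113.10", {}),                            # same host, dual-stack socket
    ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"}),  # outside, header claims inside
]

if __name__ == "__main__":
    for peer, hdrs in REQUESTS:
        print(peer, hdrs, source_allowed(peer, hdrs, ALLOWLIST),
              header_trusting_check(peer, hdrs, ALLOWLIST))
```

The third request is the case to verify after an allowlist change: the peer-based check denies it, while a check that reads the header would have allowed it.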
Allow one unlock
Allow once creates a single-use allowance for the next qualifying managed unlock attempt. After that attempt is spent, the device returns to its prior unlock policy.
Use it when:
- A server needs one planned reboot from a known source.
- A disabled device needs one controlled unlock before normal policy is restored or rebuilt.
- You want to demonstrate a narrow exception without permanently broadening the source allowlist.
In the console, open Maintain -> Devices, choose the device, and use Allow once.
The allowance is device-scoped and single-use. Lifecycle state, rate limits, and manual approval still apply. It does not change local LUKS recovery material.
Related Controls
Use the narrower operation page for the control you need.
| Control | Guide |
|---|---|
| Stop or restore future managed unlock | Disable unlocks |
| Require a human approval decision | Approval groups |
| Receive approval prompts on a browser or phone | Approval notifications |