# Automatic full disk encryption for DigitalOcean

The supported-image table below is for one path: assisted setup on fresh,
unencrypted DigitalOcean Droplet images. It is not the full Panocrypt-managed
unlock compatibility boundary.

If a Linux system already uses LUKS, or you set up LUKS yourself on another
provider or distro, you can usually bind an unused keyslot to Panocrypt with
your distro's `cryptsetup`, Clevis, and the standard Clevis `tang` pin. No
Panocrypt host software is required for that path. Start with
[Bind an existing LUKS volume](https://docs.panocrypt.com/setup/existing-luks-volume/) or
[Bind an existing encrypted root disk](https://docs.panocrypt.com/setup/existing-luks-root-disk/).

Use this page when you want the Panocrypt setup helper to run from user-data,
set up LUKS on the root disk, bind managed boot unlock, and verify encrypted
boot.

## Supported DigitalOcean images

| Distribution | Versions or images | Notes |
|---|---|---|
| Ubuntu | 22.04, 24.04, 25.10 |  |
| Debian | 12, 13 |  |
| Fedora | 42, 43 |  |
| CentOS Stream | 9, 10 | Requires an attached scratch volume. |
| Rocky Linux | 9.2, 10.0 |  |
| AlmaLinux | 9.7, 10.1 |  |
| Ubuntu GPU images | AMD AI/ML, H100x1, H100x8 |  |

## Scratch-volume setup

DigitalOcean CentOS Stream 9 and 10 use a scratch-volume setup path because the
image layout does not have a safe in-place shrink path for the root filesystem.
Attach a disposable scratch volume before setup and remove it after the setup
has verified encrypted boot.

Read [Scratch volume disk encryption setup](https://docs.panocrypt.com/setup/scratch-volume-setup/)
before using those CentOS Stream images.

## Try it on a disposable Droplet

DigitalOcean is a good first test when you want the full journey from
user-data to encrypted boot on a small disposable server.

Provider billing minimums apply. For a short disposable test, the cost is often
small, but the exact billing interval and price are controlled by DigitalOcean.

Start with [Try a fresh test server](https://docs.panocrypt.com/getting-started/fresh-test-server/).

## Related guides

| Goal | Guide |
|---|---|
| Understand the two Panocrypt paths | [What runs on your server](https://docs.panocrypt.com/concepts/managed-unlock-vs-setup/) |
| Understand assisted setup | [Assisted fresh-server setup](https://docs.panocrypt.com/setup/supported-disk-encryption/) |
| Preserve recovery material | [Assisted setup recovery material](https://docs.panocrypt.com/setup/recovery-material/) |
| Compare provider setup paths | [Assisted setup providers](https://docs.panocrypt.com/providers/) |
| Learn how LUKS keyslots make removal simple | [LUKS keyslots](https://docs.panocrypt.com/concepts/luks-keyslots/) |