Automatic full disk encryption for DigitalOcean
The supported-image table below is for one path: assisted setup on fresh, unencrypted DigitalOcean Droplet images. It is not the full Panocrypt-managed unlock compatibility boundary.
If a Linux system already uses LUKS, or you set up LUKS yourself on another
provider or distro, you can usually bind an unused keyslot to Panocrypt with
your distro’s cryptsetup, Clevis, and the standard Clevis tang pin. No
Panocrypt host software is required for that path. Start with
Bind an existing LUKS volume or
Bind an existing encrypted root disk.
Use this page when you want the Panocrypt setup helper to run from user-data, set up LUKS on the root disk, bind managed boot unlock, and verify encrypted boot.
Supported DigitalOcean images
Section titled “Supported DigitalOcean images”| Distribution | Versions or images | Notes |
|---|---|---|
| Ubuntu | 22.04, 24.04, 25.10 | |
| Debian | 12, 13 | |
| Fedora | 42, 43 | |
| CentOS Stream | 9, 10 | Requires an attached scratch volume. |
| Rocky Linux | 9.2, 10.0 | |
| AlmaLinux | 9.7, 10.1 | |
| Ubuntu GPU images | AMD AI/ML, H100x1, H100x8 |
Scratch-volume setup
Section titled “Scratch-volume setup”DigitalOcean CentOS Stream 9 and 10 use a scratch-volume setup path because the image layout does not have a safe in-place shrink path for the root filesystem. Attach a disposable scratch volume before setup and remove it after the setup has verified encrypted boot.
Read Scratch volume disk encryption setup before using those CentOS Stream images.
Try it on a disposable Droplet
Section titled “Try it on a disposable Droplet”DigitalOcean is a good first test when you want the full journey from user-data to encrypted boot on a small disposable server.
Provider billing minimums apply. For a short disposable test, the cost is often small, but the exact billing interval and price are controlled by DigitalOcean.
Start with Try a fresh test server.
Related guides
Section titled “Related guides”| Goal | Guide |
|---|---|
| Understand the two Panocrypt paths | What runs on your server |
| Understand assisted setup | Assisted fresh-server setup |
| Preserve recovery material | Assisted setup recovery material |
| Compare provider setup paths | Assisted setup providers |
| Learn how LUKS keyslots make removal simple | LUKS keyslots |