Automatic full disk encryption for Hetzner Cloud
The supported-image table below is for one path: assisted setup on fresh, unencrypted Hetzner Cloud images. It is not the full Panocrypt-managed unlock compatibility boundary.
If a Linux system already uses LUKS, or you set up LUKS yourself on another
provider or distro, you can usually bind an unused keyslot to Panocrypt with
your distro’s cryptsetup, Clevis, and the standard Clevis tang pin. No
Panocrypt host software is required for that path. Start with
Bind an existing LUKS volume or
Bind an existing encrypted root disk.
Use this page when you want the Panocrypt setup helper to run from cloud-init/user-data, set up LUKS on the root disk, bind managed boot unlock, and verify encrypted boot.
Supported Hetzner images
Section titled “Supported Hetzner images”| Distribution | Versions |
|---|---|
| Ubuntu | 22.04, 24.04, 26.04 |
| Debian | 12, 13 |
| openSUSE Leap | 16.0 |
| Fedora | 43, 44 |
| CentOS Stream | 9, 10 |
| Rocky Linux | 9.7, 10.1 |
| AlmaLinux | 9.7, 10.1 |
Try it on a disposable server
Section titled “Try it on a disposable server”Hetzner is a good first test because a small server can usually show the full journey quickly: enroll from cloud-init, set up disk encryption, reboot on encrypted root, then test managed unlock controls in Panocrypt.
Provider billing minimums apply. For a short disposable test, the cost is often small, but the exact billing interval and price are controlled by Hetzner.
Start with Try a fresh test server.
Related guides
Section titled “Related guides”| Goal | Guide |
|---|---|
| Understand the two Panocrypt paths | What runs on your server |
| Understand assisted setup | Assisted fresh-server setup |
| Preserve recovery material | Assisted setup recovery material |
| Compare provider setup paths | Assisted setup providers |
| Learn how LUKS keyslots make removal simple | LUKS keyslots |