Scratch volume disk encryption setup
Most supported provider images can be set up in place. Some cannot, because their root filesystem or disk layout offers no safe way to shrink the root filesystem in place.
For those images, Panocrypt disk encryption setup uses an attached scratch volume as temporary working space.
When a scratch volume is used
DigitalOcean CentOS Stream 9 and 10 currently require a scratch volume for Panocrypt disk encryption setup.
The reason is practical: those images use an XFS root layout that does not have a safe in-place shrink path. Panocrypt still sets up LUKS and managed unlock, but it needs temporary space to preserve and restore the root filesystem while the server root disk is rebuilt.
What happens during setup
At a high level, the setup helper:
- Confirms the server root disk and scratch device.
- Copies the root filesystem to the scratch volume.
- Rebuilds the server root disk layout for a LUKS-backed root.
- Restores the filesystem to the encrypted root disk.
- Binds one LUKS keyslot to Panocrypt-managed unlock through Clevis.
- Verifies fallback unlock and managed unlock.
- Reboots and verifies the encrypted root path.
The scratch volume is temporary working space. It is not part of the normal managed unlock path after setup.
Before and after setup
Use a scratch volume only when the provider guide or supported setup page calls for one.
Before setup:
- Attach a disposable block volume to the server.
- Make sure you select the scratch device, not the root device.
- Expect the scratch volume to be overwritten.
- Keep normal backups and recovery access for anything you care about.
After setup:
- Verify encrypted boot.
- Preserve the customer-held LUKS recovery material outside Panocrypt.
- Wipe, detach, and delete the scratch volume according to your provider’s normal cleanup process.
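The two checks from the lists above that are easiest to get wrong, picking the scratch device rather than the root device before setup and confirming that the root path is actually encrypted afterwards, as an added example. This is not Panocrypt's setup helper or any of its tooling; it is a stand-alone script that parses the key="value" output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`. Both device listings embedded in it are constructed before/after samples, not output captured from a real server, and the device names `vda`/`vdb` and the mapping name `cryptroot` are assumptions.

```shell
#!/bin/sh
# Added example, not Panocrypt's setup helper: two guard checks built on the
# key="value" output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`.
#   scratch_is_safe   - before setup: is this device really the scratch volume?
#   root_is_encrypted - after setup:  is / mounted from a LUKS-backed mapping?

# Constructed sample (not captured from a real server): an XFS root on vda1
# with a disposable scratch volume attached as vdb. Device names are assumptions.
BEFORE_SETUP='NAME="vda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="vda1" PKNAME="vda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/"
NAME="vdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""'

# Constructed sample of the same server after setup: / now lives on the
# dm-crypt mapping "cryptroot" (an assumed name) on top of a LUKS partition.
AFTER_SETUP='NAME="vda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="vda1" PKNAME="vda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
NAME="vda2" PKNAME="vda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="vda2" TYPE="crypt" FSTYPE="xfs" MOUNTPOINT="/"
NAME="vdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""'

# awk helper shared by both checks: val("KEY") returns KEY's value from the
# current lsblk -P line. A leading space is prepended so that NAME= never
# matches inside PKNAME=.
AWK_VAL='function val(key,  line) {
    line = " " $0
    if (!match(line, " " key "=\"[^\"]*\"")) return ""
    return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
}'

# scratch_is_safe LISTING DEVICE
# Succeeds only when DEVICE is a whole disk that sits nowhere in the chain
# beneath the root filesystem and has nothing mounted on it or its children.
scratch_is_safe() {
    dev=${2#/dev/}
    printf '%s\n' "$1" | awk -v dev="$dev" "$AWK_VAL"'
    {
        name = val("NAME"); parent[name] = val("PKNAME")
        devtype[name] = val("TYPE"); mnt[name] = val("MOUNTPOINT")
        if (mnt[name] == "/") rootdev = name
    }
    END {
        if (!(dev in devtype) || devtype[dev] != "disk") exit 1
        # walk from the root filesystem up to its physical disk
        for (n = rootdev; n != ""; n = parent[n]) if (n == dev) exit 1
        # anything mounted beneath the candidate means it is in use
        for (n in mnt) {
            if (mnt[n] == "") continue
            for (p = n; p != ""; p = parent[p]) if (p == dev) exit 1
        }
        exit 0
    }'
}

# root_is_encrypted LISTING
# Succeeds when / is mounted from a dm-crypt mapping whose backing device
# carries a LUKS header.
root_is_encrypted() {
    printf '%s\n' "$1" | awk "$AWK_VAL"'
    {
        name = val("NAME"); parent[name] = val("PKNAME")
        devtype[name] = val("TYPE"); fstype[name] = val("FSTYPE")
        if (val("MOUNTPOINT") == "/") rootdev = name
    }
    END {
        if (rootdev == "" || devtype[rootdev] != "crypt") exit 1
        if (fstype[parent[rootdev]] != "crypto_LUKS") exit 1
        exit 0
    }'
}

# Demonstration on the constructed samples.
for candidate in vda vda1 vdb; do
    if scratch_is_safe "$BEFORE_SETUP" "$candidate"; then
        echo "before setup: $candidate is a safe scratch candidate"
    else
        echo "before setup: $candidate must NOT be used as scratch"
    fi
done
if root_is_encrypted "$AFTER_SETUP"; then
    echo "after setup: / is on a LUKS-backed mapping"
fi
```

On a live server the same functions take real output, for example `scratch_is_safe "$(lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT)" vdb` before attaching the volume to the setup, and `root_is_encrypted "$(lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT)"` after the reboot. The scratch check walks the parent chain rather than comparing names, so a root that is already on a LUKS mapping still resolves back to its physical disk.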
Setup result
Scratch-volume setup is still the same Panocrypt disk encryption setup outcome: LUKS-backed root, one Panocrypt-bound keyslot, managed boot unlock, and customer-held recovery material. The scratch volume only changes how Panocrypt gets there for image layouts that cannot be safely set up in place.