# Assisted fresh-server encryption setup

Use this page when a server starts from a fresh, unencrypted provider image and
you want the Panocrypt setup helper to set up LUKS, bind managed boot unlock,
and verify encrypted boot.

There are two ways to use Panocrypt:

| Path | Use it when | What it depends on |
|---|---|---|
| Bind Panocrypt to an existing LUKS device | Your server or volume already uses LUKS, or you want to set up LUKS yourself. | Your distro's `cryptsetup`, Clevis, and the standard Clevis `tang` pin. |
| Let Panocrypt set up disk encryption | Your server starts from a normal unencrypted provider image. | A provider image that Panocrypt's setup helper already supports. |

Already using LUKS? You do not need the setup helper or Panocrypt host
software. Bind an unused keyslot with your distro's `cryptsetup`, Clevis, and
the standard Clevis `tang` pin through
[Bind an existing LUKS volume](https://docs.panocrypt.com/setup/existing-luks-volume/) or
[Bind an existing encrypted root disk](https://docs.panocrypt.com/setup/existing-luks-root-disk/). For
an encrypted root disk, boot unlock still depends on an initramfs that can run
Clevis, bring up networking, and reach Panocrypt over TLS.

## When to use fresh-server setup

The supported-image list is only for assisted disk encryption setup: the path
where the temporary Panocrypt setup helper starts from a fresh, unencrypted
provider image, sets up LUKS on the root disk, connects managed boot unlock,
verifies encrypted boot, then leaves future boot unlock to LUKS, Clevis, the
distro's initramfs hooks, and Panocrypt policy.

Provider images change. Partition layouts, filesystem defaults, bootloader
behavior, and initramfs assumptions can shift between image revisions. That is
why the setup helper lists specific providers, distros, and versions.

## Assisted setup providers

Use [Assisted setup providers](https://docs.panocrypt.com/providers/) when you want to know whether
Panocrypt can set up disk encryption on a fresh server from a specific
provider.

## What Panocrypt sets up

For a supported fresh provider image, the setup helper can:

- Register the device from an enrollment key or device setup command.
- Generate or use customer-held LUKS recovery material.
- Set up LUKS on the root disk.
- Prepare initramfs networking and CA trust so early boot can reach Panocrypt
  over TLS.
- Bind one LUKS keyslot to Panocrypt-managed unlock through Clevis.
- Reboot and verify the encrypted root path.
- Report setup progress and unlock decision evidence to Panocrypt.

Panocrypt does not receive the LUKS recovery passphrase, disk plaintext, or the
local unlock key. Preserve the generated recovery material outside
Panocrypt.

## After assisted setup

After assisted setup, routine boot unlock does not depend on a Panocrypt host
agent.

The server keeps the normal Linux encryption pieces: LUKS, `dm-crypt`,
`cryptsetup`, Clevis, distro initramfs hooks, the local LUKS header, and the
Panocrypt-bound Clevis metadata. The Panocrypt setup helper performs and
verifies the setup run. It is not the boot-time unlock mechanism.

At boot, Clevis contacts Panocrypt from `initramfs` and opens the
Panocrypt-bound LUKS keyslot only when policy allows. If Panocrypt is
unavailable or policy denies unlock, use your break-glass path: a
customer-held recovery passphrase, another independent LUKS keyslot, provider
console or rescue access, or another local unlock path you control.

## Assisted setup recovery material

Setup can use either customer-supplied or generated local recovery material.
Panocrypt does not store that recovery passphrase or show it later.

After setup, retrieve the customer-held recovery material, test it, store it
outside Panocrypt, and remove any on-host copy. Use
[Assisted setup recovery material](https://docs.panocrypt.com/setup/recovery-material/) for the exact path,
commands, cleanup, and rotation guidance.

## Setup path

At a high level, a fresh-server setup run follows this path:

1. Check [Assisted setup providers](https://docs.panocrypt.com/providers/) for the exact
   provider image.
2. Create a device or enrollment key in Panocrypt.
3. Copy the generated setup command or cloud-init/user-data.
4. Run setup on the target, then watch progress in the console.
5. Preserve [customer-controlled recovery material](https://docs.panocrypt.com/setup/recovery-material/)
   from the target.
6. Verify encrypted boot, test managed unlock policy, and keep rollout
   evidence outside Panocrypt.

## Verification

After setup completes and the host comes back up from the verification reboot, run:

```sh
sudo panocrypt disk verify
findmnt / -o SOURCE,FSTYPE
sudo cryptsetup status cryptroot
```

Expected results:

| Check | Expected result |
|---|---|
| `panocrypt disk verify` | The setup verifier reports success. |
| `findmnt /` | Root is mounted from a LUKS mapper source such as `/dev/mapper/cryptroot`. |
| `cryptsetup status cryptroot` | The root LUKS device is active. |
| Panocrypt device activity | Managed unlock and setup evidence are visible. |
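The checks in the table above can be scripted so that rollout evidence is repeatable. The following is an added example, not Panocrypt's own tooling or a script from this page: each expected result becomes a POSIX sh function that takes captured command output, so the logic can be exercised offline against constructed sample output and run live as root with `PANOCRYPT_VERIFY_LIVE=1`. The mapper name `cryptroot` is from the page; the output layouts of `findmnt`, `cryptsetup status` and `cryptsetup luksDump` (LUKS2 keyslots listed as `N: luks2`, Clevis bindings as `N: clevis` under Tokens) and all sample values are assumptions. It also goes one step beyond the table: it checks that at least one keyslot exists that is not the Clevis-bound one, which is what the break-glass path under "After assisted setup" relies on when Panocrypt is unreachable or policy denies unlock.

```shell
#!/bin/sh
# Added example, not Panocrypt's own tooling: offline-testable checks that
# mirror the verification table. The mapper name "cryptroot" is from the
# page; the output layouts of findmnt, `cryptsetup status` and
# `cryptsetup luksDump` are assumptions, illustrated with constructed samples.

# Root must be mounted from a device-mapper node (dm-crypt), not a raw
# partition. $1 is the single line printed by `findmnt / -n -o SOURCE,FSTYPE`.
root_is_on_mapper() {
  case "$1" in
    /dev/mapper/*) return 0 ;;
    *)             return 1 ;;
  esac
}

# The mapping must be active and LUKS-typed. $1 is the output of
# `cryptsetup status cryptroot`.
mapping_is_active_luks() {
  printf '%s\n' "$1" | grep -q ' is active' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*type:[[:space:]]*LUKS'
}

# Keyslot inventory from `cryptsetup luksDump` (assumed layout): populated
# LUKS2 keyslots are listed as "N: luks2"; Clevis bindings as "N: clevis".
count_keyslots()      { printf '%s\n' "$1" | grep -Ec '^[[:space:]]*[0-9]+: luks2'  || true; }
count_clevis_tokens() { printf '%s\n' "$1" | grep -Ec '^[[:space:]]*[0-9]+: clevis' || true; }

# Break-glass check: at least one Clevis (Panocrypt-bound) token, and more
# keyslots than Clevis tokens, so an independent slot (recovery passphrase or
# another local key) remains usable if policy denies unlock or Panocrypt is
# unreachable.
has_independent_keyslot() {
  slots=$(count_keyslots "$1")
  tokens=$(count_clevis_tokens "$1")
  [ "$tokens" -ge 1 ] && [ "$slots" -gt "$tokens" ]
}

# Run all three checks on captured text; prints one PASS/FAIL line per check
# and returns non-zero if any check failed.
verify_captured() {
  findmnt_line=$1; status_out=$2; dump_out=$3; rc=0
  for check in root_is_on_mapper mapping_is_active_luks has_independent_keyslot; do
    case $check in
      root_is_on_mapper)       input=$findmnt_line ;;
      mapping_is_active_luks)  input=$status_out ;;
      has_independent_keyslot) input=$dump_out ;;
    esac
    if "$check" "$input"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
  done
  return $rc
}

# Live mode: capture the real command output (root required). Only runs when
# explicitly requested, so the file is safe to source or test elsewhere.
verify_live() {
  dev=$(cryptsetup status cryptroot | awk '/device:/ {print $2}')
  verify_captured "$(findmnt / -n -o SOURCE,FSTYPE)" \
                  "$(cryptsetup status cryptroot)" \
                  "$(cryptsetup luksDump "$dev")"
}

# Constructed sample output for a correctly set-up host (not real captures).
SAMPLE_FINDMNT='/dev/mapper/cryptroot ext4'
SAMPLE_STATUS=$(cat <<'EOF'
/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/vda3
  mode:    read/write
EOF
)
SAMPLE_DUMP_OK=$(cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
EOF
)
# Constructed sample where the only keyslot is the Clevis-bound one: no break-glass.
SAMPLE_DUMP_NO_RECOVERY=$(cat <<'EOF'
Keyslots:
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
EOF
)

if [ "${PANOCRYPT_VERIFY_LIVE:-0}" = 1 ]; then verify_live; fi
```

Save the file alongside the `sudo panocrypt disk verify` output and run it as `sudo PANOCRYPT_VERIFY_LIVE=1 sh verify.sh` on the rebooted host; a `FAIL has_independent_keyslot` line means the host would have no local unlock path if managed unlock were denied, which is worth fixing before the image class is cleared for rollout.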

## Rollout boundary

A successful verification proves the setup path for one supported fresh
provider image. That is different from proving every image in your fleet.
Treat production rollout as a staged infrastructure change with recovery
access, backups, provider-specific checks, and audit evidence for each target
class.