Assisted fresh-server encryption setup
Use this page when a server starts from a fresh, unencrypted provider image and you want the Panocrypt setup helper to set up LUKS, bind managed boot unlock, and verify encrypted boot.
There are two ways to use Panocrypt:
| Path | Use it when | What it depends on |
|---|---|---|
| Bind Panocrypt to an existing LUKS device | Your server or volume already uses LUKS, or you want to set up LUKS yourself. | Your distro’s cryptsetup, Clevis, and the standard Clevis tang pin. |
| Let Panocrypt set up disk encryption | Your server starts from a normal unencrypted provider image. | A provider image that Panocrypt’s setup helper already supports. |
Already using LUKS? You do not need the setup helper or Panocrypt host
software. Bind an unused keyslot with your distro’s cryptsetup, Clevis, and
the standard Clevis tang pin through
Bind an existing LUKS volume or
Bind an existing encrypted root disk. For
an encrypted root disk, boot unlock still depends on an initramfs that can run
Clevis, bring up networking, and reach Panocrypt over TLS.
When to use fresh-server setup
The supported-image list is only for assisted disk encryption setup: the path where the temporary Panocrypt setup helper starts from a fresh, unencrypted provider image, sets up LUKS on the root disk, connects managed boot unlock, verifies encrypted boot, then leaves future boot unlock to LUKS, Clevis, the distro’s initramfs hooks, and Panocrypt policy.
Provider images change. Partition layouts, filesystem defaults, bootloader behavior, and initramfs assumptions can shift between image revisions. That is why the setup helper lists specific providers, distros, and versions.
Assisted setup providers
Use Assisted setup providers when you want to know whether Panocrypt can set up disk encryption on a fresh server from a specific provider.
What Panocrypt sets up
For a supported fresh provider image, the setup helper can:
- Register the device from an enrollment key or device setup command.
- Generate or use customer-held LUKS recovery material.
- Set up LUKS on the root disk.
- Prepare initramfs networking and CA trust so early boot can reach Panocrypt over TLS.
- Bind one LUKS keyslot to Panocrypt-managed unlock through Clevis.
- Reboot and verify the encrypted root path.
- Report setup progress and unlock decision evidence to Panocrypt.
Panocrypt does not receive the LUKS recovery passphrase, disk plaintext, or the local unlock key. Preserve the generated recovery material outside Panocrypt.
After assisted setup
After assisted setup, routine boot unlock does not depend on a Panocrypt host agent.
The server keeps the normal Linux encryption pieces: LUKS, dm-crypt,
cryptsetup, Clevis, distro initramfs hooks, the local LUKS header, and the
Panocrypt-bound Clevis metadata. The Panocrypt setup helper performs and
verifies the setup run. It is not the boot-time unlock mechanism.
At boot, Clevis contacts Panocrypt from initramfs and opens the
Panocrypt-bound LUKS keyslot only when policy allows. If Panocrypt is
unavailable or policy denies unlock, use your break-glass path: a
customer-held recovery passphrase, another independent LUKS keyslot, provider
console or rescue access, or another local unlock path you control.
Assisted setup recovery material
Setup can use either customer-supplied or generated local recovery material. Panocrypt does not store that recovery passphrase or show it later.
After setup, retrieve the customer-held recovery material, test it, store it outside Panocrypt, and remove any on-host copy. Use Assisted setup recovery material for the exact path, commands, cleanup, and rotation guidance.
Setup path
At a high level, a fresh-server setup run follows this path:
- Check Assisted setup providers for the exact provider image.
- Create a device or enrollment key in Panocrypt.
- Copy the generated setup command or cloud-init/user-data.
- Run setup on the target, then watch progress in the console.
- Preserve customer-controlled recovery material from the target.
- Verify encrypted boot, test managed unlock policy, and keep rollout evidence outside Panocrypt.
Verification
After setup completes and the host returns, run:

```sh
sudo panocrypt disk verify
findmnt / -o SOURCE,FSTYPE
sudo cryptsetup status cryptroot
```

Expected results:
| Check | Expected result |
|---|---|
| panocrypt disk verify | The setup verifier reports success. |
| findmnt / | Root is mounted from a LUKS mapper source such as /dev/mapper/cryptroot. |
| cryptsetup status cryptroot | The root LUKS device is active. |
| Panocrypt device activity | Managed unlock and setup evidence are visible. |
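The commands above show that root sits on an active LUKS mapper, but they do not confirm two things the "After assisted setup" and "Assisted setup recovery material" sections ask for: that a break-glass keyslot exists beside the Clevis-bound one, and that the customer-held recovery material actually opens the header. The script below is an added example, not Panocrypt's own tooling. It assumes a LUKS2 header (the cryptsetup default), the mapper name cryptroot (override with MAPPER), and a recovery keyfile path in RECOVERY_KEY_FILE; the parsing functions take command output as a string, so they run offline against the constructed samples at the bottom, and the live commands run only when PANOCRYPT_VERIFY_LIVE=1 is set as root.

```sh
#!/bin/sh
# Added example, not Panocrypt's own tooling. Checks after assisted setup:
# / on a dm-crypt mapper, mapper is an active LUKS device, LUKS2 header has a
# Clevis token AND a keyslot Clevis does not own (break-glass), and the
# recovery keyfile opens the header without mapping it.
# Assumed: LUKS2 header, mapper "cryptroot" (MAPPER), keyfile in RECOVERY_KEY_FILE.

MAPPER="${MAPPER:-cryptroot}"

# $1: the line printed by `findmnt / -n -o SOURCE,FSTYPE`, e.g. "/dev/mapper/cryptroot ext4".
root_source_is_mapper() {
  case "$1" in
    /dev/mapper/*) return 0 ;;
    *)             return 1 ;;
  esac
}

# $1: output of `cryptsetup status <mapper>`. True when the mapping is active and LUKS-typed.
mapper_is_active_luks() {
  printf '%s\n' "$1" | grep -q ' is active' || return 1
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*type:[[:space:]]+LUKS' || return 1
}

# $1: output of `cryptsetup luksDump <device>`. Prints the number of populated keyslots.
luks_keyslot_count() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { in_slots = 1; next }
    /^[A-Za-z]/  { in_slots = 0 }
    in_slots && /^[ \t]+[0-9]+: luks2/ { n++ }
    END { print n + 0 }'
}

# $1: luksDump output. Prints the keyslot number each Clevis token points at, one per line.
clevis_bound_keyslots() {
  printf '%s\n' "$1" | awk '
    /^Tokens:/  { in_tok = 1; next }
    /^[A-Za-z]/ { in_tok = 0 }
    in_tok && /^[ \t]+[0-9]+: clevis/ { want = 1; next }
    in_tok && want && /Keyslot:/      { print $2; want = 0 }'
}

# Break-glass check: at least one Clevis-bound slot, and more slots than Clevis owns.
has_independent_keyslot() {
  total=$(luks_keyslot_count "$1")
  bound=$(clevis_bound_keyslots "$1" | awk 'END { print NR }')
  if [ "$bound" -ge 1 ] && [ "$total" -gt "$bound" ]; then return 0; else return 1; fi
}

# Live checks against the running host (needs root, cryptsetup, findmnt).
verify_live() {
  status=$(cryptsetup status "$MAPPER")
  mapper_is_active_luks "$status" || { echo "FAIL: $MAPPER is not an active LUKS mapping"; return 1; }
  root_source_is_mapper "$(findmnt / -n -o SOURCE,FSTYPE)" || { echo "FAIL: / is not on a mapper"; return 1; }
  dev=$(printf '%s\n' "$status" | awk '$1 == "device:" { print $2 }')
  dump=$(cryptsetup luksDump "$dev")
  has_independent_keyslot "$dump" || { echo "FAIL: no keyslot beside the Clevis-bound one on $dev"; return 1; }
  if [ -n "${RECOVERY_KEY_FILE:-}" ]; then
    # --test-passphrase verifies the key against the header without activating a mapping.
    cryptsetup open --test-passphrase --key-file "$RECOVERY_KEY_FILE" "$dev" \
      || { echo "FAIL: recovery key rejected by $dev"; return 1; }
  fi
  echo "OK: / on $MAPPER ($dev); Clevis slot plus independent keyslot present"
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_FINDMNT='/dev/mapper/cryptroot ext4'
SAMPLE_STATUS='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/vda2
  mode:    read/write'
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'
# Same header with the recovery slot removed: only the Clevis-bound slot remains.
SAMPLE_DUMP_CLEVIS_ONLY='Keyslots:
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1'

if [ "${PANOCRYPT_VERIFY_LIVE:-0}" = "1" ]; then
  verify_live
fi
```

Run it as `sudo PANOCRYPT_VERIFY_LIVE=1 RECOVERY_KEY_FILE=/path/to/recovery.key sh verify-luks.sh` on the host after the reboot. The `--test-passphrase` step is the safe way to prove the recovery material before you move it off the host and shred the local copy; a header with only the Clevis-bound slot fails the check, because a Panocrypt outage or policy denial would then leave no local way in.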
Rollout boundary
A successful verification proves the setup path for one supported fresh provider image. That is different from proving every image in your fleet. Treat production rollout as a staged infrastructure change with recovery access, backups, provider-specific checks, and audit evidence for each target class.