Linux Encryption. Everywhere.

The control plane for Linux encryption at rest. Freedom to choose your infrastructure.

Get started

Works with the Linux encryption stack your team already trusts.

Ubuntu

Debian

Fedora

CentOS

Rocky Linux

AlmaLinux

Native packages

Uses the encryption stack already shipped by mainstream Linux distributions.

Standard format

Built on tried-and-true Linux Unified Key Setup (LUKS).

Local keys

The unlock key is created, wrapped, and stored on the host.

Existing LUKS

Already encrypted hosts bind an unused keyslot without custom agents.

Encryption is required.
Big Cloud tax is not.

100x

Lower egress fees

2.3x

Cheaper 8‑GPU H200

Disk keys in escrow

Cloud freedom

Use the providers with cheaper bandwidth and better GPUs without giving up the encryption controls your security team expects.

Reboot-safe operations

Headless servers come back on their own, unlocked only when your policy allows.

Audit-facing evidence

See what's covered, what changed, and what's been disabled, from one control plane.

Bring the controls.
Move the workload.

Outside Big Cloud, bandwidth costs less and new GPUs are easier to get. What's been missing is the encryption story your security team depends on. Panocrypt brings those controls with you, so the best infrastructure is no longer off-limits.

See how it works

Cloud freedom

Run where the workload fits.

Pick providers for bandwidth, GPUs, region, and capacity. Your encryption controls come with you.

Explore

Network economics

Stop paying the bandwidth markup

Hyperscaler egress feesbaseline

Bandwidth-first hostup to 100x cheaper

Traffic-heavy systems stay eligible.

Keep Linux encryption controls while evaluating providers by bandwidth economics.

Accelerated workloads

Choose hardware by fit

H200

8-GPU class

2.3x

cheaper in current benchmark

Disk

encrypted

Unlock

policy-controlled

Placement

Capacity where the workload belongs

Bare metal and VMs

Linux servers with the same encryption posture.

Regional clouds

Locality and availability outside a single hyperscaler.

On-prem systems

Evidence and lifecycle state for internal infrastructure.

Provider choice

Every provider competes on merit

Choose by workload fit

bandwidthGPU supplyregioncapacity

Encryption-at-rest controlsportable

Network economics

Stop paying the bandwidth markup

Hyperscaler egress feesbaseline

Bandwidth-first hostup to 100x cheaper

Traffic-heavy systems stay eligible.

Keep Linux encryption controls while evaluating providers by bandwidth economics.

Lower egress fees

Move bandwidth-heavy systems where data transfer doesn't carry the Big Cloud markup.

GPU supply

Dedicated capacity

Make Big Cloud compete

Get started

Make encryption the default.

Bind what's already encrypted, or set up a fresh host that encrypts itself.

Explore

Managed unlock

Anywhere Linux runs

Any cloud or on-prem

Bind without provider support, even in your own racks.

Bare metal and dedicated

Headless reboots under policy.

Edge devices

Field hardware that boots unattended.

Automatic encryption

Encrypted from the first boot

Provision

Create the server from a stock provider image.

Encrypt

The root disk is encrypted in place at first boot.

Ready

Full-disk encryption is enabled, managed unlock is connected, and the host is online.

Providers

Automatic encryption today

DigitalOcean

Droplets

Hetzner Cloud

Cloud servers

OVHcloud

VPS

Existing encrypted hosts

Start from the Linux stack

LUKS volumealready encrypted

Standard bindClevis path

Host agentnone required

Managed unlock

Anywhere Linux runs

Any cloud or on-prem

Bind without provider support, even in your own racks.

Bare metal and dedicated

Headless reboots under policy.

Edge devices

Field hardware that boots unattended.

Unlock anywhere

Managed unlock isn't tied to a provider list. Any Linux system with full-disk encryption can bind to Panocrypt: cloud, on-prem, even devices in the field. No agent.

Automatic encryption

Works with your provider

Bind existing hosts

Control plane

Make encryption operational.

Turn disk encryption, boot-time unlock, evidence, and decommissioning into a repeatable workflow.

Explore

Unlock policy

You decide who unlocks

Source networks

Allowlist the CIDRs that may unlock.

Lifecycle state

Active devices only.

Manual approvals

Add a human in the loop.

Verification

Trust it before you need it

Test unlock

Run a test unlock before a risky reboot.

Reboot

Planned window. No passphrase babysitting.

Confirm

The host returns on an encrypted root.

Reboot-safe operations

Unlock only when policy allows

Boot request

received

Source network

allowed

Lifecycle state

active

Managed unlock

allowed

Exit control

Remove managed unlock cleanly

Decommission started

Disable future managed unlock and keep the lifecycle record.

Panocrypt-managed unlock: disabled

Unlock policy

You decide who unlocks

Source networks

Allowlist the CIDRs that may unlock.

Lifecycle state

Active devices only.

Manual approvals

Add a human in the loop.

Set unlock policy

Choose which devices may unlock, from which source networks, in which lifecycle state.

Verify encrypted boot

Reboot by policy

Clean exit

Compliance

Make encryption auditable.

Security teams need visible controls before sensitive workloads leave the default cloud path.

Explore

Fleet coverage

Covered systems are visible

Registered

Bound

Allowed to unlock

Needs review

Unlock policy

Policy decides participation

Boot-time unlock request

device, lifecycle, source network

CIDR allowlist

Verified source networks.

Lifecycle

Active devices only.

Change history

Review what changed

09:14source network narrowed

08:52test unlock recorded

08:35device disabled

08:20setup completed

Security review

Give reviewers the control story

Encryption-at-rest state visible

Unlock policy scoped

Test event recorded

Decommission path defined

Fleet coverage

Covered systems are visible

Registered

Bound

Allowed to unlock

Needs review

Show coverage

Track which Linux systems are registered, bound, allowed to unlock, disabled, or decommissioned.

Control unlocks

Track changes

Security review

Safe and secure

Panocrypt is a Fraudmarc service from a team running production infrastructure since 2005 and authorizing billions of enterprise emails each month. We bring that same operating discipline to Linux encryption at rest.

Read our trust model

SOC 2
audited

Linux Encryption. Everywhere.

Native packages

Standard format

Local keys

Existing LUKS

Encryption is required.Big Cloud tax is not.

Cloud freedom

Reboot-safe operations

Audit-facing evidence

Bring the controls.Move the workload.

Run where the workload fits.

Lower egress fees

GPU supply

Dedicated capacity

Make Big Cloud compete

Make encryption the default.

Unlock anywhere

Automatic encryption

Works with your provider

Bind existing hosts

Make encryption operational.

Set unlock policy

Verify encrypted boot

Reboot by policy

Clean exit

Make encryption auditable.

Show coverage

Control unlocks

Track changes

Security review

Safe and secure

Encryption is required.
Big Cloud tax is not.

Bring the controls.
Move the workload.