Mandos[0] does this, and allows you to configure a policy for how long the server is allowed to be offline without requiring an administrator to authorize boot. You could also cook up something for debian/ubuntu's support for embedding dropbear in the initramfs to supply a key.

0. https://wiki.recompile.se/wiki/Mandos - note that you'll probably get an SSL warning because the site uses CACert.

I am a co-author of Mandos – thanks for the plug! ☺

The canonical link is (https://www.recompile.se/mandos), which currently redirects into our MediaWiki instance.

(Regarding CACert; we are planning to move to Let’s Encrypt whenever they become available, but for now CACert is at least better than self-signed.)

I saw your talk at FOSDEM this year and Mandos was one of the biggest take-aways this year for me.

I am assuming you're morally opposed to paying $10/yr for a certificate, but why not use StartSSL and avoid what is probably a very high bounce rate?

1. The web page is not the primary entry point for the program; the Debian package is. So I don’t think the “bounce rate” is that large of a problem.

2. CAcert was chosen when the system was used for different purposes, in a different environment, by a different audience, and at a time when Debian shipped browsers with CACert’s root cert included. After that, it’s just been inertia.

3. I quote from the StartSSL F.A.Q.¹: “The Terms and Conditions of StartCom and the StartCom Certification Policy requires subscribers to provide the correct and complete personal details during registration.”. I generally don’t create accounts with external services, and as a sysadmin, I can and do run everything myself.

① https://www.startssl.com/?app=25#1

The only way to do this is to have the server only operate on encrypted data to begin with. Any scheme where the server can read the unencrypted data by itself can be subverted.

As with DRM, it is impractical to store both a lock and its key in the same place and expect it to be secure.

Doesn't this defeat the purpose of encryption? If someone steals your server, they can just reboot it and get access to everything.

Exactly, that's why the password shouldn't be on the server, but having to type it in every time is inconvenient. Nothing I've been able to think about is secure so I was asking. I also understand that any attacker gaining access to the server while it's running (the usual scenario) gets access to the unencrypted file system so maybe it doesn't make much sense to encrypt servers. Still I'm curious.

> Exactly, that's why the password shouldn't be on the server, but having to type it in every time is inconvenient. Nothing I've been able to think about is secure

That’s what I said to a friend of mine when we had numerous servers with encrypted disks and frequent power outages requiring us to type in passwords. He then suggested many different schemes to fix this, each of which I shot down as being insecure. Then he came up with something which I couldn’t shoot down, and he made a first proof-of-concept implementation, which is how Mandos¹ got started. This was many years ago; Mandos has since become available in Debian and Ubuntu; just do "apt-get install mandos".

① https://www.recompile.se/mandos