by floatingatoll
2549 days ago
Either your application requires an in-memory-only decryption password at each start, or it requires a plaintext cached-on-disk decryption password for headless startup, or it requires a hardware security module (HSM) through which all encrypted storage requests are routed for decryption. Encrypted filesystems are necessary for #2 to be safe, but merely move the problem of #1 up one step in the chain to OS boot rather than app boot. #3 isn't necessarily safe as the HSM could be used to decrypt data when an attacker has gained access and is undiscovered, unless you use it to issue a temporary decryption key at OS/app boot, at which point you're effectively back to #1 again. In practice, if you're a server application author, either use the secure credentials storage service offered by your cloud provider or store your secure tokens encrypted on-disk with the decryption key either stored in a local config file elsewhere or entered at app startup.
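An added example (not part of the comment above) of the last option it describes: obtaining the token-decryption key either from a config file kept apart from the encrypted tokens or from a passphrase entered at app startup. The function names, the hex key-file format and the scrypt parameters are assumptions made for illustration; the block covers key acquisition only, and the decryption itself is left to an AEAD library.

```python
import hashlib
import os
import stat
from getpass import getpass
from pathlib import Path

KEY_LEN = 32  # bytes; assumed size, e.g. a key handed to an AES-256-GCM library


class KeySourceError(Exception):
    """The on-disk key source failed a safety check."""


def key_from_file(key_path, token_store_path):
    """Headless start: read a hex key from a file kept apart from the ciphertext."""
    key_path = Path(key_path).resolve()
    store = Path(token_store_path).resolve()
    if key_path.parent == store.parent:
        raise KeySourceError("key file sits beside the encrypted tokens")
    st = key_path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise KeySourceError("key path is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise KeySourceError("key file is accessible to group or others")
    if st.st_uid != os.geteuid():
        raise KeySourceError("key file is not owned by the service user")
    key = bytes.fromhex(key_path.read_text().strip())
    if len(key) != KEY_LEN:
        raise KeySourceError("unexpected key length")
    return key


def key_from_passphrase(passphrase, salt):
    """Attended start: derive the key in memory; the passphrase is never written to disk."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def load_key(key_path, token_store_path, salt, prompt=getpass):
    """Use the key file when one exists, otherwise ask the operator at startup."""
    if key_path and Path(key_path).exists():
        return key_from_file(key_path, token_store_path)
    return key_from_passphrase(prompt("Decryption passphrase: "), salt)
```

The salt is not secret and can be stored next to the encrypted tokens; only the passphrase or the key file needs protecting.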