by cantfindmypass 4427 days ago
> I suspect they have a base OS installation and then have a post-boot encrypted partition which requires manual passphrase entry over ssh or console to unlock, containing all the relevant data. That's a pretty normal way to set up remotely-adminned fairly secure servers.

Debian and Ubuntu both support this pretty painlessly.

1) Do the base install with full disk encryption.

2) Put an ssh public key into /root/.ssh/authorized_keys

3) Install dropbear.

4) Force an initramfs rebuild if it doesn't happen automatically.

You'll get an initramfs that has dropbear ssh embedded which you can log into and unlock the disk.

1 comments

Right, but there's no real proof the dropbear/sh/etc. you talk to is untampered after reboot; it could easily be logging, if someone shut your system down and replaced the boot drive. ssh vs. serial console at least requires they extract some (unencrypted) key from the drive, though.
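
Added example, not part of either comment above: a shell check for the result of steps 1-4, run against an initramfs tree unpacked with `unmkinitramfs`. It confirms that dropbear and only the expected public key were embedded, and lists host key files that sit unencrypted in the initramfs, the kind of key material the reply mentions. The function names, sample tree and key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked initramfs tree after the rebuild in step 4.
# Unpack first, e.g.: unmkinitramfs /boot/initrd.img-$(uname -r) /tmp/initrd
# Assumption: dropbear and authorized_keys are searched for by file name
# anywhere in the tree, because exact paths differ between releases.

# check_initramfs_tree TREE EXPECTED_PUBKEY_FILE
# returns 0 = ok, 1 = no dropbear binary, 2 = no authorized_keys,
#         3 = expected key missing or extra keys present, 4 = bad pubkey file
check_initramfs_tree() {
    tree=$1
    # Field 2 of an OpenSSH public key file is the base64 key blob.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$2")
    [ -n "$blob" ] || { echo "cannot read expected key"; return 4; }
    bin=$(find "$tree" -type f -name dropbear -perm -100 | head -n 1)
    [ -n "$bin" ] || { echo "dropbear not embedded"; return 1; }
    keys=$(find "$tree" -type f -name authorized_keys | head -n 1)
    [ -n "$keys" ] || { echo "no authorized_keys embedded"; return 2; }
    grep -q -F -- "$blob" "$keys" || { echo "expected key missing"; return 3; }
    # Every non-blank, non-comment line must carry the expected blob.
    extra=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$keys" \
        | grep -c -v -F -- "$blob" || true)
    [ "$extra" -eq 0 ] || { echo "$extra unexpected key line(s)"; return 3; }
    # Host keys in the initramfs are not covered by the disk encryption.
    find "$tree" -type f -name 'dropbear_*_host_key' \
        | sed 's/^/unencrypted host key: /'
    echo "ok: $bin, $keys"
}

# Build a constructed sample tree (not a real initramfs) for a dry run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/main/usr/sbin" "$d/main/root/.ssh" "$d/main/etc/dropbear"
    : > "$d/main/usr/sbin/dropbear"
    chmod 755 "$d/main/usr/sbin/dropbear"
    : > "$d/main/etc/dropbear/dropbear_ed25519_host_key"
    echo "ssh-ed25519 AAAAC3CONSTRUCTEDKEYBLOB admin@example" > "$d/admin.pub"
    cp "$d/admin.pub" "$d/main/root/.ssh/authorized_keys"
    echo "$d"
}

# Dry run on the constructed tree.
sample=$(make_sample_tree)
check_initramfs_tree "$sample/main" "$sample/admin.pub"
rm -rf "$sample"
```
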