[donavanm]

And how do you trust the identity of the new server/instance during boot strapping?

[0x44]

You could leverage the TPM and some version of remote attestation and only permit key-requests from attested machines. Alternatively (or concurrently), you could PXE boot all devices with a parameterized shared-secret individualized for each node.