• Papamousse@beehaw.org
    7 months ago

    If Windows, use BitLocker.

    If Linux, use LUKS, but you need to enter the passphrase at boot. You can securely put the key in TPM2, I think (à la Windows), but it may be complicated to set up, or just seal the phrase in TPM2, but if you boot on grub you can break grub and replace init with a shell in boot option and have access to the system, I think :-/ but a simple crackhead thief would not understand that.

    You can also have the key on a USB key, but if on the server and the server gets stolen, it’s useless. You can set up an “anywhereUSB” and have your USB key in another room/place, etc.; there are other possibilities.

    I wanted to unlock with bluetooth but having the bluetooth HW driver and stack in initramfs was nightmarish a little bit :-/