On Sat, Jan 24, 2026 at 04:09:25PM +0000, [email protected] wrote:
> With the SSDs that are present on nearly all servers these days,
> deleting data from the disk (e.g. if it fails or if the disk is replaced)
> is not possible to do reliably. The only solution is to encrypt all
> system data (root, swap, etc.) and then destroy the encryption key once
> the disk is no longer needed.
If that is the problem you are trying to solve, you could simply use a hard-coded passphrase or a keydisk volume on a permanently connected USB drive or even the same disk (depending on the exact level of destroyability you want for the key data). If you have a specific threat model that you are trying to protect against, and you believe that the only thing preventing you from doing that is the inability to enter a passphrase at the bootloader without being at a keyboard which is physically connected to the server, this suggests to me that your logic is flawed elsewhere. So it might be worth explaining exactly what you are trying to do.
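To illustrate the point the reply is making (the key material lives apart from the data, so destroying the small keydisk area is what makes the SSD's ciphertext unrecoverable, even if the passphrase is hard-coded and survives), here is a constructed Python model of a passphrase + keydisk key hierarchy. It is an added example, not code from either poster or from any real disk-encryption implementation; the HMAC counter-mode cipher, the class and function names, and the sample sector are all made up for the demonstration.

```python
import hashlib
import hmac
import secrets

def keystream(key, label, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the disk's block
    # cipher, enough to show the key hierarchy (not a production cipher).
    blocks = (hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EncryptedVolume:
    # Sectors are encrypted under a random master key; the on-disk header holds
    # only that key wrapped under a KEK derived from passphrase + keydisk bytes.
    def __init__(self, passphrase, keydisk):
        self.salt = secrets.token_bytes(16)
        master = secrets.token_bytes(32)
        self.wrapped = xor(master, keystream(self._kek(passphrase, keydisk), b"wrap", 32))
        self.check = hmac.new(master, b"check", hashlib.sha256).digest()
        self.sectors, self._master = {}, master
    def _kek(self, passphrase, keydisk):
        return hashlib.pbkdf2_hmac("sha256", passphrase + keydisk, self.salt, 50_000)
    def attach(self, passphrase, keydisk):  # what the bootloader does at boot
        master = xor(self.wrapped, keystream(self._kek(passphrase, keydisk), b"wrap", 32))
        if not hmac.compare_digest(hmac.new(master, b"check", hashlib.sha256).digest(), self.check):
            raise ValueError("master key unrecoverable: wrong passphrase or keydisk")
        self._master = master
    def write(self, lba, data):
        self.sectors[lba] = xor(data, keystream(self._master, lba.to_bytes(8, "big"), len(data)))
    def read(self, lba):
        ct = self.sectors[lba]
        return xor(ct, keystream(self._master, lba.to_bytes(8, "big"), len(ct)))

def demo():
    # Constructed scenario: passphrase and SSD ciphertext both survive, but zeroing
    # the keydisk leaves the master key, and so every sector, unrecoverable.
    passphrase, keydisk = b"hard-coded-in-bootloader", secrets.token_bytes(64)
    vol = EncryptedVolume(passphrase, keydisk)
    vol.write(0, b"constructed sample sector")
    vol._master = None                     # power off: key lives only in RAM
    vol.attach(passphrase, keydisk)        # normal boot with the keydisk present
    recovered = vol.read(0)
    try:
        vol.attach(passphrase, bytes(64))  # keydisk destroyed (zeroed)
        erased = False
    except ValueError:
        erased = True
    return recovered, erased
```

The "same disk" option in the reply corresponds to placing the keydisk bytes on the SSD itself, where zeroing them is exactly as unreliable as zeroing the data; a separate USB stick can be physically destroyed instead.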

