Peter Thoenen
2006-Mar-13 12:07 UTC
Complete GBDE / GELI encryption for systems without removable local boot tokens (aka USB drives)
Speaking of GELI / GBDE. I was reading Marc's excellent paper on Complete harddrive encryption for FreeBSD using GBDE/GELI, and the problem I have is that it all depends on a bootable removable token that can be physically secured. While an excellent solution for laptop / desktop users, it just doesn't work for remote colo users. There is no way you can physically remove your unsecure boot token, or at least not remove it and hope to recover remotely from a panic / reboot / failure in a timely manner.

Anybody have any ideas on a solution for how to do this with a colo'd server? Ideally you could, during boot, send some token (or lock file) via ssh or another secure method, but boot does not currently support this.

Other ideas considered and thrown out:

- Boot your system as you would a headless system. The problem is how you securely get your unsecure boot image from A to B (as it contains your keys and lock files). This fails as some local attacker could just stick a hub between your boot server and your server and pull your unsecure image during a reboot.

- Intel's secure boot (forgot what the tech is called, want to say PXE). Doesn't work, as this only verifies the image's checksum. Sure, we know the image wasn't tampered with, but the attacker still has your keys.

Cheers,

-Peter