Another way to go about it would be to use a KVM switch set up as a hidden service. Then you can use FDE with the chassis intrusion detection and something like TRESOR perhaps. With a KVM switch you get remote access to the entire boot cycle, since you have full remote access to the keyboard, monitor and mouse. Then you can do neat things like set BIOS passwords, and additionally and most importantly you can have FDE. Without a KVM switch you cannot have a remote server with FDE, because if it powers off you have no ability to remotely type the password in. I think controlling the server with a hidden service KVM switch and disabling SSH altogether would be the better solution.