Is it possible to boot an encrypted server remotely and securely?
Microsoft's 3rd immutable law: "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." So you have to trust the people running your data-centre. That's what trust means in information security: it's what you are reluctantly forced to do when you can't fully control, avoid, or transfer a risk.
Still, you will want to put as many controls in as you can. In this case, a TPM module is probably your best bet - the key is burned into the silicon of the chip when it's made, and so is very difficult to extract.
Windows and Linux both support TPM based full disk encryption; so does VMWare ESXi, which would also give you OS independence.
Lastly, @hopelessn00b et al point out something I should have remembered - the remote management cards you can get on enterprise-class servers use strong encryption. That's a great way to get ssh access to the console in hardware, so you don't have to mess with the config of your box.
The problem you describe is accurate. I have considered the same problem, and have come up with some "solutions" that can be helpful.
Lets start by listing some possible attacks:
- Copy SSH keys from storage (offline attack)
- Memory dumping - Cold boot attack
- Console access
- DMA Attack
Now, lets list some countermeasures.
TPM - Ideally, you would store the keys in a TPM module. This question covers how LUKS can be configured to support TPM. At this point, you would be able to "safely" store your SSH keys from most offline attacks.
Chassis Intrustion - You would be interested if someone opened your chassis. Many motherboards come with intrusion detection which can be connected to the chassis. Depending on your motherboard, you should be able to trigger a shutdown + key deletion if someone should open the computer chassis. Some explanation to this can be found in this question.
Glue - When the system is running, it is unencrypted. You would like to minimize the attack surface, by gluing it shut. USB peripherals, PCI busses, etc should be inaccessible. This, combined with chassis-intrusion, it would be hard to get to the memory before the computer starts shutting down.
Disabling other boot methods and peripherals- Cold boot attacks can use bootable USB devices to quickly dump the memory content before it looses state.
Disabling console access - If you are not using the console, disabling it will keep other from using it as well. You can also compile the kernel without VGA support to keep any connected monitors dark
These are some of the options you have, some more extreme and paranoid, but that is maybe what your setup requires.
If you have sensitive cryptographic key to be used on a server, you should use a Hardware Security Module. This is a device which offers tamper resistance against physical attack. Moreover an offline attack against this module is more difficult to perform (if the attacker removes the HSM from the server you eventually see it). Some models may also propose a secure channel for remote access in order to allows a remote user with valid credential to unlock the keys.