I'm setting up some secure Ubuntu servers with full disk encryption. They have a small boot partition, and a large LUKS-encrypted disk with LVM to provide the rest of the partitions. Currently, they are configured to require a passphrase at boot. However, I was wondering if there was a way for them to get their decryption key from a TFTP server, NFS share, or similar, which would allow me to reboot my servers without the need for console access. I would still encrypt the key server and require console access and a passphrase to boot that, but I would then only have to deal with entering a passphrase for one box versus what will likely become 20 encrypted servers.
As this will all be in a virtual environment, I would create a completely separate network for key traffic that has no link to the rest of my network. It's still risky, yes, but the main goal is to make physical seizure of my servers fruitless, as exterior intrusion from my WAN is not something disk encryption can help with, anyway.
Is there a way to accomplish this? Does what I'm trying to do make sense?
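One concrete way to do what the question describes on Ubuntu, as an added example that is not part of the original post: Debian/Ubuntu's cryptsetup supports a `keyscript=` option in `/etc/crypttab`. The script is run from the initramfs with the key-file name in `$1` and `CRYPTTAB_NAME`/`CRYPTTAB_SOURCE` in the environment, and whatever it writes to stdout is used as the unlock key. The script below fetches the key over TFTP from a key server on the isolated key network, rejects short or empty transfers so a truncated download cannot silently turn into a bad unlock, and falls back to the normal console passphrase prompt if the server is unreachable. The server address `10.255.0.1`, the key path, and the script path `/usr/local/sbin/netkey` are assumptions for illustration; the `tftp` client is the tftp-hpa one.

```shell
#!/bin/sh
# Example crypttab keyscript (hypothetical, not from the original post).
# Assumed /etc/crypttab entry:
#   cryptroot UUID=<root-luks-uuid> none luks,keyscript=/usr/local/sbin/netkey
# cryptsetup calls this with the key-file name in $1 and exports CRYPTTAB_NAME;
# the key material must be written to stdout.

KEY_SERVER="${KEY_SERVER:-10.255.0.1}"                 # assumed key server on the key-only network
KEY_PATH="${KEY_PATH:-keys/${CRYPTTAB_NAME:-cryptroot}.key}"  # assumed per-volume key path on the server
MIN_KEY_BYTES=32                                        # refuse anything shorter than a 256-bit key
TMPDIR="${TMPDIR:-/tmp}"                                # in the initramfs point this at a tmpfs (e.g. /run)

# Fetch the key with the tftp-hpa client into the file named in $3.
# TFTP is cleartext and unauthenticated, which is why the question's
# separate key-only network matters; nothing here compensates for that.
fetch_key_tftp() {
    server="$1"; path="$2"; dest="$3"
    tftp "$server" -c get "$path" "$dest" 2>/dev/null
}

# A key file is acceptable only if it exists and is at least MIN_KEY_BYTES long.
validate_key() {
    file="$1"
    [ -s "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge "$MIN_KEY_BYTES" ]
}

# Run the fetcher named in $1, validate the result, and print the key on
# success. Returns non-zero (printing nothing) if fetching or validation fails.
obtain_key() {
    fetcher="$1"
    tmp=$(mktemp "$TMPDIR/netkey.XXXXXX") || return 1
    if "$fetcher" "$KEY_SERVER" "$KEY_PATH" "$tmp" && validate_key "$tmp"; then
        cat "$tmp"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Last resort: the usual console prompt shipped with Debian/Ubuntu cryptsetup.
ask_passphrase() {
    /lib/cryptsetup/askpass "Key server unreachable; passphrase for ${CRYPTTAB_NAME}: "
}

# Only act when invoked by cryptsetup (it sets CRYPTTAB_NAME); otherwise the
# functions above can be sourced and exercised without touching the network.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    obtain_key fetch_key_tftp || ask_passphrase
fi
```

For this to work at boot, the initramfs has to bring the interface up before cryptsetup runs (initramfs-tools does this from an `ip=` kernel parameter) and must contain the `tftp` binary and the script, which is done with an initramfs hook followed by `update-initramfs -u`. The fallback prompt means a failed or partitioned key network degrades to exactly the behaviour the servers have today, rather than a hung boot.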