> Unless the "encrypted data" is simply being stored on that server, and not used, this seems like a hopeful statement to make. If a server process is accessing it, then it must have the key, at the very least, in memory (which root can access, though finding the key might be somewhat of a feat)
The attacker got access via a reboot, so something as simple as passphrase-protected private keys would probably be sufficient here - "manual actions" could well refer to "enter the passphrase after startup". Or using something like kerberos, where credentials have to be fetched/validated via a separate server.
The attacker got access via a reboot, so something as simple as passphrase-protected private keys would probably be sufficient here - "manual actions" could well refer to "enter the passphrase after startup". Or using something like kerberos, where credentials have to be fetched/validated via a separate server.