> When the encrypted server gets grabbed, the staff should (!)
If the people doing the grabbing are LEO then they have ways of taking running servers such that they keep running or otherwise don't lose what's in RAM. And if it's LEO then "the staff" should absolutely not do things that can be construed as destroying evidence.
> ways of taking running servers such that they keep running
That's an interesting point. Wonder how complete that approach is, and if it maintains network connectivity between the servers they're grabbing?
Some clustering solutions automatically reboot a server if it loses network connectivity for a short period of time (i.e. 1 min). That would really mess up the "preserve stuff in RAM" thing, if it's purely just designed to keep a server running.
There are at least two ways. One is to keep the servers powered even after they are unplugged from wall power (they have special adaptors for portable PSUs). The other is to cryogenically cool the RAM, then cut the power, keep the RAM cooled, and then read it later in a lab.
Sure, if it's LEO. That's not the threat model for most organisations encrypting their data at rest though. :)
---
> should absolutely not do things that can be construed as destroying evidence.
It'd be a very long stretch to successfully argue "removing access to the key" is destroying evidence. The data would still be intact, and available, to anyone with the key.
Just not to whoever physically grabbed the server. ;)
Of course. And I'm just pointing out a commonly implemented approach.
LEO isn't generally the consideration of places encrypting their stuff. Businesses dealing with sensitive data (PII, etc) are required to as a matter of course.