To understand the best solution to your issue you need to clarify what you are trying to achieve. In other words, what's your threat model? Who is your attacker? You mention that to get around the encryption would require 'taking the machine while live' (by which I assume you mean hacking it), but that is the most likely scenario for a colocated server. Disk encryption is mainly of use in the case of physical theft.
You also need to consider what data you are protecting. You mention 'fully encrypting a disk', but does this require encrypting e.g. /usr? If you're running a standard distribution there is nothing of interest there. Without knowing more about what the server will contain it's hard to make a recommendation.
But to give a more concrete suggestion, consider the following hypothetical server. It contains the following:
- A simple website showing some products
- A basic CRUD order application written in Rails/Django/whatever
- A Postgres DB for customer information and orders
Of those components, only the database really needs protecting, so here's how I'd approach this:
- Leave most of the machine un-encrypted (but make as much of the FS read-only as possible)
- Create a separate partition for the database and encrypt it with a strong password using any of the available Linux encryption systems (ecryptfs, etc.).
- After each reboot, log in and mount the partition with the key, which is stored elsewhere.
- On a reboot have the server alert me
You mention TPM, but TPM doesn't help you in a number of cases, such as if an attacker gains administration privileges. TrueCrypt have rejected support for TPM for this reason.
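Here is an added example (not part of the answer above) of the "separate encrypted partition, mounted by hand after each reboot, alert on reboot" approach as a small POSIX shell helper. It uses LUKS via `cryptsetup` rather than ecryptfs, since the answer leaves the choice open; the device `/dev/sdb1`, the mapper name `dbvol`, the mount point `/var/lib/postgresql`, the `postgresql` service name and the alert address are all assumptions. The steps that touch a block device need root and `cryptsetup`; the key-file check runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the original answer or any project.
# Manages a LUKS-encrypted partition that holds only the database, so the
# rest of the machine can stay unencrypted (and largely read-only).
# Assumed (hypothetical) names; override them via the environment.
DB_DEVICE="${DB_DEVICE:-/dev/sdb1}"
DB_MAPPER="${DB_MAPPER:-dbvol}"
DB_MOUNT="${DB_MOUNT:-/var/lib/postgresql}"

# keyfile_ok FILE: refuse a key file that is missing, empty, or readable by
# anyone other than its owner. Returns 0 if acceptable, 1 otherwise.
keyfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 1
    # permission bits as octal (GNU stat first, BSD stat as fallback);
    # the group and other digits must both be zero, e.g. 600 or 400
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# db_vol_format KEYFILE: one-time setup. Wipes DB_DEVICE, turns it into a
# LUKS2 volume unlocked by KEYFILE, and puts a filesystem on it.
db_vol_format() {
    keyfile="$1"
    keyfile_ok "$keyfile" || { echo "bad key file: $keyfile" >&2; return 1; }
    cryptsetup luksFormat --type luks2 --batch-mode "$DB_DEVICE" "$keyfile"
    cryptsetup open --key-file "$keyfile" "$DB_DEVICE" "$DB_MAPPER"
    mkfs.ext4 -q "/dev/mapper/$DB_MAPPER"
    cryptsetup close "$DB_MAPPER"
}

# db_vol_mount KEYFILE: what you run by hand after each reboot, once the key
# has been brought over (USB stick, pasted over SSH, ...). The key is read
# once; the unlocked volume is then held by the kernel until db_vol_unmount,
# so the key file does not need to live on the server.
db_vol_mount() {
    keyfile="$1"
    keyfile_ok "$keyfile" || { echo "bad key file: $keyfile" >&2; return 1; }
    cryptsetup open --key-file "$keyfile" "$DB_DEVICE" "$DB_MAPPER"
    mkdir -p "$DB_MOUNT"
    mount -o nodev,nosuid,noexec "/dev/mapper/$DB_MAPPER" "$DB_MOUNT"
    systemctl start postgresql
}

# db_vol_unmount: stop the DB, unmount, and drop the key from the kernel.
db_vol_unmount() {
    systemctl stop postgresql
    umount "$DB_MOUNT"
    cryptsetup close "$DB_MAPPER"
}

# boot_alert: the "on reboot have the server alert me" step. Run it from a
# systemd unit or an @reboot cron entry; the recipient address is assumed.
boot_alert() {
    to="${ALERT_TO:-admin@example.com}"
    printf 'host %s rebooted at %s; DB volume needs to be mounted\n' \
        "$(hostname)" "$(date -u +%FT%TZ)" | mail -s "reboot: $(hostname)" "$to"
}

# Usage: ./dbvol.sh format KEYFILE | mount KEYFILE | unmount | alert
case "${1:-}" in
    format)  db_vol_format "$2" ;;
    mount)   db_vol_mount "$2" ;;
    unmount) db_vol_unmount ;;
    alert)   boot_alert ;;
esac
```

The point of `keyfile_ok` is that the weak link in this scheme is usually not the cipher but a key file left world-readable, or an empty one, on the box you were trying to protect; the mount step refuses to proceed in either case. Note that nothing here helps against an attacker who already has root on the running server, for the reason the answer gives: once the volume is mounted, the data is readable to anyone with sufficient privilege.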