With a passphrase, of course, but that's what gets tricky.
Every physical box should be fully encrypted, and you should NEVER remotely reboot a server without known-working console/serial console/IPMI/whatever access.
Instead of storing the crypto passwords, write a tool for your team that auto-generates the FDE passphrase based on the system hostname, the service tag and some salt that only your team members know. This way it should be easy to rewrite the script from memory if you lose access to it.
$ /tmp/fdepass.sh -h bikeshed.party
Generating password for bikeshed.party
Please enter the service tag: abc123
This is what I did at a previous job, but I don't know if the team kept up with it. It made it super easy to have FDE passphrases without a password manager that can be compromised. It requires an awful lot of information that an attacker would need to know to decrypt the drive, AND they'd need physical access to the server anyway.
If somehow one drive was brute-forced, it doesn't let them decrypt any drives from your other servers.
Remember, you don't need to encrypt the VMs or containers themselves, just the physical hardware they're running on -- whether that be the server itself or the SAN/NAS where the data storage lies.
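An added example (not the commenter's script, which is not shown on the page) of the derivation the comment describes: one passphrase per box, computed from the hostname, the service tag and a team-held secret. The assumed design is PBKDF2-HMAC-SHA256 with the team secret as the password and a domain-separated, per-box salt built from the normalized hostname and service tag, so that one derived passphrase tells you nothing about any other box. The `TEAM_SALT` default, the iteration count, the output length and the `fde-v1` label are illustrative choices for this example.

```python
#!/usr/bin/env python3
"""Derive a per-server FDE passphrase from hostname + service tag + team secret.

Added example; assumptions: PBKDF2-HMAC-SHA256, 600k iterations, 32-byte output,
URL-safe base64 rendering. The only real secret is the team salt; hostname and
service tag are low-entropy and merely bind the passphrase to one machine.
"""
import base64
import getpass
import hashlib
import sys

# Illustrative default only. In the scheme from the comment this string is
# never written down; team members type it at the prompt.
TEAM_SALT_HINT = "enter the team secret at the prompt"


def normalize(value: str) -> str:
    """Fold case and trim so a re-typed script reproduces the same passphrase."""
    return value.strip().lower()


def derive_fde_passphrase(
    hostname: str,
    service_tag: str,
    team_salt: str,
    *,
    iterations: int = 600_000,
    length: int = 32,
) -> str:
    """Return a deterministic passphrase bound to (hostname, service_tag, team_salt).

    The per-box salt is domain-separated ("fde-v1") and uses NUL as a field
    separator so "ab" + "c123" cannot collide with "abc" + "123".
    """
    host = normalize(hostname).encode("utf-8")
    tag = normalize(service_tag).encode("utf-8")
    per_box_salt = b"fde-v1\x00" + host + b"\x00" + tag
    key = hashlib.pbkdf2_hmac(
        "sha256", team_salt.encode("utf-8"), per_box_salt, iterations, dklen=length
    )
    # Strip base64 padding: every character is then typeable at a LUKS prompt.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <hostname>", file=sys.stderr)
        return 2
    hostname = argv[1]
    print(f"Generating password for {hostname}")
    service_tag = input("Please enter the service tag: ")
    team_salt = getpass.getpass("Team secret: ")
    print(derive_fde_passphrase(hostname, service_tag, team_salt))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The design choice that matters for "rewrite it from memory" is that every parameter (algorithm, iteration count, field order, separator, encoding, normalization) is part of the recipe: change any of them and you get a different passphrase, so the recipe itself needs to be as memorable and as fixed as the team secret. The KDF is there so that someone who obtains one drive and knows the hostname and service tag still has to brute-force the team secret rather than a cheap single hash.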