Ehmmmm I still don’t grasp what you mean.

In any case, mandos has a possibility to do it automatically via rsa encryption, so you have the possibility of totally unattended restart.

Because the server is (ideally) in a different location, if one of yiur systems is stolen / compromised then you only delete / revoked the certificates ID and then that machine would not be able to decrypt its own luks system.

I never deployed this system on my own, but I know a few guys who did it

Regards