Hmm, that requires USB booting though, if you disable that from the BIOS and password protect it, they can't really use this method. If they pull the battery the machine needs to be turned off and so the RAM will clear.

You don't get BIOS access to low cost dedicated servers on OVH, even though they're dedicated, you can't KVM them.

mid to high range ones you can though so that might be a workable solution there.

Also, they can still rip the ram out and nitrogen it.

Interesting stuff. TRESOR might not be overkill after all.