A server is only secure when it remains protected even after someone touches it.
Most IT operations are far softer than they think.
People talk about firewalls, VPNs, SSH keys, EDR. But almost no one seriously designs for what happens after someone gains physical access to the server.
This is not a minor oversight. It is a critical failure point.
Unattended systems will be touched. They will be stolen, rebooted, opened, or connected to external devices.
This is not advanced hacking. It is the simplest and most reliable attack path. Yet many engineers ignore it.
"SSH keys are enabled, so it is safe." "It is Ubuntu Server, so it is minimal." "It is inside a private network."
That thinking collapses the moment physical access is possible.
The real targets are not login prompts. The real targets are: the data itself, the boot chain, the management path, and the impossibility of local intervention.
The Gratice OOTB server treats physical security as a primary design constraint. The principle is simple.
LUKS encryption is the baseline. TPM2 and Secure Boot are used so that decryption only happens under a valid and verified system state. Steal the machine, and you still cannot read the data. Remove the disk, and you still cannot read the data. Boot another OS, and you still cannot read the data. At best, the attacker gets used hardware.
Equally important, local access must not grant control. Local consoles are disabled. The physical display is not a management interface. Reboot shortcuts are blocked. Access is restricted to SSH with public key authentication.
Attach a keyboard, you still cannot get in. Attach a monitor, you still cannot get in.
This is not a collection of hardening tricks. It is a unified design. LUKS, TPM2, Secure Boot, Dropbear, SSH restrictions, and console suppression are combined under a single principle: the system must remain secure even after physical contact.
A server is not secure just because the network is hardened. It is only secure when it remains protected even after someone touches it.
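One way to check a host against the controls described above (TPM2-bound LUKS unlock, key-only SSH, suppressed local console and reboot shortcut). This is an added example, not code from the Gratice product. It assumes the TPM2 enrollment was done with systemd-cryptenroll (a `systemd-tpm2` token bound to PCR 7), and the unit names and all sample inputs are constructed.

```python
import json

# Constructed samples (not from a real host or from the product described).
# LUKS_JSON has the shape of `cryptsetup luksDump --dump-json-metadata <dev>`.
LUKS_JSON = """{"keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
 "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]}}}"""
SSHD_T = "pubkeyauthentication yes\npasswordauthentication no\nkbdinteractiveauthentication no\n"
UNIT_STATES = {"getty@tty1.service": "masked", "ctrl-alt-del.target": "masked"}

SSHD_WANT = {"pubkeyauthentication": "yes", "passwordauthentication": "no",
             "kbdinteractiveauthentication": "no"}


def luks_findings(metadata_json, required_pcrs=(7,)):
    """TPM2 token must exist and be bound to the required PCRs (7 = Secure Boot state)."""
    meta = json.loads(metadata_json)
    tpm = [t for t in meta.get("tokens", {}).values() if t.get("type") == "systemd-tpm2"]
    if not tpm:
        return ["luks: no systemd-tpm2 token enrolled"]
    out, covered = [], set()
    for tok in tpm:
        covered.update(tok.get("keyslots", []))
        missing = sorted(set(required_pcrs) - set(tok.get("tpm2-pcrs", [])))
        if missing:  # without these PCRs the unseal is not tied to that measured state
            out.append(f"luks: TPM2 token not bound to PCR(s) {missing}")
    for slot in sorted(set(meta.get("keyslots", {})) - covered):
        out.append(f"luks: keyslot {slot} is not TPM-bound (passphrase or key file), review it")
    return out


def sshd_findings(sshd_t):
    """Compare effective settings (`sshd -T` output) with key-only login."""
    cfg = dict(l.strip().lower().split(None, 1)
               for l in sshd_t.splitlines() if len(l.split()) > 1)
    return [f"sshd: {k} is {cfg.get(k, 'unset')}, expected {v}"
            for k, v in SSHD_WANT.items() if cfg.get(k) != v]


def unit_findings(states):
    """Console and Ctrl-Alt-Del units, as `systemctl is-enabled` reports them."""
    return [f"systemd: {u} is {s}, expected masked" for u, s in states.items() if s != "masked"]


def audit(luks_json, sshd_t, unit_states):
    return luks_findings(luks_json) + sshd_findings(sshd_t) + unit_findings(unit_states)


if __name__ == "__main__":
    for finding in audit(LUKS_JSON, SSHD_T, UNIT_STATES) or ["no findings"]:
        print(finding)
```

On the constructed sample the only finding is keyslot 0, which opens without the TPM; whether that slot is an intended recovery passphrase is a decision the audit leaves to the operator.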