Why, TrueCrypt!
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Using TrueCrypt Without Administrator Privileges
In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.
After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.
Domain access is after the pre-boot login.
However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.
Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to the java binary, will make any java program run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
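Rule numbers in `iptables -L --line-numbers` output shift whenever rules are added or removed, so picking "nr. 2" by eye can delete the wrong rule. The following added example (not part of the original answer) parses that listing and prints the exact delete command for the REDIRECT rule matching a given destination port and target port; the listing below is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Added example: locate the PREROUTING REDIRECT rule for a given destination
# port in `iptables -t nat --line-numbers -n -L PREROUTING` output, so the
# right rule number is deleted even when numbering has shifted.

# Constructed sample listing, modelled on the output shown in the answer.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080'

# find_redirect_rule DPORT TOPORT
# Reads the listing from stdin and prints the number of every REDIRECT rule
# whose destination port is DPORT and whose redirect target is TOPORT.
# awk compares whole tokens, so dpt:80 does not also match dpt:8080.
find_redirect_rule() {
    dport="$1"
    toport="$2"
    awk -v dport="dpt:$dport" -v toport="$toport" '
        $2 == "REDIRECT" {
            for (i = 1; i <= NF; i++) {
                if ($i == dport && $(i+1) == "redir" &&
                    $(i+2) == "ports" && $(i+3) == toport) {
                    print $1
                }
            }
        }'
}

# delete_cmd DPORT TOPORT
# Prints (rather than runs) the delete command for each matching rule, highest
# number first so earlier deletions do not renumber later ones. Review the
# output, then run it as root.
delete_cmd() {
    find_redirect_rule "$1" "$2" | sort -rn | while read -r num; do
        printf 'iptables -t nat -D PREROUTING %s\n' "$num"
    done
}

# Usage with the constructed sample; on a live system replace the printf with
#   iptables -t nat --line-numbers -n -L PREROUTING | delete_cmd 80 8080
printf '%s\n' "$SAMPLE_LISTING" | delete_cmd 80 8080
```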
Best Answer
To understand the best solution to your issue you need to clarify what you are trying to achieve. In other words, what's your threat-model? Who is your attacker? You mention that to get around the encryption would require 'taking the machine while live' (by which I assume you mean hacking it), but that is the most likely scenario for a colocated server. Disk encryption is mainly of use in the case of physical theft.
You also need to consider what data you are protecting. You mention 'fully encrypting a disk', but does this require encrypting e.g. /usr? If you're running a standard distribution there is nothing of interest there. Without knowing more about what the server will contain it's hard to make a recommendation.
But to give a more concrete suggestion, consider the following hypothetical server. It contains the following:
Of those components, only the database really needs protecting, so here's how I'd approach this:
You mention TPM, but TPM doesn't help you in a number of cases, such as if an attacker gains administration privileges. TrueCrypt have rejected support for TPM for this reason.