Hacker News

neocron, yesterday at 11:20 PM (2 replies)

Which server today doesn't have RAID? Just pull one HDD out, extract what you need or change the image.

Then you turn off the server, and just start a VM with the captured init and capture the key.

Now you can decrypt the server offline with all the time in the world.


Replies

NekkoDroid, today at 12:02 AM

This doesn't work with Secure Boot and UKIs, since the entire "pre-rootfs switch" is signed in a single binary. If that is your threat model, that is the least you should have.

teddyh, yesterday at 11:28 PM

> Just pull one hdd out,

That only works with RAID 1. If the server uses RAID 5 or RAID 6, this won’t work.

> extract what you need

Well, yes. This is addressed in the FAQ.

> or change the image.

> Then you turn off the server, and just start a vm with the captured init and capture the key.

Well, as explained in the FAQ, an attacker will have to do so quickly, before the Mandos server decides that the Mandos client has been offline for too long and disables that client. The default value is five minutes, but it is configurable per client.