One thing I would love to have that could be a solution to the worst case early boot encryption issues is an external crypto processor that generates and stores long term keys, implements authentication, and only releases temporary keys to the main system (to which it only connects via a simple serial connection). It has enough of a screen and input to receive a password and query the user before performing various actions. That is, something like Bitcoin Trezor but maybe a little more complex input and for more general crypto use. Ideally, such a device could even physically store the trusted stick (or several), although that trusted stick shouldn't interact with the rest of the system differently than any other device for maximum reliability. This way the most sensitive crypto is not performed on a general purpose system and the user could authenticate to the device once and then the device can authenticate the user and provide keys to multiple independent systems without hassle. It is an additional expense so hopefully wouldn't be necessary, but would be one way to solve the early boot encryption problem (if needed and less expensive solutions do not work) in a not completely special purpose way.
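To make the division of labour in the post above concrete, here is an added sketch (editor's example, not the poster's design and not any real product or protocol) of the host/device exchange: the device holds the long-term key and the password verifier, the host only ever sees short-lived keys derived per request, and every key release is gated on a confirmation prompt that stands in for the device's own screen and buttons. The frame format, command bytes, the `KeyDevice`/`Host` classes and the `run_demo` scenario are all assumptions made for this sketch; the "serial link" is just a function call carrying bytes.

```python
"""Model of an external key device talking to a host over a byte channel.

Added illustration; names, framing and commands are invented for the sketch.
The long-term key (LTK) never appears on the channel: the host only receives
HMAC-derived temporary keys, one per confirmed request.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000  # kept modest so the demo runs quickly


def pack_frame(cmd: bytes, payload: bytes = b"") -> bytes:
    """1-byte command + 2-byte big-endian length + payload (assumed framing)."""
    return cmd + struct.pack(">H", len(payload)) + payload


def unpack_frame(frame: bytes):
    cmd = frame[:1]
    (length,) = struct.unpack(">H", frame[1:3])
    payload = frame[3:3 + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    return cmd, payload


class KeyDevice:
    """The external crypto processor. Holds secrets; releases only derived keys."""

    def __init__(self, password: str, confirm_on_device):
        self._salt = secrets.token_bytes(16)
        self._pw_verifier = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        self._long_term_key = secrets.token_bytes(32)  # generated and kept here
        self._unlocked = False
        self._counter = 0
        self._confirm = confirm_on_device  # stands in for the device's own UI

    def handle(self, frame: bytes) -> bytes:
        cmd, payload = unpack_frame(frame)
        if cmd == b"U":  # unlock: payload is the password typed on the device
            candidate = hashlib.pbkdf2_hmac("sha256", payload, self._salt, PBKDF2_ROUNDS)
            self._unlocked = hmac.compare_digest(candidate, self._pw_verifier)
            return pack_frame(b"+" if self._unlocked else b"-")
        if cmd == b"K":  # key request: payload names the system/purpose
            if not self._unlocked:
                return pack_frame(b"-", b"locked")
            if not self._confirm(payload.decode(errors="replace")):
                return pack_frame(b"-", b"denied")
            self._counter += 1  # fresh key per release, never reused across systems
            info = b"tmp-key" + struct.pack(">I", self._counter) + payload
            temp_key = hmac.new(self._long_term_key, info, hashlib.sha256).digest()
            return pack_frame(b"+", struct.pack(">I", self._counter) + temp_key)
        return pack_frame(b"-", b"unknown command")  # no "export LTK" command exists


class Host:
    """The general-purpose system: it can ask, but never holds the LTK."""

    def __init__(self, link):
        self._link = link
        self.transcript = []  # every frame in both directions, for inspection

    def _exchange(self, frame: bytes):
        self.transcript.append(frame)
        reply = self._link(frame)
        self.transcript.append(reply)
        return unpack_frame(reply)

    def unlock(self, password: str) -> bool:
        cmd, _ = self._exchange(pack_frame(b"U", password.encode()))
        return cmd == b"+"

    def request_temp_key(self, purpose: str):
        cmd, payload = self._exchange(pack_frame(b"K", purpose.encode()))
        if cmd != b"+":
            return None
        (counter,) = struct.unpack(">I", payload[:4])
        return counter, payload[4:]


def run_demo() -> dict:
    """Constructed scenario: one device serving several independent systems."""
    prompts = []

    def confirm(purpose: str) -> bool:
        prompts.append(purpose)
        return not purpose.startswith("laptop-b")  # user declines one request

    device = KeyDevice("correct horse battery staple", confirm)
    host = Host(device.handle)  # the "serial link"
    out = {}
    out["wrong_password"] = host.unlock("hunter2")
    out["locked_request"] = host.request_temp_key("laptop-a:rootfs")
    out["unlocked"] = host.unlock("correct horse battery staple")
    out["key_a"] = host.request_temp_key("laptop-a:rootfs")
    out["key_b"] = host.request_temp_key("laptop-b:rootfs")
    out["key_c"] = host.request_temp_key("laptop-c:rootfs")
    out["prompts"] = prompts
    out["ltk_leaked"] = any(device._long_term_key in f for f in host.transcript)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point the sketch makes is the one the post is after: the host authenticates once, then each system gets its own derived key only after the user confirms on the device, and auditing the transcript shows the long-term key never crossed the link. A real device would additionally rate-limit password attempts and bind the derived key to the requesting system's identity rather than to a free-form purpose string.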