All the Linux based laptops on my workplace which I am responsible for use an encryption scheme with a trusted kernel/initrd/key+password combination on personal USB flash drives. People usually carry them seperated from their laptops as keyring or such.
The system itselfs consists of a LUKS encrypted harddrive without any bootloader installed. To get them running the flash drives are used (I offer booting from our cooperate LAN as an additional feature).
The only thing I would like to get worked out is to add kexec. This way I would be able to make this stuff independent of distributions and kernels of the running system.