Full disk encryption, preferably with multi-factor authentication is the only way to do for defense against physical access.
provides full disk encryption, but unfortunately can't utilise the TPM (yet), so is limited to single-factor authentication... i.e. password. You could always use a device like a Yubikey
in static-password mode to enter a cryptographically strong password (long & random).