Full disk encryption + TPM
There are known ways to do full disk encryption on Linux using the TPM to prevent offline access to the data saved on the disk. The idea is that the key used to encrypt/decrypt the disk is either stored in the TPM, or a checksum of the key stored in the TPM is used. So unless the boot chain is trusted and the OS boots properly, it is very difficult to read the data.
Implement this kind of security as a mandatory policy to make it much harder to access the data offline.