i use doble layer truecrypt. i created a standart container truecrypt disk on my harddrive, then my harddrive itself is whole-disk-encrypted 🙂
anyone who change the bootloader will only get password for the first layer encryption. but to get password for the second layer encryption, someone would have to plant a bug or keylogger, a system startup change which would be easily noticable and trigger an alarm (and easily repairable too). deepfreeze, everyone?