Posts: 1,225 | Thanked: 1,905 times | Joined on Feb 2011 @ Quezon City, Philippines
#1153
Originally Posted by juiceme
Well yes, there are ways of doing that (encrypt all partitions, query for key in ubiboot, pass the authenticated token somehow neatly into the starting kernel's memory area...)
I've thought about this while on vacation :P
LVM and dm-crypt, accelerated by omap-aes would be quite nice to use!

You could set up an encrypted LUKS partition on the bare eMMC device, then straight up LVM on top of it.

The key to unlock the LUKS would be part of Ubiboot - you'd probably have the device IMEI XOR'd with the user's passcode, then run through PBKDF2.

Unfortunately, to minimize modifications needed to Harmattan and other OSes, the kernel would need to be modified to accept a LUKS key passed in the kernel cmdline.

The real challenge is ensuring the entire bootchain is trusted - our inability to code-sign our kernels and block unsigned code is a challenge.

From what I know, the OMAP on the N9/50 requires a signed primary boot loader; the secondary, AKA NOLO, is allowed to be unsigned, breaking the chain of trust.

If we could load our own code signing certificates, end-users themselves could trust the software that runs on their devices, and warn if unsigned software runs.

(Yes, I just described the reverse of a jailbreak - security functions, when used to protect user data are a godsend!)
__________________
N9 PR 1.3 Open Mode + kernel-plus for Harmattan
@kenweknot, working on Glacier for Nemo.
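The key derivation sketched in the post above (device IMEI XOR'd with the passcode, then PBKDF2), written out as an added Python example; it is not code from the post, from Ubiboot or from Harmattan. Cycling the passcode over the 15 IMEI digits, the salt, the iteration count, HMAC-SHA256 and the 32-byte output length are all assumptions, since the post fixes none of them.

```python
import hashlib


def mix_imei_passcode(imei: str, passcode: str) -> bytes:
    """XOR the ASCII IMEI digits with the passcode bytes.

    The passcode is cycled so every IMEI byte is covered; this
    layout is an assumption, the post does not say how the two
    lengths are reconciled.
    """
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    if not passcode:
        raise ValueError("passcode must not be empty")
    i = imei.encode("ascii")
    p = passcode.encode("utf-8")
    return bytes(a ^ p[n % len(p)] for n, a in enumerate(i))


def derive_luks_key(imei: str, passcode: str, salt: bytes,
                    iterations: int = 200_000, length: int = 32) -> bytes:
    """Stretch the mixed bytes with PBKDF2-HMAC-SHA256 (hashlib).

    The salt is not secret; a loader would store it next to the
    LUKS header and reuse it on every boot. The IMEI is printed on
    the device label, so it binds the key to the handset but adds
    no secrecy: the guessing cost stays bounded by the passcode
    space times the iteration count, which is why the iteration
    count matters here.
    """
    mixed = mix_imei_passcode(imei, passcode)
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, iterations, length)


if __name__ == "__main__":
    # Constructed sample values; not a real device or real salt.
    sample_imei = "490154203237518"
    sample_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    k1 = derive_luks_key(sample_imei, "1234", sample_salt)
    k2 = derive_luks_key(sample_imei, "1235", sample_salt)
    print("key:", k1.hex())
    print("one-digit passcode change gives a different key:", k1 != k2)
```

The resulting 32 bytes would be handed to cryptsetup as a key file rather than typed; how the post's modified kernel would receive them on the cmdline is left open here.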