Please consider adding Yubikey anonymous authentication to the BootGuard component of Symantec Encryption Desktop
These products provide cheap and upgradable means of two factor authentication during boot to prevent "evil maid" attacks.
Please ensure if implemented that BootGuard specifically authenticates that the Yubikey module is present (and not just verifiy the One Time Password (OTP) that it outputs.
Thank you