Protecting file system contents with TPM and Encrypted File System

http://unix.stackexchange.com – I have been assured that this is possible, but have so far not found any reference that will clue me as to how to do it. I need to deploy an "appliance" with software and data that the user is permitted to use, but which I would prefer to keep them from poking around inside. The user will not have root access, so the running system should be protected. I want to stop the HDD being pulled and mounted elsewhere. So far I have installed all but /boot into an Encrypted file system, and I am challenged for a password very early in the boot process. One of my colleagues heard from "somewhere" that (HowTos)