Auto-booting and Securing a Linux Server with an Encrypted Filesystem

I know of a clever variant of Option 1 called Mandos.

It uses a combination of a GPG key pair, Avahi, SSL and IPv6, all added to your initial RAM disk, to securely retrieve its root partition’s key password. If the Mandos server isn’t present on the LAN, your server is an encrypted brick. If the Mandos server hasn’t seen a heartbeat from the Mandos client software for a given period of time, it will ignore future requests for that key pair, and the server is an encrypted brick the next time it boots.

Mandos Homepage

Mandos README
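
The release policy described in the answer above, as an added toy model that is not part of the original answer and is not Mandos code: a key server that hands out a client's secret only while heartbeats keep arriving, and latches the client off once the window is missed. The class and method names, the fingerprint string and the timeout value are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Client:
    secret: bytes      # key material held for this client (constructed value)
    timeout: float     # seconds allowed between heartbeats
    last_seen: float   # time of the last accepted heartbeat
    enabled: bool = True


class KeyServer:
    """Toy model of a heartbeat-gated key release; hypothetical, not Mandos."""

    def __init__(self):
        self.clients = {}

    def register(self, fingerprint, secret, timeout, now):
        self.clients[fingerprint] = Client(secret, timeout, now)

    def _expire(self, client, now):
        # The disable latches: a late heartbeat or request cannot undo it.
        if client.enabled and now - client.last_seen > client.timeout:
            client.enabled = False

    def heartbeat(self, fingerprint, now):
        client = self.clients.get(fingerprint)
        if client is None:
            return False
        self._expire(client, now)
        if client.enabled:
            client.last_seen = now
        return client.enabled

    def request_key(self, fingerprint, now):
        # Called by the booting client from its initial RAM disk.
        client = self.clients.get(fingerprint)
        if client is None:
            return None
        self._expire(client, now)
        return client.secret if client.enabled else None

    def admin_enable(self, fingerprint, now):
        # Only a deliberate operator action brings a disabled client back.
        client = self.clients[fingerprint]
        client.enabled = True
        client.last_seen = now
```

A reboot that completes inside the timeout still gets its key; a machine that has been off the LAN for longer than the timeout does not, even if it is later plugged back in.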
