Scary and amazing.
On the side note Mac Books unexpectedly turned out to be partly resistant to this attack because of integrated nature of elements.
As a more advanced example for measures against cold boot attacks, the research project TRESOR provides a patch for the Linux kernel that enables you to keep the encryption key for your hard disk in CPU registers all the time, without ever leaking them to RAM.
Perhaps the solution could be a small usb dongle containing an embedded arm soc with a kind of RAM that doesn't persist at all -- maybe even no RAM at all, just the cpu. The dongle would support just three commands: init, encrypt, decrypt. Init sets the key and algorithm, after which the device doesn't let you change them until the system is powered off. En/decrypt do block-level crypto.
TRESOR uses the four x86 debug registers to store a 128 or 256 bit key and then uses this key to calculate the AES round keys on-the-fly on each block of encryption using Intel AES-NI instructions. Also, they patched the kernel not to touch these registers at all. Therefore, after the initial loading of the encryption key, it never leaves the CPU again.
This approach also means you cannot use the ptrace(2) syscall anymore to attach to a program using a debugger such as gdb. However, if you don't want to debug a program, this proof-of-concept already works quite nice.
I noticed the PDF link to the paper on their site is broken, so please see the USENIX publication for details: https://www.usenix.org/legacy/event/sec11/tech/full_papers/M...