If a miscreant has physical access to a machine for long enough to take it apart and remove / add bits, your security is fucked anyway, regardless of what was or was not encrypted at the time.
HINT: In the case you outline, it's far simpler, quicker and less likely to be detected to just add a monitor to take a copy of everything while it's decrypted for use and send it to you.
Biting the hand that feeds IT
