An idea: a USB device that holds the key in a secure element
(specialized crypto chip), which itself is secured with a password so in
normal usage it would work like a standard 2FA … you need the USB key
and the password to decrypt the laptops hard drive.
The twist: when entering the duress password the USB device irreversibly
deletes the key (secure elements already have this function when they
detect attempts to access the silicon).
So unless the adversary can clone the secure element, which by design
shouldn’t be possible: it’s game over.
I guess the problem here is that all those chips are proprietary and in
order to trust it, we would need an open hardware version of it.