Please help refine this by pointing out shortcomings of this scheme.
The shortcoming is that the encryption is visible to the average guard and unnecessarily raises eyebrows.
How about this (on Android)? You install two operating system images on the phone, say, two instances of CyanogenMod, one encrypted, and the other non-encrypted, and you set up the boot loader TWRP so that it usually boots the unencrypted one. So, if the unsuspecting guard boots the phone, he'll be able to log in and see a perfectly regular OS. But if YOU want to access your confidential files, you reboot the phone into TWRP with the usual key combo, and then you boot into the encrypted instance of the OS. Added bonus: you modify TWRP so that it doesn't even display that encrypted OS in the list of available bootable partitions.
Shortcomings: forensics will show that there is an encrypted partition on the phone... if they ghosted it. But if it is just the guard booting up the phone and nosing around a little bit, you're pretty safe.
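
The forensic shortcoming mentioned above, as an added example that is not part of the original post: a block-wise entropy scan over a raw ("ghosted") image flags the hidden encrypted partition even when no boot menu lists it. The block size, threshold, function names and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # bytes per sampled block (assumed)
THRESHOLD = 7.5   # bits/byte; assumed cut-off, ciphertext sits near 8.0

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_runs(image: bytes, min_blocks: int = 8):
    """Return (start_offset, end_offset) for every run of at least
    min_blocks consecutive blocks whose entropy exceeds THRESHOLD."""
    runs, start = [], None
    nblocks = len(image) // BLOCK
    for i in range(nblocks + 1):  # one extra pass closes a run at end of image
        hot = i < nblocks and shannon_entropy(image[i * BLOCK:(i + 1) * BLOCK]) > THRESHOLD
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            if i - start >= min_blocks:
                runs.append((start * BLOCK, i * BLOCK))
            start = None
    return runs

def pseudo_ciphertext(nbytes: int) -> bytes:
    """Constructed stand-in for an encrypted partition: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                    for i in range(nbytes // 32))

def build_sample_image() -> bytes:
    """Constructed image: plain OS data, unused zeros, ciphertext, zeros."""
    plain = (b"system/app/Launcher.apk build.prop ro.product.model=demo\n" * 2000)[:16 * BLOCK]
    zeros = bytes(8 * BLOCK)
    return plain + zeros + pseudo_ciphertext(32 * BLOCK) + zeros

if __name__ == "__main__":
    for lo, hi in high_entropy_runs(build_sample_image()):
        print(f"high-entropy region: bytes {lo}-{hi} ({(hi - lo) // BLOCK} blocks)")
```

Compressed media also scores high, so the tell is a long contiguous run aligned to a partition boundary rather than scattered hot blocks inside a filesystem.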