I know you can always backdoor it with the root key, and I decided to give up on this line because of that.

In theory you could guarantee the OTP going forward, but it would be impossible to protect going backward, which kind of kills the whole point.