On my way home from work today I was trying to figure out a secure and
yet handy way of encrypting my laptop's filesystems so that in the event
that it is stolen, I know that the perpetrator will never see my files.

Here's what I came up with, followed by some questions that I hope
to get answers for. I would like to use a USB fob ("thumb" drive) to
store the cryptographic keys used by an encrypted filesystem driver.
The plan would be to only encrypt my /home partition and my /usr/local
partition using either CFS or TCFS. I would like for my user account to
not be usable unless the USB fob is inserted. I want to have to insert
the fob, login with my username and password, and have my encrypted
filesystems mounted at login. I would also like to set it up so that
all I have to do is yank the fob out and my encrypted partitions would
be unmounted (re-encrypted) and my account logged off.

I'm quite familiar with linux (7 years of experience), but since this is
my first laptop, I've never really dealt with hardening a system against
malicious users with physical access to the system. I'm not too
familiar with CFS; is it possible to store the CFS keys in another
filesystem like a USB fob? How would I have to modify the login system
so that it would run a script to unlock and mount the encrypted
filesystem so that the login procedure can proceed (running .profile
etc.)?

One way I was thinking about doing this was to have my /home/me be the
mount point for my home directory partition. I would put the files
necessary to grab the keys from the fob then unlock and mount my
encrypted file system in the /home/me directory. That way I could log
in, my shell would execute the .profile in /home/me which would check
for the fob, get the keys and then mount the encrypted partition at
/home/me. Then when the .profile was done, the encrypted filesystem
would be decrypted
and in place at /home/me. I would also have a script that gets run when
the fob is disconnected that would do the reverse, unmount the encrypted
partition and then log me out.

Ideas, suggestions? Thanks.
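The login-time hook the post sketches, written out as an added example (not code from the original post, nor from CFS or TCFS). FOB_DIR, KEY_FILE, ATTACH_CMD and DETACH_CMD are assumed names, and the attach/detach commands are placeholders for whichever encrypting filesystem is chosen:

```sh
#!/bin/sh
# Login-time hook for the setup described above: check for the fob,
# validate the key file on it, attach the encrypted home, and tear
# everything down when the fob disappears.
# Assumed, not from the post: FOB_DIR, KEY_FILE, ATTACH_CMD, DETACH_CMD.
# ATTACH_CMD/DETACH_CMD stand in for whatever attaches and detaches
# the chosen encrypted filesystem (CFS, TCFS, ...); no real command
# line for those tools is assumed here.
FOB_DIR=${FOB_DIR:-/mnt/fob}
KEY_FILE=${KEY_FILE:-$FOB_DIR/home.key}
ATTACH_CMD=${ATTACH_CMD:-:}   # ':' is a no-op placeholder
DETACH_CMD=${DETACH_CMD:-:}

# The fob counts as present only if its directory exists and holds
# the key file.
fob_present() {
    [ -d "$FOB_DIR" ] && [ -f "$KEY_FILE" ]
}

# Accept only a regular file readable by its owner alone; a key that
# is group- or world-readable on a removable drive protects nothing.
key_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. -rw-------
    case $mode in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the encrypted home was attached, 1 when the fob is
# absent, 2 when the key file fails the permission check, 3 when the
# attach command itself failed.
attach_home() {
    fob_present || return 1
    key_file_ok "$KEY_FILE" || return 2
    # Only the key's location is passed on; the key is never copied
    # onto the laptop's own disk.
    $ATTACH_CMD "$KEY_FILE" || return 3
}

# Background watcher: poll for the fob; once it is gone, detach the
# encrypted filesystem first and only then end the login session.
watch_fob() {
    while fob_present; do sleep 2; done
    $DETACH_CMD
    kill -HUP "$$"   # $$ is still the login shell's PID in the subshell
}
# From .profile:  attach_home || exit;  watch_fob &
```

Calling attach_home before anything else in .profile means a missing fob or a badly protected key refuses the login instead of dropping the session into the unencrypted /home/me.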