Whole disk encryption and the boot partition

In most cases, so-called "whole disk encryption" does not in fact encrypt the whole disk. A small part of the disk is used for the boot partition, which must be stored unencrypted. This creates a potential attack vector. One description of this problem comes from Micah Lee in an interesting report originally published in 2600:

Pwning Past Whole Disk Encryption

In a nutshell: If an antagonist gets physical access to your computer (say, if you go to the bathroom and leave your laptop lying around, even if it is powered off), malicious software can be installed on the boot partition, e.g. a keylogger which grabs your hard drive decryption password the next time you enter it, and/or any other kind of malware.

The suggested solution to this problem is to eliminate the local boot partition. Instead, have the boot partition on a flash drive which you insert temporarily every time you reboot your computer (much like you insert a physical key to start your car). To prevent tampering with the flash drive, and to make sure it is not close to the computer when you are not, buy a nice and durable one and keep it on your keychain.

My personal setup costs less than $10 and involves the following hardware:

Kingston DataTraveler SE9

Stainless Steel 2.9mm Curb Chain
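Whether the boot partition lives on the internal disk or on the flash drive, its files can be compared against a record kept inside the encrypted volume. The following is an added example, not part of the original post or of Micah Lee's report; the script name `bootcheck.py`, its arguments and the idea of storing the baseline as JSON are assumptions made for illustration.

```python
import hashlib
import json
import os
import sys

def snapshot(boot_dir):
    """Map each file path (relative to boot_dir) to its SHA-256 hex digest."""
    digests = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            path = os.path.join(root, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, boot_dir)] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def main(argv):
    # Usage: bootcheck.py init|check BOOT_DIR BASELINE_JSON
    # BASELINE_JSON should live inside the encrypted volume (assumption),
    # so that someone with access only to the boot partition cannot edit it.
    if len(argv) != 4 or argv[1] not in ("init", "check"):
        print("usage: bootcheck.py init|check BOOT_DIR BASELINE_JSON")
        return 2
    mode, boot_dir, baseline_path = argv[1:]
    if mode == "init":
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(boot_dir), fh, indent=2, sort_keys=True)
        return 0
    with open(baseline_path) as fh:
        diff = compare(json.load(fh), snapshot(boot_dir))
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind}: {p}")
    return 1 if any(diff.values()) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only covers files in the mounted boot filesystem, not boot sectors outside it, and it runs after the disk has been unlocked, so it detects tampering rather than preventing it. Re-run `init` after every legitimate kernel or bootloader update.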