I haven't bothered encrypting my OS lately since the only important stuff is stored in encrypted password containers anyway, but I was thinking of setting it up again just because.
Anyway, I started by reading this article:
http://madduck.net/docs/cryptdisk/ - a basic tutorial on setting up dm-crypt/LUKS to boot Debian and preload multiple encrypted volumes by way of a stored keychain. All well and good, but something I found interesting was near the bottom: it indicated you could save the bootloader to a USB device and boot from there, so there'd be no clear /boot partition on the drive. I'd find it rather useful to have the bootloader on a mini USB stick so the system simply would not boot (even to ask for a key) if it was removed - but taking it a step further, we could potentially load the bootstrap via PXE, meaning that the bootloader could be housed on a networked device so it'd only boot if it was connected.
The actual interesting part - Coreboot (http://www.coreboot.org) writes open source BIOS, and includes a module (with very limited support) that allows you to boot PXE over a WLAN connection. Ideally what I'd want to do is create an encrypted DM/LUKS system and save the bootloader as a PXE image - move the PXE image to your phone handset, set it up as a PXE host (i.e. https://play.google.com/store/apps/details?id=com.bukerservebeer.bukerpxelite&hl=en), set a boot script on Coreboot to boot from your set APN and path... if all goes to plan, your computer will only ever boot when your phone is nearby with wireless switched on. Because it's the bootloader, you can turn wireless off once the system has started and will only need to turn it back on again if you reboot.