If an encrypted folder is decrypted on a USB, then the USB is unplugged, how can I protect the data?

1

I have a USB with Debian Linux installed on it. I've encrypted a folder with sensitive data...

  • created a key
  • tar'd a directory
  • encrypted the tar file using openssl and key

If the folder is decrypted...

  • decrypt the encrypted tar file using openssl and key
  • untar the directory

...so I can run an executable from that decrypted folder and then in a worst case scenario if someone just unplugs the USB, how can I protect that sensitive data? Other scenarios that could leave the data unencrypted that I could imagine are shutdown now or reboot now commands. Someone could...

  • mount the USB (and specific partition with the sensitive data) on a system they have root access to and pull the decrypted data off the drive
  • plug in the USB and run Linux and access the data or send it somewhere else via rsync or some other method
  • copy the entire image of the USB and flash it onto a new USB

Wondering if I can...

  • prevent mounting the drive to another system
  • or run a clean up script on mount
  • run a cleanup script on shutdown now or reboot now

I've read and know I can...

  • run a script to clean up the data on reboot (different than reboot now) or shutdown (different than shutdown now) or on startup.

I'd prefer...

  • to and am only using a password keyfile and not a manually entered password (I understand the risks)
  • to and am using a bash script (as opposed to a GUI) to decrypt sensitive data and run an executable
  • not to encrypt a partition

Any help/ideas on cleaning up or protecting that sensitive data when the USB is unplugged are welcome!

bradleygsmith

Posted 2016-11-30T04:10:18.783

Reputation: 11

No answers
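
An added example, not part of the original question: one way to run the decrypt, untar and execute workflow described above so that the plaintext is unpacked into RAM-backed storage instead of onto the USB, which leaves only the encrypted tar file on an unplugged or imaged drive. The function names, the `RAMDIR` variable, the `/dev/shm` default and the cipher flags are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example. Assumptions: /dev/shm is RAM-backed (tmpfs); the cipher and
# KDF flags are this example's choice, not taken from the question.

# encrypt_dir KEYFILE SRC_DIR OUT_FILE: tar SRC_DIR and encrypt the stream.
encrypt_dir() (
    tar -C "$2" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1" -out "$3"
)

# run_decrypted KEYFILE ARCHIVE CMD [ARGS...]
# Unpacks into a private directory under $RAMDIR (default /dev/shm), runs CMD
# there, and removes the plaintext on exit or signal. The body is a subshell,
# so the traps and the cd do not leak into the caller.
run_decrypted() (
    key=$1; archive=$2; shift 2
    umask 077
    work=$(mktemp -d "${RAMDIR:-/dev/shm}/plain.XXXXXX") || exit 1
    trap 'rm -rf "$work"' EXIT
    trap 'exit 130' INT TERM HUP    # signals fall through to the EXIT trap
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" \
        -in "$archive" -out "$work/plain.tar" || exit 1
    mkdir "$work/data" || exit 1    # parent stays 0700 whatever the tar holds
    tar -C "$work/data" -xf "$work/plain.tar" || exit 1
    rm -f "$work/plain.tar"
    cd "$work/data" || exit 1
    "$@"
    exit $?
)

# demo: constructed sample data; prints what CMD read from the RAM copy.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    mkdir "$d/src" && echo "constructed secret" > "$d/src/data.txt"
    openssl rand -hex 32 > "$d/key"
    encrypt_dir "$d/key" "$d/src" "$d/data.tar.enc" || exit 1
    run_decrypted "$d/key" "$d/data.tar.enc" cat data.txt
)
```

tmpfs pages can be written to swap, so this keeps plaintext off the drive only when swap is disabled or encrypted. A keyfile stored on the same USB as the archive remains readable to anyone who holds the drive.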