Is there a way to use a "hardware fingerprint" to automatically mount an eCryptFS directory on boot?

1

I would like to have an eCryptfs directory "securely" automatically mounted on boot without logging in. My scenario is this: I have an embedded ArchLinux server (ARM-based) that uses a removable microSD card for persistent storage and the file system.

I would like to have an encrypted directory on the microSD card so that if someone pops out the microSD card and tries to copy it, they can't access the files in the encrypted directory.

My thought was this:

Use dmidecode to get the ID and "hardware fingerprint" of a server and use a hash of the dmidecode output as the passphrase to encrypt the directory.

So what I want to do is, on boot, have dmidecode pull the information, hash it, then use eCryptfs to automount using the hash as the passphrase.

So the passphrase isn't stored anywhere, it is pulled on boot and used to unlock it. The obvious weakness is someone looking at the boot sequence could see how it works, and then get the passphrase by having physical access to the server. Since it is specific to the server (assuming a unique serial number for the processor), they couldn't get a similar embedded server hardware, they would need the one tied to the specific microSD card.

Primarily this is to act as a deterrent for someone stealing the microSD card (but not the embedded server) and copying it.

I guess my bottom line question is: how would I add this to the boot sequence? I'm using Arch Linux v3 on ARM-based hardware.

Canuk

Posted 2014-07-09T16:27:58.793

Reputation: 141

Be aware that dmidecode has very little (if any) entropy associated with it, so the security is minimal. Anyone who can guess your hardware configuration (or enumerate a bunch of possibilities) can figure out the encryption key pretty quickly. Intel processors at least haven't had unique serial numbers for a long time. I'm not sure about ARM devices. – Joshua Warner – 2016-10-05T20:52:38.460

Thanks. Actually what I found was that for this particular device, every one of them had a serial number of 00000000. So dmidecode is out. I'm interested to find out if there is some unique hardware number that is device specific that I could use to do this. – Canuk – 2016-10-10T08:26:26.710

No answers
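An added example, not from the question or from any answer on this page, showing how the boot-time step the question asks about could be wired up: read a board identifier, refuse to proceed when it carries no entropy (the all-zero serial number reported in the comments), derive the eCryptfs passphrase from it, and mount. The identifier sources (`/sys/firmware/devicetree/base/serial-number`, the `Serial:` line of `/proc/cpuinfo`), the salt file path, and the lower/upper directories are assumptions for illustration. The salt only stops a precomputed table from covering every board of the same model; it does not add secrecy, since it sits on the same card, so the weakness the comments describe (a guessable identifier) remains.

```shell
#!/bin/sh
# Example, not part of the original question: derive an eCryptfs passphrase
# from a hardware identifier at boot and mount an encrypted directory.
# Assumed paths (not from the page):
SALT_FILE=/etc/ecryptfs-hw.salt      # random bytes written once at install
LOWER_DIR=/srv/.private             # ciphertext directory on the microSD card
UPPER_DIR=/srv/private              # cleartext view after mounting

# Print a board identifier; prints nothing when none is available.
read_hw_id() {
    if [ -r /sys/firmware/devicetree/base/serial-number ]; then
        tr -d '\000' < /sys/firmware/devicetree/base/serial-number
    elif [ -r /proc/cpuinfo ]; then
        awk -F': ' '/^Serial/ {print $2; exit}' /proc/cpuinfo
    fi
}

# Reject identifiers that carry no entropy: empty, short, or all zeros
# (the "00000000" case the questioner ran into).
hw_id_is_usable() {
    id="$1"
    [ -n "$id" ] || return 1
    [ "${#id}" -ge 8 ] || return 1
    case "$id" in
        *[!0]*) ;;          # at least one non-zero character
        *) return 1 ;;      # nothing but zeros
    esac
    return 0
}

# Derive a 64-hex-character passphrase from identifier and salt with SHA-256.
derive_passphrase() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Mount the directory, handing the passphrase to mount.ecryptfs through a
# root-only file on tmpfs rather than on the command line (so it does not
# appear in ps output), and deleting that file afterwards.
mount_encrypted() {
    id=$(read_hw_id)
    if ! hw_id_is_usable "$id"; then
        echo "refusing to mount: hardware identifier missing or all zeros" >&2
        return 1
    fi
    salt=$(cat "$SALT_FILE") || return 1
    pass=$(derive_passphrase "$id" "$salt")
    pwfile=$(mktemp /run/ecryptfs-pw.XXXXXX) || return 1
    chmod 600 "$pwfile"
    printf 'passphrase_passwd=%s\n' "$pass" > "$pwfile"
    mount -t ecryptfs "$LOWER_DIR" "$UPPER_DIR" -o \
        "key=passphrase:passphrase_passwd_file=$pwfile,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Only mount when invoked as "script mount", so the functions can be sourced
# and checked without touching the system.
case "${1:-}" in
    mount) mount_encrypted ;;
esac
```

To run it in the boot sequence on a systemd-based Arch system, install the script as, for example, `/usr/local/sbin/ecryptfs-hwmount` and create a oneshot unit (`Type=oneshot`, `ExecStart=/usr/local/sbin/ecryptfs-hwmount mount`, `RemainAfterExit=yes`) ordered after `local-fs.target` and before whatever service needs the cleartext directory; the unit name and ordering are assumptions. The usable-identifier check is the part worth keeping regardless of source: it turns a silently weak key into a visible boot failure.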