
I'd rather lose the laptop but have full disk encryption and keep my data secure.



I have the best of both worlds. Turn my laptop on and it will automatically boot into Windows without even so much as a password prompt. From there I have Prey installed so I can track it.

I never use this Windows installation though and it contains no valuable/personal data. It's effectively a honey-pot operating system. I have a Linux installation on there too (my "real" OS) which takes up the vast majority of the drive and uses full disk encryption. I insert a USB stick at startup which contains the boot partition+loader and boot from that.

I wrote it up here: https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop...


So you shut down your computer (as opposed to suspending it) every time you transport your computer from home to office and vice versa etc?


Absolutely. My previous laptop was a MacBook that I used to just suspend to RAM. When I decided to start taking my security/privacy seriously I decided I would start shutting down my machine when not in use. Even though TRESOR keeps my encryption key out of RAM, my RAM is still going to contain sensitive information when suspended. I can't suspend to disk because I've disabled swap. I did this because I use an SSD and wanted to avoid unnecessary wearing.

I suspected that I might be frustrated by having to boot up my machine every time I use it, because I'd become accustomed to suspend to RAM. It hasn't turned out that way. It doesn't bother me at all.


What's so unusual about that? I almost never suspend my laptop.


I almost never shut it down. Probably only once a month.

Waking from sleep is faster and I don't have to re-open my applications and documents. Shutting it down would save a small amount of power but that's rarely an issue (I'd shut it down if I was flying somewhere).

Are there some benefits to shutting it down I'm overlooking?


If you suspend, you are vulnerable to reading the decryption key from RAM (FireWire, RAM freezing). If you are doing full disk encryption, then only shutdown or hibernate are secure.


My encryption key doesn't live in RAM because I use TRESOR. It's hidden in the debug registers of my CPU. There is still going to be other sensitive information in RAM though which I wouldn't want to be accessed.


With SSD, on OSX, it's pretty fast to reboot. Most OSes can now be tuned to boot very quickly; the big thing was getting rid of the BIOS for EFI I think.


Nice. Has all this effort ever come in handy?


Nope. But then neither has my car insurance. ;) I've only been running this configuration for a little over a year anyway.


I speculate an ugly not-too-distant future: Mike crosses US border from Canada to US. Fancy government computers "lookup" Mike and flag his name because of suspicious posts on "hacker" news. Fun ensues, when agents discover hidden/encrypted partitions on computer. Computer impounded for further investigation. Mike has a bad day.


I'll just overwrite that partition with random garbage and use the Windows honey-pot OS for the duration of my visit, restoring when I get home. Well I might. Or I might not. Plausible deniability anybody?


The random garbage will probably get you in deeper trouble than the encrypted data -- they'll think that it is encrypted data, and ask you to decrypt it. Since it's garbage, you won't be able to; and then... I'll leave the rest to your imagination ;)

Overall, it's probably better to just give them your encrypted data. If you're not doing anything illegal, you don't have much to worry about. In my case, my data consists of software projects, personal diary/e-mails, etc. Nothing incriminating.

In principle what they're doing is wrong (violating your privacy and searching you without a warrant), but in the long run it'll probably just save you time to comply. Unless you're doing anything illegal, giving them your data shouldn't really be a problem.

If they "accidentally" share / release NDA'd corporate data (never heard of this happening), you can always take them to court. Heck, you can even take them to court for searching you without a warrant.


"Heck, you can even take them to court for searching you without a warrant."

Not at a border crossing - at least not for a non-US resident.


Actually you can be searched by federal agents inside the US within 100 miles of any "edge" of the border, even if you are not crossing...

http://www.wired.com/threatlevel/2008/10/aclu-assails-10/


Maybe it'd be safer to swap out the hard drive with a brand new one before crossing the border? :)


Once they decide to investigate further, you won't have time or ability to wipe out the drive.


The point is that they cannot distinguish the encrypted partition from random garbage.


But thanks to full disk encryption, his data is still safe from agents snooping through his cat photo collection!


They just keep him in prison until he gives them a password.

Luckily he's not identified as a terrorist. Because those people are subject to extraordinary rendition and intense interrogation techniques, and detained without trial.


Maybe this is a valid case for "security through obscurity". If you don't publicly proclaim you're doing something like this, who knows to look?


Pair that with a slightly stronger form of data hiding by using TrueCrypt's hidden partition feature to encrypt the second OS partition. Just make sure not to ever boot into the honeypot OS afterwards, or it could overwrite parts of the hidden partition. You can safely load the honeypot OS by typing in the hidden password as well so that TrueCrypt can load the proper partition boundaries.


How much slower is an encrypted partition? (SSD) - Anyone have benchmarks?


Modern Intel CPUs have AES-NI, which accelerates AES decoding:

http://www.remkoweijnen.nl/blog/2011/03/11/aes-ni-benchmarks...


Thanks for the introduction to Prey. Just installed it!



