Why take anything out?
I can just copy it to the same flash drive when the disk is decrypted.

Here you need to take a comprehensive approach to the matter, while handing over the keys along with the data, you should not count on much. You can complicate the life of a hacker as follows:
1) Calculate the key from the IDs of the components, or use the IDs of the components to check the integrity, i.e. if something has changed, then clean everything up qualitatively.
2) Instead of screws, blind rivets, and in the body of the sensor to taste (for example, shock) on the open case, check accordingly at startup.
3) Think of what kind of thread is the "proprietary" power cord, respectively soldering the contacts on the SSD, so that the standard one would take it out of a standing position, or at least not work.
Well, everything like that ... in other words, it is not realistic to protect data, by software, giving them along with the keys!

Well ... They turned it down. What other keys are on the flash drive?
We stretch the section with links on LVM 'e on the ciphered section. It is desirable, of course, to stretch / usr (/ bin with / var and / tmp too) and / etc, and / boot is also better in a separate place. The big key is stored on the disk in encrypted form with some symmetric passphrase cipher. There is an even more advanced version with certificate mounting (that is, EDS), but I hope, if this is required, google it yourself.

You need something called a smart card or a crypto token - a complete analogue of the actual TPM without a couple of nuances, from the pros - non-recoverable private keys