Yes, the client can do the decrypting, or the server (over a secure line connected to client). I seriously doubt a NIT can outperform a fileserver in this regard, but I like to be surprised!

Good point, on the unmounting but the encrypted HDD can remain mounted while its running as long as the system is not remotely exploitable. If one has physical access, they'd first need to perform say a cold boot attack method. USB access can be disabled.

I certainly recommend people not typing in their password in public. Which is one reason S/Key, OPIE or SSH keys are so useful. Sometimes the solution is less elegant. For example, I use Devicescape to log in to my WiFi hotspots.

I don't know if TrueCrypt supports some kind of key management (or even S/Key or OPIE itself), but I know LUKS does provide some basic key management which is very useful in (possible) hostile environments.