If the encryption doesn't protect him, or he learns better after you sell it to him, he will be
very upset. So I'd try the
key on drive method then, to avoid misleading them.
As far as I can tell the USB drive would become the magic key that lets it boot. Without it, they need a password.