Yes.

You run bitcoin using -datadirpath/to/usb/

Once encryption is added to wallets, then you'll be able to keep your RSA key on your computer, and your wallet on the USB stick. ATM still working on that.

I don't understand, what will prevent the virus from getting your key from your computer and use it when you connect your flash drive?

Actually...that's an interesting idea.

I've been working with a STM8S-DISCOVERY board to run GNUK on the STM32 part. I still have some bugs to work out on the GnuPG implementation, but it may be interesting to try to hack up some code to make a smartcard-like application that can do transaction signing on said hardware. There is a bit of work that would need to be done on hardware as well as getting a client to be able to read the wallet from the hardware.

May be an interesting proof of concept.

The terminal itself would do the signing and possess the keys and only cough up the signed transction so no way to spoof.

So what would the requirements be for such a device? The bitcoin software would still run on the PC, but instead of having the keys stored in the local wallet it would communicate with the device?

I can see myself getting a proof of concept going using a PIC32... would that be safe enough? The device would connect to the PC using USB but instead of providing a USB disk with the wallet, it would provide a serial interface or something alike that would allow the connected bitcon client to operate upon. So it would still be possible for a virus to take over the computer and ask the device to transfer whatever to wherever, but the serial API could use a password protection encryption step to make this harder. And because the keys are NEVER shared with the outside world, one could also set up hard limits (no transaction larger than 100btc, for example) so it would be safe to use the device on public computers.

Would this be safe enough?

But how do you know that the transaction the hardware device signed is actually the transaction you wanted to make?  You might THINK you're sending 100BTC to your brother, your computer will SAY you're sending 100BTC to your brother, but the trojan might change the destination address that goes in to the hardware device.

Unless the hardware device has some sort of display and physical button to OK the transaction.  In which case the hardware device sounds a lot like a smart phone.

The token would just provide a Mathematical algorithm based one time password and that's it. The client would only send when it confirmed this password. You could use OATH for this.
It's open source etc. Like mentioned above you could still be vulnerable to someone swapping the address. You wouldn't lose your entire wallet though and would be a start.

It would be like this.
1)turn on client and enter address of recipient
2) type amount and hit send
3) client asks you for token password
4) enter pin on token get password ex:447421
5) type 447421 in to client and the transfer starts

If someone was listening in or standing over your shoulder etc they wouldn't be able to replicate this because they don't have the token.
The token could be used manually like this or it could be connected via usb bluetooth whatever they make a variety.
The client would have to be modified to get the "go" on the transfer from the token is all.

How does this protect one from the virus scenario? I'm assuming the wallet will have to be loaded in memory in an unencrypted way for this to work, at least while sending a transfer.

And I don't know if this is an issue at all, but does this allow in any way for the mobility of the wallet? I mean, will the token and the wallet be paired in such a way that you can safely load your wallet into some bitcoin client, knowing that it will only be available if you use the token's OTP?