• freebsd
  • zfs
  • geli
  • zroot

Ya, This doesn’t work any more. The freebsd gpt Bootloader can now quite easily boot of geliencrypted ZFS pools. These instructions are quite terse.

  • Install using the latest 11-Current ISO, When choosing disk-layout choose auto root on ZFS with encryption.

  • Remove all GELI_* entries and change geom_eli_passphrase_prompt=”YES” to geom_eli_passphrase_prompt=”NO” in loader.conf

vi /boot/loader.conf
  • Grab the latest sources
  • recompile and install the latest 11-Current. with boot-parts
  • Copy /boot from bootpool to zroot and destroy the bootpool, we’ll be booting from zroot encrypted from now on.
  • Install the latest gptzfsboot and remove the key-encryption on zroot partition.
  • Finally we destroy the partition holding the old boot environment.
svn checkout https://svn.freebsd.org/base/head/ /usr/src/
cd /usr/src
make -j 4 buildworld
make -j 4 buildkernel KERNCONF=GENERIC-NODEBUG
make -C sys/boot install
make installworld
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
geli setkey /dev/ada0p4
rm /boot
cp -r /bootpool/boot/ /
zpool destroy bootpool
gpart delete -i 2 ada0 #Remove zfs-boot partition

Good Luck and have fun! I tested on a virtualbox

Credit goes to Allan Jude and his persistance in implementing the bootcode. Allan Jude - AsiaBSDCon2016_geliboot.pdf