If you want to boot from an encrypted root partition that is encrypted using geli, you must boot from an unencrypted partition that includes a /boot/ directory and /etc/fstab.
The geli(8) man page mentions the /boot/ directory requirement, but omits the /etc/fstab requirement.
Fix: I have attached a patch that mentions the /etc/fstab requirement in the geli(8) man page.
Patch attached with submission follows:
How-To-Repeat: Install FreeBSD onto a geli encrypted provider that was created with "geli init -b".
Then copy only the /boot/ directory to the unencrypted area that you will use to boot.
Boot the machine, and see the errors where it can't find the / partition to decrypt.
I'll take it.
I won't be looking at this PR for a while and I need to clear some out
of my queue.
An unencrypted /etc/fstab isn't actually necessary; you can specify
the root partition/pool with vfs.root.mountfrom.
For details see:
I agree that geli(8) could be a bit more specific about how to
boot from an encrypted root partition/pool, though.
Also, geliboot support now exists, which works with an encrypted /etc/fstab.
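
The check below is an added example, not part of the PR, its patch, or FreeBSD itself. It audits a mounted unencrypted boot area for the two things this thread discusses: a /boot/ directory, and a root filesystem source from either vfs.root.mountfrom in /boot/loader.conf or a "/" entry in /etc/fstab. The function names, return codes and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an unencrypted boot area for a geli-encrypted root.
# Usage: sh check.sh /path/to/mounted/boot/area
# check_boot_area returns (hypothetical codes chosen for this example):
#   0 = usable, 1 = no boot/ directory, 2 = no root filesystem source.

# Print the value of vfs.root.mountfrom from a loader.conf, if it is set.
# Commented-out lines do not match; the last assignment wins.
mountfrom_value() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*vfs\.root\.mountfrom[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Print the device field of the "/" entry in an fstab, skipping comments.
fstab_root_device() {
    [ -f "$1" ] || return 0
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

check_boot_area() {
    area=$1
    if [ ! -d "$area/boot" ]; then
        echo "missing: $area/boot"
        return 1
    fi
    # Checked first: an explicit setting needs no unencrypted fstab.
    dev=$(mountfrom_value "$area/boot/loader.conf")
    if [ -n "$dev" ]; then
        echo "loader.conf: $dev"
        return 0
    fi
    dev=$(fstab_root_device "$area/etc/fstab")
    if [ -n "$dev" ]; then
        echo "fstab: $dev"
        return 0
    fi
    # The How-To-Repeat case: only /boot/ was copied.
    echo "missing: root filesystem source (etc/fstab or vfs.root.mountfrom)"
    return 2
}

if [ $# -gt 0 ]; then
    check_boot_area "$1"
fi
```

With geliboot, as mentioned in the last comment, /boot/ itself can live on the encrypted provider, so this check applies only to the separate unencrypted boot area layout.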