If you want to boot from an encrypted root partition that is encrypted using geli, you must boot from an unencrypted partition that includes a /boot/ directory and /etc/fstab. The geli(8) man page mentions the /boot/ directory requirement, but omits the /etc/fstab

Fix: I have attached a patch that mentions the /etc/fstab requirement in the geli(8) man page. Patch attached with submission follows:

How-To-Repeat: Install FreeBSD onto a geli encrypted provider that was created with "geli init -b". Then copy only the /boot/ directory to the unencrypted area that you will use to boot. Boot the machine, and see the errors where it can't find the / partition to decrypt.
Responsible Changed From-To: freebsd-doc->eadler
I'll take it.
Responsible Changed From-To: eadler->freebsd-doc
I won't be looking at this PR for a while and I need to clear some out of my queue.
An unencrypted /etc/fstab isn't actually necessary; you can specify the root partition/pool with vfs.root.mountfrom. For details see: /boot/defaults/loader.conf and /usr/src/sys/kern/vfs_mountroot.c. I agree that geli(8) could be a bit more specific about how to boot from an encrypted root partition/pool, though.
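A pre-reboot check for the layout discussed in the report and in the comment above, added here as an example (it is not part of the thread or of FreeBSD): it verifies that a mounted unencrypted boot volume has a /boot directory and names the root filesystem either through vfs.root.mountfrom in /boot/loader.conf or through a / entry in /etc/fstab. The function names, and the choice to read only /boot/loader.conf, are assumptions of this example.

```sh
#!/bin/sh
# Added example: can this unencrypted boot volume locate the encrypted root?
# Usage: check_boot_volume /path/where/the/boot/volume/is/mounted

# Print the value of vfs.root.mountfrom from loader.conf (last setting wins).
mountfrom_from_loader() {
    conf="$1/boot/loader.conf"
    [ -f "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*vfs\.root\.mountfrom[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$conf" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Print the device of the fstab entry mounted on "/", skipping comment lines.
root_from_fstab() {
    fstab="$1/etc/fstab"
    [ -f "$fstab" ] || return 1
    awk '$1 !~ /^#/ && $2 == "/" { print $1; found = 1; exit }
         END { exit !found }' "$fstab"
}

# Return 0 if the volume has /boot and one of the two root specifications.
check_boot_volume() {
    vol="$1"
    if [ ! -d "$vol/boot" ]; then
        echo "FAIL: no /boot directory on $vol"
        return 1
    fi
    if spec=$(mountfrom_from_loader "$vol"); then
        echo "OK: root set by vfs.root.mountfrom=$spec"
    elif spec=$(root_from_fstab "$vol"); then
        echo "OK: root set by /etc/fstab entry $spec"
    else
        echo "FAIL: no vfs.root.mountfrom and no /etc/fstab entry for /"
        return 1
    fi
}
```

Run it against the mount point of the boot volume before rebooting; a FAIL line corresponds to the boot-time error described in the report.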
Also, geliboot support now exists, which works with an encrypted /etc/fstab.
Close as overcome by events?
I still think geli(8) should be improved. The "geliboot support" Allan mentioned seems to lack documentation as well.
(In reply to Fabian Keil from comment #6)
> I still think geli(8) should be improved. …

Agreed (coincidentally, I asked a question in Discord not long before your comment). If I understand correctly, such improvements will be out of scope for this bug report:

>> geli(8) needs to mention unencrypted /etc/fstab requirement for encrypted root
I have no strong feelings about whether or not this bug report stays open, but at least on stable/13 geli(8) still doesn't mention /etc/fstab so IMHO the report has not actually been "overcome by events".