The geli manpage has an example for preloading keyfiles during boot.
There is no detail though on how the lookup of these variables actually works.
There seems to be some magic "geli_$device_..." pattern.
I've checked the source to find out how it works because i've wasted quite a bit of time trying to make sense and come up with the correct magic of the geli/device/keyfile combination.
Turns out none of that matters.
I propose to add something like (sorry I know nothing about manpage syntax):
diff --git a/lib/geom/eli/geli.8 b/lib/geom/eli/geli.8
index 43ca9a2928c..ee994d544cf 100644
@@ -1013,6 +1013,12 @@ geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
+By convention, these loader variables are called geli_$device_load. However, the
+actual name prefix before _load/_type/_name does not matter. At boot time, the
+geli module will search through all $something_type that have a value of
+"$device:geli_keyfile", leading to $something_name with has the path to the keyfile.
+In the example above, $something is "geli_da1s3a_keyfile".
Not only configure encryption, but also data integrity verification using
.Nm HMAC/SHA256 .
.Bd -literal -offset indent