Simple HOWTO of creation an encrypted ZFS pool under FreeBSD using geli + 256-bit AES-XTS encryption + a 4 kb random data partial key and a secondary passphrase (required to type on each boot).

## ZFS_geli_freebsd
root@rizzo ~$ uname -a
FreeBSD rizzo.heimdall.pl 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Wed Mar 13 21:02:32 CET 2013 root@rizzo.heimdall.pl:/sys/amd64/compile/rizzo  amd64
root@rizzo ~$ kldload opensolaris
root@rizzo ~$ kldload zfs
root@rizzo ~$ kldload geom_eli
root@rizzo ~$ gpart destroy -F da0
da0 destroyed
root@rizzo ~$ gpart create -s gpt da0
da0 created
root@rizzo ~$ gpart add -t freebsd-zfs -a 4096 da0
da0p1 added
root@rizzo ~$ mkdir /boot/encryption
root@rizzo ~$ dd if=/dev/random of=/boot/encryption/storage.key bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes transferred in 0.000111 secs (36945955 bytes/sec)
root@rizzo ~$ geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption/storage.key -l 256 -s 4096 /dev/da0p1
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /boot/da0p1.eli and
can be restored with the following command:

	# geli restore /boot/da0p1.eli /dev/da0p1

root@rizzo ~$ geli attach -k /boot/encryption/storage.key /dev/da0p1
Enter passphrase:
root@rizzo ~$ zpool create storage /dev/da0p1.eli
root@rizzo ~$ zfs set mountpoint=/storage storage
root@rizzo ~$ zfs create storage/movies
root@rizzo ~$ zfs create storage/music
root@rizzo ~$ zfs create storage/others
root@rizzo ~$ zfs set mountpoint=/storage/movies storage/movies
root@rizzo ~$ zfs set mountpoint=/storage/music storage/music
root@rizzo ~$ zfs set mountpoint=/storage/others storage/others
root@rizzo ~$ echo 'zfs_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'aesni_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_name="/boot/encryption/storage.key"' >> /boot/loader.conf
root@rizzo ~$ shutdown -r now

Done!
	root@rizzo ~$ uname -a
	FreeBSD rizzo.heimdall.pl 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Wed Mar 13 21:02:32 CET 2013 root@rizzo.heimdall.pl:/sys/amd64/compile/rizzo amd64
	root@rizzo ~$ kldload opensolaris
	root@rizzo ~$ kldload zfs
	root@rizzo ~$ kldload geom_eli
	root@rizzo ~$ gpart destroy -F da0
	da0 destroyed
	root@rizzo ~$ gpart create -s gpt da0
	da0 created
	root@rizzo ~$ gpart add -t freebsd-zfs -a 4096 da0
	da0p1 added
	root@rizzo ~$ mkdir /boot/encryption
	root@rizzo ~$ dd if=/dev/random of=/boot/encryption/storage.key bs=4096 count=1
	1+0 records in
	1+0 records out
	4096 bytes transferred in 0.000111 secs (36945955 bytes/sec)
	root@rizzo ~$ geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption/storage.key -l 256 -s 4096 /dev/da0p1
	Enter new passphrase:
	Reenter new passphrase:

	Metadata backup can be found in /boot/da0p1.eli and
	can be restored with the following command:

	# geli restore /boot/da0p1.eli /dev/da0p1

	root@rizzo ~$ geli attach -k /boot/encryption/storage.key /dev/da0p1
	Enter passphrase:
	root@rizzo ~$ zpool create storage /dev/da0p1.eli
	root@rizzo ~$ zfs set mountpoint=/storage storage
	root@rizzo ~$ zfs create storage/movies
	root@rizzo ~$ zfs create storage/music
	root@rizzo ~$ zfs create storage/others
	root@rizzo ~$ zfs set mountpoint=/storage/movies storage/movies
	root@rizzo ~$ zfs set mountpoint=/storage/music storage/music
	root@rizzo ~$ zfs set mountpoint=/storage/others storage/others
	root@rizzo ~$ echo 'zfs_load="YES"' >> /boot/loader.conf
	root@rizzo ~$ echo 'aesni_load="YES"' >> /boot/loader.conf
	root@rizzo ~$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
	root@rizzo ~$ echo 'geli_da0p1_keyfile0_load="YES"' >> /boot/loader.conf
	root@rizzo ~$ echo 'geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"' >> /boot/loader.conf
	root@rizzo ~$ echo 'geli_da0p1_keyfile0_name="/boot/encryption/storage.key"' >> /boot/loader.conf
	root@rizzo ~$ shutdown -r now

	Done!