geli keyfile arguments / gpt partitions

From: Georg Bege <georg_at_bege.email>
Date: Tue, 01 Feb 2022 19:06:06 UTC
Hello mailing list,

I'm trying to realize a specific encrypted setup on my FreeBSD machine at home.

For now I have a raidz2 pool, which did contain root; however, it doesn't boot any longer.

I have a dedicated SATA disk with UEFI boot code and /boot data, so this works and I can boot up.

What I want to do now is encrypt the devices of the pool, which should work in general because I can boot the kernel, and thus the kernel should be able to decrypt the required disk devices.


My issue is that whatever I find on Google etc., all examples want me to put the keyfile on /boot and then provide it as an argument like:
geli_<device>_keyfile0_name="/boot/encrypted.key"

This is something I don't want to do; instead I'd prefer to put the keyfile data on a single GPT partition of a USB stick of my choice.

I can reach this device whenever I boot up; however, it seems I cannot provide a /dev/... device just like this as an argument.

I don't even know if the kernel is able to read raw data from a GPT partition... but well, why not? It should be possible?


Has anyone a clue how to achieve this, or which arguments I need to provide?


regards,

Georg
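For readers who land here looking for the full set of loader variables the post alludes to, this is the documented /boot-based keyfile preload (as described in geli(8)), shown as an added example and not part of the original post. The keyfile is read by the boot loader, not by the kernel, and handed to the kernel as a preloaded module of type `<device>:geli_keyfile<N>`; this is why the examples the poster found keep the file under /boot. The device name da0 and the path /boot/keys/da0.key are assumed placeholders.

```shell
# /boot/loader.conf fragment: preload a geli keyfile for da0 so the kernel
# can attach the provider at boot without the key being on the root pool.
# "da0" and "/boot/keys/da0.key" are placeholders for this example.
geli_da0_keyfile0_load="YES"                 # ask the loader to load the file
geli_da0_keyfile0_type="da0:geli_keyfile0"   # module type: <device>:geli_keyfile<N>
geli_da0_keyfile0_name="/boot/keys/da0.key"  # path the loader reads it from

# Additional keyfiles for the same provider use the next index (keyfile1, ...).
```

Because all three variables are needed (load, type and name), a configuration that sets only the `_name` line, as in the post, will not preload anything; a quick check after boot is to confirm the provider is attached with `geli status`, and to keep the keyfile itself unreadable to anyone but root (`chmod 0400`), since a keyfile on the boot partition is only as protected as the partition holding it.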