geli remote password entering - md approach

brouci tykadylko brouci.tykadylko at seznam.cz
Sat Aug 25 11:48:20 UTC 2012


> ------------ Original message ------------
> From: Xin Li <delphij at delphij.net>
> Subject: Re: geli remote password entering
> Date: 25.8.2012 11:19:54
> ----------------------------------------

> It would be interesting to implement an initrd-alike feature in FreeBSD;
> however, it's not totally impossible to do a similar thing "right
> now"-ish by using a mdroot while having it chroot into the new / with
> devfs and friends mounted. It's like a kluge but still doable.


When / is encrypted, I still have /sbin/init on the encrypted partition. At least in my current setup, only /boot is unencrypted. Geli devices are attached by the kernel as defined in loader.conf:
geom_eli_load="YES"
geom_label_load="YES"
geom_mirror_load="YES"
geom_part_gpt_load="YES"
zfs_load="YES"
geli_ad4p4_keyfile0_load="YES"
geli_ad4p4_keyfile0_type="ad4p4:geli_keyfile0"
geli_ad4p4_keyfile0_name="/boot/keys/boot.key"
geli_ad6p4_keyfile0_load="YES"
geli_ad6p4_keyfile0_type="ad6p4:geli_keyfile0"
geli_ad6p4_keyfile0_name="/boot/keys/boot.key"
vfs.root.mountfrom="zfs:system"

If I understand it right, the md-approach would be:
0) prepare an mfsroot image with kernel + zfs & geli modules and a statically linked dropbear (for example with http://mfsbsd.vx.sk/)
1) load mfsroot from loader.conf
2) execute kernel from mfsroot
3) execute dropbear and wait for login and geli mount done by hand (maybe similarly to your rc script - dropbear can hold its own network config) - and maybe even SCP in the keys for both partitions, so I don't need to keep them in unencrypted /boot
4) mount the new root from encrypted filesystem
5) chroot to new root
6) execute init from encrypted root

right?
I'm not the sort of hacker able to modify the kernel code, so this is at the edge of my kung-fu.
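A worked example of steps 1 and 3 to 6 above, added here by the editor; it is not the poster's code, nor part of FreeBSD or mfsbsd. It sketches the /etc/rc an mfsroot image for this md approach could run, plus the loader.conf lines that replace the geli_*_keyfile0_* entries so no key file stays in the unencrypted /boot. Everything named is an assumption: dropbear at /usr/local/sbin/dropbear with a host key at /etc/dropbear/dropbear_rsa_host_key, interface em0 with the documentation address 192.0.2.10/24 and gateway 192.0.2.1, and the providers ad4p4/ad6p4 and pool "system" taken from the post. For the handoff to the encrypted root it uses reroot (kenv vfs.root.mountfrom + reboot -r, available from FreeBSD 10.3 on) rather than chroot + init, because init(8) exits with "already running" when it is not PID 1; on a 2012-era system that step would still need the kluge the thread describes.

```shell
#!/bin/sh
# Added example (not the poster's or FreeBSD's code): the /etc/rc that an
# mfsroot image built for the md approach could run. Step numbers refer to
# the list in the post. All paths, addresses and names are assumptions.
#
# Assumed layout of the ramdisk image:
#   /usr/local/sbin/dropbear             statically linked dropbear
#   /etc/dropbear/dropbear_rsa_host_key  made at build time with dropbearkey(1)
#   /root/.ssh/authorized_keys           the operator's public key

PROVIDERS="${PROVIDERS:-ad4p4 ad6p4}"   # geli providers from the post
POOL="${POOL:-system}"                  # ZFS pool holding the real /
IFACE="${IFACE:-em0}"                   # constructed network settings
IPADDR="${IPADDR:-192.0.2.10/24}"
GATEWAY="${GATEWAY:-192.0.2.1}"

# Step 1: loader.conf lines for the unencrypted /boot. The loader loads the
# image, the kernel mounts it as /dev/md0 and runs this script from there;
# the geli_*_keyfile0_* entries and /boot/keys are no longer needed.
loader_conf_for_mdroot() {
    cat <<'EOF'
geom_eli_load="YES"
geom_mirror_load="YES"
geom_part_gpt_load="YES"
zfs_load="YES"
mfsroot_load="YES"
mfsroot_type="mfs_root"
mfsroot_name="/boot/mfsroot"
vfs.root.mountfrom="ufs:/dev/md0"
EOF
}

# Success once every provider has a .eli device, i.e. the operator has run
# "geli attach" for all of them over the ssh session. $1 overrides /dev
# so the check can be exercised without geli.
all_attached() {
    devdir="${1:-/dev}"
    for p in $PROVIDERS; do
        [ -e "$devdir/$p.eli" ] || return 1
    done
    return 0
}

# Poll once per second until all_attached succeeds; fail after $1 seconds.
wait_attached() {
    deadline="$1"
    devdir="${2:-/dev}"
    waited=0
    while ! all_attached "$devdir"; do
        [ "$waited" -ge "$deadline" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

main() {
    # Step 3: network up, sshd up. The operator then does by hand, e.g.:
    #   scp boot.key root@192.0.2.10:/tmp/
    #   ssh root@192.0.2.10 'for p in ad4p4 ad6p4; do geli attach -k /tmp/boot.key $p; done; rm -P /tmp/boot.key'
    # so the key only ever lives in the ramdisk, and is wiped after use.
    ifconfig "$IFACE" inet "$IPADDR"
    route add default "$GATEWAY"
    /usr/local/sbin/dropbear -r /etc/dropbear/dropbear_rsa_host_key -p 22

    wait_attached 600 || {
        echo "geli providers still not attached after 10 minutes" >&2
        exit 1
    }

    # Steps 4-6: instead of chroot + init (init(8) exits with "already
    # running" when it is not PID 1), reroot: init tears down the ramdisk
    # root, the kernel mounts vfs.root.mountfrom (the pool on the attached
    # .eli devices, kernel state is preserved) as the new / and starts
    # /sbin/init from there. Needs reboot -r, i.e. FreeBSD 10.3 or later.
    kenv vfs.root.mountfrom="zfs:$POOL"
    reboot -r
}

# Only act when invoked as the ramdisk's /etc/rc; sourcing the file just
# defines the functions.
case "$0" in
    */etc/rc) main ;;
esac
```

The waiting loop is deliberately dumb: the script has no way to know the passphrase or key, so all it can do is block until the .eli devices appear and then hand over. If the box is rebooted remotely and nobody logs in, it sits in the ramdisk with only dropbear reachable, which is the intended failure mode.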


