Installing FreeBSD on an encrypted volume

Robert Simmons rsimmons0 at gmail.com
Fri May 13 05:16:52 UTC 2011


I have been trying to get FreeBSD installed on an encrypted volume and I've
run into an annoying problem.  Before I describe the problem, let me explain
what I have done so far.

First I used gpart to make GPT partitions: one freebsd-boot, two
freebsd-ufs.  The freebsd-boot is 64k and the following command installed
the boot code:
# gpart bootcode -b /mnt2/boot/pmbr -p /mnt2/boot/gptboot -i 1 ad0

The second freebsd-ufs is 200M for /boot and the third is for the GELI based
encrypted swap and /.  I used geli to encrypt ad0p3 and again used gpart to
carve it into two BSD slices, one 512m for swap and the other the rest of
the disk for /.

After everything is newfs'd and ad0p1 and ad0p3.elib are mounted as
/mnt/boot and /mnt/root respectively, I did "export DESTDIR=/mnt/root" and
ran the install.sh scripts in /dest/8.2-RELEASE/base and
/dest/8.2-RELEASE/kernels.

The next thing I did was to modify the /mnt/root/boot/loader.conf file so
that it loads the geom_eli module and edit the /mnt/root/boot/device.hints
file so that the password on boot works correctly for the encrypted volume.
And I moved /mnt/root/boot/GENERIC to /mnt/root/boot/kernel.

Then I copied the contents of /mnt/root/boot to /mnt/boot.  I created a
directory /mnt/boot/etc and made a fstab and put one copy there and another
copy in /mnt/root/etc.

This works great, however, I am left with /boot in two different places and
/etc/fstab in two places as well.  I would like to know if someone can come
up with a more elegant solution to this.  At the moment I am mounting
/dev/ad0p2 as /bootdir and whenever I update the system, once the update is
done, I just do an archival copy of the contents of /boot into /bootdir/boot
and if there is a change to fstab I make the change in both places.

I understand that /boot cannot be encrypted (at the moment, until things
change).  But I would like to have /boot mounted directly from /dev/ad0p2 so
there is only one copy of it.

Any thoughts?
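The following is an added example by the editor, not part of the original post or of any reply to it. It stages the single-copy layout that avoids the duplicated /boot and fstab: the unencrypted partition (ad0p2 in the post) is mounted at /bootdir and /boot on the encrypted root is a relative symlink into it, so the loader finds its files where it expects them and installkernel writes through the symlink. The loader reads /etc/fstab from the partition it booted from only to derive vfs.root.mountfrom; setting that variable in loader.conf removes the need for the second fstab. Device names (ad0p2, ad0p3.elia for swap, ad0p3.elib for /) follow the post and are assumptions; the script writes into temporary staging directories instead of real mount points so it runs offline.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or the FreeBSD project):
# stage a GELI-root layout with exactly one copy of /boot and /etc/fstab.
# In a real install, ROOTMNT would be the mounted ad0p3.elib and ad0p2
# would be mounted at $ROOTMNT/bootdir before running stage_layout.
set -eu

BOOTDEV=/dev/ad0p2        # assumption: unencrypted freebsd-ufs partition
SWAPDEV=/dev/ad0p3.elia   # assumption: GELI-attached BSD partition for swap
ROOTDEV=/dev/ad0p3.elib   # assumption: GELI-attached BSD partition for /

# stage_layout ROOTMNT
# Writes loader.conf under ROOTMNT/bootdir/boot (the unencrypted partition),
# one fstab under ROOTMNT/etc, and makes ROOTMNT/boot a symlink.
stage_layout() {
    rootmnt=$1
    bootmnt=$rootmnt/bootdir          # where the unencrypted partition mounts

    mkdir -p "$bootmnt/boot/kernel" "$rootmnt/etc"
    : > "$bootmnt/boot/kernel/kernel" # stand-in for the real kernel file

    # The loader reads this from the partition it booted from (ad0p2), so it
    # is the only loader.conf on the system.  vfs.root.mountfrom tells the
    # kernel where / is, so no /etc/fstab is needed on the boot partition.
    cat > "$bootmnt/boot/loader.conf" <<EOF
geom_eli_load="YES"
vfs.root.mountfrom="ufs:$ROOTDEV"
EOF

    # The single fstab lives on the encrypted root.  /bootdir must be mounted
    # before anything dereferences /boot, hence pass number 2.
    cat > "$rootmnt/etc/fstab" <<EOF
# Device		Mountpoint	FStype	Options	Dump	Pass#
$ROOTDEV	/		ufs	rw	1	1
$SWAPDEV	none		swap	sw	0	0
$BOOTDEV	/bootdir	ufs	rw	1	2
EOF

    # Relative link: valid both while staged under /mnt/root and after boot.
    ln -s bootdir/boot "$rootmnt/boot"
}

# boot_copies ROOTMNT: number of loader.conf files under the tree (want 1).
boot_copies() {
    find "$1" -name loader.conf -type f | wc -l | tr -d ' '
}

# fstab_copies ROOTMNT: number of fstab files under the tree (want 1).
fstab_copies() {
    find "$1" -name fstab -type f | wc -l | tr -d ' '
}

# kernel_reachable ROOTMNT: 0 if /boot/kernel/kernel resolves via the symlink.
kernel_reachable() {
    [ -L "$1/boot" ] && [ -f "$1/boot/kernel/kernel" ]
}

# Stand-alone demo on a scratch directory.
demo=$(mktemp -d)
stage_layout "$demo"
echo "loader.conf copies: $(boot_copies "$demo"), fstab copies: $(fstab_copies "$demo")"
ls -l "$demo/boot"
```

After a freebsd-update or installkernel run, /boot/kernel is already on ad0p2 because the symlink points there, so the archival copy step goes away; the only thing to keep in mind is that /bootdir has to be mounted before touching /boot, which the fstab entry above guarantees at boot time.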

