Add an example how to use keyfiles for encrypted providers which should be

attached before the root file system is mounted.

MFC after:	3 days

sbin/geom/class/eli/geli.8

@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 11, 2005
+.Dd February 11, 2006
 .Dt GELI 8
 .Os
 .Sh NAME
@@ -511,10 +511,46 @@ Encrypted swap partition setup:
 # geli onetime -d -a 3des ad0s1b
 # swapon /dev/ad0s1b.eli
 .Ed
+.Pp
+The example below shows how to configure two providers which will be attached
+on boot (before the root file system is mounted).
+One of them is using passphrase and three keyfiles and the other is using only a
+keyfile:
+.Bd -literal -offset indent
+# dd if=/dev/random of=/dev/da0 bs=1m
+# dd if=/dev/random of=/boot/keys/da0.key0 bs=32k count=1
+# dd if=/dev/random of=/boot/keys/da0.key1 bs=32k count=1
+# dd if=/dev/random of=/boot/keys/da0.key2 bs=32k count=1
+# cat /boot/keys/da0.key0 /boot/keys/da0.key1 /boot/keys/da0.key2 | geli init -b -K - da0
+Enter new passphrase:
+Reenter new passphrase:
+# dd if=/dev/random of=/dev/da1s3a bs=1m
+# dd if=/dev/random of=/boot/keys/da1s3a.key bs=128k count=1
+# geli init -b -P -K /boot/keys/da1s3a.key da1s3a
+.Ed
+.Pp
+The providers are initialized, now we have to add those lines to
+.Pa /boot/loader.conf :
+.Bd -literal -offset indent
+geli_da0_keyfile0_load="YES"
+geli_da0_keyfile0_type="da0:geli_keyfile0"
+geli_da0_keyfile0_name="/boot/keys/da0.key0"
+geli_da0_keyfile1_load="YES"
+geli_da0_keyfile1_type="da0:geli_keyfile1"
+geli_da0_keyfile1_name="/boot/keys/da0.key1"
+geli_da0_keyfile2_load="YES"
+geli_da0_keyfile2_type="da0:geli_keyfile2"
+geli_da0_keyfile2_name="/boot/keys/da0.key2"
+
+geli_da1s3a_keyfile0_load="YES"
+geli_da1s3a_keyfile0_type="da1s3a:geli_keyfile0"
+geli_da1s3a_keyfile0_name="/boot/keys/da1s3a.key"
+.Ed
 .Sh SEE ALSO
 .Xr crypto 4 ,
 .Xr gbde 4 ,
 .Xr geom 4 ,
+.Xr loader.conf 5 ,
 .Xr gbde 8 ,
 .Xr geom 8 ,
 .Xr crypto 9