This is my story on (almost) full disk encryption. I followed Pierre Proncher's instructions from Mar 2013. To my surprise, it worked on the first boot. However, networking didn't work because the kernel couldn't load the iwm firmware.

After a couple of attempts to fix firmware loading, I gave up on the cgdroot ramdisk and switched to a fake root on wd0a. It's similar to cgdroot but with modules and firmware files. I hard-linked a few binaries, including init, from /rescue.

My setup has not one but two cgd devices: cgd0 for the real root and cgd1 for the other partitions. cgd0's key is stored on the unencrypted wd0a; cgd1's key is stored on the real root, cgd0a. I have to enter two passwords instead of one, but this setup gives me some protection from an unsophisticated keylogger. Since wd0a is read-only, I can add a wd0a integrity check before running the second cgdconfig -C command and abort before entering the second password if the check fails. A real rootkit can easily fool the integrity checker, though.

Alex
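The boot sequence described above, as an added example that is not Alex's script: a POSIX sh fragment for the unencrypted fake root on wd0a that configures cgd0 from a params file kept on wd0a, mounts the real root, checks wd0a against a manifest stored on cgd0a, and only then configures cgd1 from a params file on the real root. The manifest is a sorted "sha256 path" list of every regular file on wd0a, compared byte for byte, so a changed, added or removed file all fail the check. Everything below that is not in the post is an assumption: /dev/wd0e and /dev/wd0f as the cgd backing partitions, the params file and manifest paths, /mnt as the real root's mount point, and that sh, find, sort, sed, cmp and a SHA-256 tool (sha256sum, sha256 or cksum) are among the binaries available on the fake root.

```shell
#!/bin/sh
# Fake-root boot stage for a two-cgd layout (constructed example, not the
# post's own script). Device names, paths and the manifest location are
# assumptions, see the lead-in.

FAKE_ROOT=/                          # wd0a, mounted read-only at boot
REAL_ROOT=/mnt                       # where cgd0a gets mounted (assumed)
MANIFEST=$REAL_ROOT/etc/wd0a.sha256  # manifest kept on the real root (assumed)

# Print the SHA-256 of the file "$1". NetBSD ships sha256(1) and cksum(1),
# Linux ships sha256sum(1); their output formats differ, so extract the
# 64-hex-digit digest whichever tool answers.
sha256_of() {
    {
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum -- "$1"
        elif command -v sha256 >/dev/null 2>&1; then
            sha256 -- "$1"
        else
            cksum -a sha256 -- "$1"
        fi
    } | sed -n 's/.*\([0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Print one "digest path" line per regular file on the filesystem rooted
# at "$1". -xdev keeps the walk on wd0a itself, so /mnt (cgd0a) and other
# mounted filesystems are not included; the list is sorted so two runs
# over identical trees produce byte-identical output.
manifest_of() {
    ( cd "$1" && find . -xdev -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256_of "$1/$f")" "$f"
    done
}

# Return 0 if the tree at "$1" matches the manifest file "$2" exactly:
# same files, same contents, nothing added, nothing missing.
verify_tree() {
    manifest_of "$1" | cmp -s - "$2"
}

boot_stage() {
    # First passphrase: the real root, keyed by a params file on wd0a.
    cgdconfig cgd0 /dev/wd0e "$FAKE_ROOT/etc/cgd/wd0e" || exit 1
    mount -o ro /dev/cgd0a "$REAL_ROOT" || exit 1

    # Check the read-only wd0a before asking for the second passphrase.
    # Abort (and tear cgd0 down again) if anything on wd0a changed.
    if ! verify_tree "$FAKE_ROOT" "$MANIFEST"; then
        echo "wd0a does not match $MANIFEST; refusing to configure cgd1" >&2
        umount "$REAL_ROOT"
        cgdconfig -u cgd0
        exit 1
    fi

    # Second passphrase: cgd1, keyed by a params file kept on cgd0a.
    cgdconfig cgd1 /dev/wd0f "$REAL_ROOT/etc/cgd/wd0f" || exit 1
}

# Only run the cgd steps when invoked as "script boot"; sourcing the file
# just defines the functions so the manifest can be (re)built elsewhere.
case "${1-}" in
    boot) boot_stage ;;
esac
```

After changing anything on wd0a (new firmware, a rebuilt kernel module), regenerate the manifest from the running system with wd0a mounted somewhere other than /, e.g. `manifest_of /altroot > /etc/wd0a.sha256` (the /altroot mount point is assumed); otherwise the next boot refuses to configure cgd1. As the post says, this only catches an attacker who modified wd0a offline and left it that way; code already running in the kernel can hand the check whatever it likes.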
