> Each disk has 5 partitions – 2 unencrypted (UEFI + /boot), 3 encrypted.
> That's 12 geli devices. All flagged for boot and having keyfiles
> associated to their respective `gpt/<label>` in `loader.conf`.
I don't understand this setup.
What you should do as you don't seem to want /boot to be encrypted is:
- UEFI+/boot unencrypted on each drive
- the rest of the root (mounted at /) partitions sharing the same GELI key so the same passphrase decrypts them. Only these 3 should be marked bootable so any one of these 3 can be found during boot and accept the passphrase, while the other 2 will automatically unlock with that passphrase
- on your encrypted / you should put the GELI keys for the other partitions somewhere like /etc/geli/*.key files
- in /etc/rc.conf tell it to use these keys (safely stored on your encrypted root so they're safe if someone takes your computer) to automatically decrypt these partitions like this:

```sh
# this is one of my servers
geli_devices="gpt/zdata01a gpt/zdata01b gpt/zdata02a gpt/zdata02b gpt/zbackup00 gpt/zdata03a gpt/zdata03b gpt/pgdata"
geli_gpt_zbackup00_flags="-p -k /etc/geli/backup01.key"
geli_gpt_zdata01a_flags="-p -k /etc/geli/zdata.key"
geli_gpt_zdata01b_flags="-p -k /etc/geli/zdata.key"
geli_gpt_zdata02a_flags="-p -k /etc/geli/zdata.key"
geli_gpt_zdata02b_flags="-p -k /etc/geli/zdata.key"
geli_gpt_zdata03a_flags="-p -k /etc/geli/zdata.key"
geli_gpt_zdata03b_flags="-p -k /etc/geli/zdata.key"
geli_gpt_pgdata_flags="-p -k /etc/geli/pgdata.key"
```
And it will handle the rest automatically on boot.
So in conclusion, this setup would require you to only put in your GELI passphrase once and it will only ask for it on one of 3 valid root filesystem devices. Everything else will work automatically.
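A pre-reboot sanity check for an rc.conf laid out like the one above, written as an added example and not the poster's own code: it confirms that every label in geli_devices has a matching geli_<label>_flags entry using -p and -k, and that each keyfile exists and is readable only by its owner (a keyfile anyone on the host can read defeats the point of keeping it on the encrypted root). The labels, paths and sample rc.conf in make_sample_rcconf are constructed for the demonstration.

```sh
# check_geli_rcconf FILE: verify the geli_* lines of an rc.conf. Prints each
# problem found and returns 1 if there were any, 0 if the config is consistent.
check_geli_rcconf() {
    rcfile="$1"; problems=0
    devices=$(sed -n 's/^geli_devices="\(.*\)"$/\1/p' "$rcfile")
    [ -n "$devices" ] || { echo "no geli_devices line in $rcfile"; return 1; }
    for dev in $devices; do
        # rc.d/geli turns gpt/zdata01a into the variable geli_gpt_zdata01a_flags
        var="geli_$(printf '%s' "$dev" | sed 's#/#_#g')_flags"
        flags=$(sed -n "s/^${var}=\"\(.*\)\"$/\1/p" "$rcfile")
        [ -n "$flags" ] || { echo "$dev: no $var entry"; problems=1; continue; }
        key=""; want_key=0; have_p=0
        for w in $flags; do            # pick out "-k <keyfile>" and "-p"
            if [ "$want_key" -eq 1 ]; then key="$w"; want_key=0
            elif [ "$w" = "-k" ]; then want_key=1
            elif [ "$w" = "-p" ]; then have_p=1
            fi
        done
        [ "$have_p" -eq 1 ] || { echo "$dev: no -p, boot will prompt"; problems=1; }
        [ -n "$key" ] || { echo "$dev: no -k keyfile in '$flags'"; problems=1; continue; }
        [ -f "$key" ] || { echo "$dev: keyfile $key missing"; problems=1; continue; }
        # key material must not be readable by other users on the host
        if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \))" ]; then
            echo "$dev: keyfile $key is group/world readable"; problems=1
        fi
    done
    return $problems
}
# Constructed fixture (hypothetical labels and paths) so the check runs offline:
# two good entries, one label with no flags line, one keyfile left mode 644.
make_sample_rcconf() {
    dir="$1"; mkdir -p "$dir/geli"
    printf 'k' > "$dir/geli/zdata.key"; chmod 600 "$dir/geli/zdata.key"
    printf 'k' > "$dir/geli/pg.key";    chmod 644 "$dir/geli/pg.key"
    cat > "$dir/rc.conf" <<EOF
geli_devices="gpt/zdata01a gpt/zdata01b gpt/pgdata gpt/orphan"
geli_gpt_zdata01a_flags="-p -k $dir/geli/zdata.key"
geli_gpt_zdata01b_flags="-p -k $dir/geli/zdata.key"
geli_gpt_pgdata_flags="-p -k $dir/geli/pg.key"
EOF
}
tmp=$(mktemp -d); make_sample_rcconf "$tmp"
check_geli_rcconf "$tmp/rc.conf" || echo "problems found, fix before rebooting"
```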