This post ended up being longer than I expected
Let me respond to your post first and then make an alternative suggestion that may do what you need.
Responses:
What data would leak when encrypting a jail partition instead of /home etc.?
I'm not quite sure what you mean. What are you trying to protect? Hard disk encryption protects your data at rest, that is, when your computer is powered off. The most obvious use is on laptops, which might be lost or stolen. For servers, it's useful if you're worried about the hard disks being stolen or thrown away at end-of-life without being securely destroyed. It can also be used to verify the integrity of the data, such that you can detect if someone has tried to maliciously modify the encrypted files. The configuration you have at the moment can't guarantee integrity since an attacker could modify the files on the unencrypted /boot partition, which could then report false results about file integrity.
Once your encrypted disks are mounted, they can be read like any other device and therefore don't offer any protection against network attacks (or unauthorised access to the machine locally) whilst the computer is running.
Maybe boot from a small unencrypted root partition, unlock the main encrypted root partition and chroot?
An interesting idea. I believe this would work, though I'm not sure what benefit it would give you. The machine would still be running an unencrypted /boot and root partition; you would just be using a different userland after the chroot(8) call.
There is an operating system where it's possible to load a small RAMdisk that enables networking and a small SSH server before booting the real system.
The concept is sound, though you would need a way of communicating the decryption key to GELI when booting FreeBSD. It might be possible to pass it as a variable to the kernel, though I don't know how you could get GELI to pick up that variable.
Suggestion for an alternative approach:
If I understand correctly, you want the hard disks of your machines to be fully encrypted at rest. The encryption keys should be held centrally and handed out on demand when the machines on the network boot.
Have you considered PXE boot? My idea here is that your machines have a fully encrypted root partition on their local hard disks. The /boot partition, including the kernel and GELI keys, resides on a read-only network share. Your machines boot from that network share, unlock the local hard drive and then continue the boot process from there. The vulnerability here would be if an attacker had access to your network, since the GELI keys would be freely available for anyone on the network. However, if a machine were to be stolen, all the data on the hard disk would be safely encrypted and the key would remain on your network share.
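As an added illustration (not part of the thread), this is what the /boot/loader.conf served from the read-only network share could look like for the PXE layout described above. It assumes the local disk is da0 with the encrypted root on da0p2, that the provider was initialised with a key file and no passphrase (`geli init -b -P -K /boot/keys/da0p2.key da0p2`), and that the key file lives under /boot/keys/ on the share; the device names and paths are placeholders.

```conf
# /boot/loader.conf on the read-only PXE/NFS share (constructed example).
# The kernel and this file are fetched over the network; the GELI key file
# sits beside them under /boot/keys/ and is handed to the kernel by the loader.

# Load the GELI GEOM class so the local provider can be attached before
# the root file system is mounted.
geom_eli_load="YES"

# Key file for the local encrypted root. The provider was initialised with
#   geli init -b -P -K /boot/keys/da0p2.key da0p2
# (-b: attach during boot, -P: no passphrase, so the file is the only key
# component). The _type value is "<provider>:geli_keyfile<N>", where N
# numbers the key files for that provider.
geli_da0p2_keyfile0_load="YES"
geli_da0p2_keyfile0_type="da0p2:geli_keyfile0"
geli_da0p2_keyfile0_name="/boot/keys/da0p2.key"

# Continue the boot from the now-attached encrypted local disk instead of
# from the network share.
vfs.root.mountfrom="ufs:/dev/da0p2.eli"

# Anyone who can read the share can read the key file, which is the network
# exposure noted above; this layout only protects against physical loss of
# the machine, so the share should be readable by the boot clients alone.
```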