Encrypted ufs root partition, passphrase entered during installation will not be accepted at boot

Hello, I have some trouble getting an encrypted root UFS to work properly.
I install the (EFI) boot partition on a USB stick (/dev/da5), with both a keyfile and a passphrase. The (root) partition is /dev/ad0p1, the swap /dev/ad0p2.
After that, because I use the vSphere hypervisor with FreeBSD 11.0/x64 as a guest, I have to convert the USB stick into a bootable ISO file; vSphere does not allow me to boot from USB.
I got a lot of information from someone who posted a howto on a site which I will not mention because of the FreeBSD Forum rules.
During installation I enter my passphrase; when I enter exactly the same passphrase when booting from the ISO file, FreeBSD tells me it's not correct.

During installation, I start a shell at partitioning time, and enter the following commands:
gpart destroy -F da5
gpart destroy -F da0
gpart create -s gpt da5
gpart add -t freebsd-boot -s 512k -a 4k da5
gpart add -t freebsd-ufs -l boot -s 900M -a 1M da5
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da5
gpart create -s gpt da0
gpart add -t freebsd-ufs -l root -b 1M -s 23G da0
gpart show da0
gpart add -t freebsd-swap -l swap -s 8GB da0
dd if=/dev/random of=/tmp/da0.key bs=64 count=1
geli init -b -e AES-XTS -l 256 -K /tmp/da0.key -i 1 -s 4096 da0p1
Here I enter the passphrase twice.

geli attach -k /tmp/da0.key da0p1
Here I enter the passphrase once, and it's accepted.

newfs -U /dev/da5p2
newfs -U /dev/da0p1.eli
mount /dev/da0p1.eli /mnt
mkdir /mnt/unenc
mount /dev/da5p2 /mnt/unenc
mkdir /mnt/unenc/metadata_restore_files
cp /var/backups/da0p1.eli /mnt/unenc/metadata_restore_files/
cp /tmp/da0.key /mnt/unenc/
mkdir /mnt/unenc/boot
ln -s unenc/boot /mnt/boot
Edit the file: /tmp/bsdinstall_etc/fstab
/dev/da0p1.eli    /       ufs     rw    1    1
/dev/da0p2.eli    none    swap    sw    0    0
Edit the file: /tmp/bsdinstall_boot/loader.conf
From here I complete the installation, pull out the USB stick, connect it to another FreeBSD box, and make a bootable EFI ISO this way:
cd ~
mkdir usbtoiso
Mount the usb-stick to /mnt
cp -aR /mnt/* usbtoiso
dd if=/dev/zero of=efiboot.img bs=4k count=150
mdconfig -a -t vnode -f efiboot.img
newfs_msdos -F 12 -m 0xf8 /dev/md0
mount -t msdosfs /dev/md0 /mnt
mkdir -p /mnt/efi/boot
cp ~/usbtoiso/boot/loader.efi /mnt/efi/boot/bootx64.efi
umount /mnt
mdconfig -d -u 0
makefs -t cd9660 -o bootimage='i386;efiboot.img' -o no-emul-boot -o rockridge -o label="Cryptoboot" -o publisher="Crypt" crypt-o-boot.iso usbtoiso
After booting from this ISO, at some point it asks me for my passphrase. I enter exactly the same passphrase, but it simply does not work.
I hope someone sees the problem, and I don't cause people a headache!

Hint to non-US keyboard users: Do not set a passphrase with accents or special characters that the US keyboard cannot address. The keymap is loaded AFTER you have to enter your passphrase at boot time.

I use a US international keyboard, and already tried leaving out special characters, even spaces.

I found the solution...
First move ~/usbtoiso/da0.key to ~/usbtoiso/boot/
or do this earlier, replace cp /tmp/da0.key /mnt/unenc/
with cp /tmp/da0.key /mnt/unenc/boot/
(put the line mkdir /mnt/unenc/boot above the previous line! :) )

The following lines need to be added to loader.conf (at the end of the lines already added in my first post)

Thanks for reading my post, hope this one helps others...
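
A pre-flight check for the staged usbtoiso tree before running makefs, added here as an example and not part of the thread. The loader.conf lines the post refers to are not shown on this page, so the script assumes the keyfile variable names documented in geli(8) (geli_<dev>_keyfile0_load, _type, _name); the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a staged boot tree
# before makefs. Assumes geli(8)-style loader.conf keyfile variables
# geli_<dev>_keyfile0_load/_type/_name; paths resolve from the tree root.

conf_get() {  # conf_get FILE VAR -> last assigned value, quotes stripped
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

check_geli_keyfiles() {  # check_geli_keyfiles TREE -> 0 ok, 1 problem, 2 no conf
    tree=$1 conf="$1/boot/loader.conf" rc=0 seen=0
    [ -r "$conf" ] || { echo "missing $conf" >&2; return 2; }
    for p in $(sed -n 's/^\(geli_[A-Za-z0-9_]*_keyfile[0-9]*\)_name=.*/\1/p' "$conf"); do
        seen=1
        name=$(conf_get "$conf" "${p}_name")
        case $(conf_get "$conf" "${p}_load") in
            [Yy][Ee][Ss]) ;;
            *) echo "${p}_load is not YES" >&2; rc=1 ;;
        esac
        case $(conf_get "$conf" "${p}_type") in
            *:geli_keyfile*) ;;
            *) echo "${p}_type is not <provider>:geli_keyfileN" >&2; rc=1 ;;
        esac
        # The loader can only read files that are inside the boot tree.
        [ -s "$tree$name" ] || { echo "$name not found under $tree" >&2; rc=1; }
    done
    [ "$seen" -eq 1 ] || { echo "no geli keyfile entries in $conf" >&2; rc=1; }
    return "$rc"
}

make_sample_tree() {  # constructed sample: keyfile left in the tree root
    t=$(mktemp -d) && mkdir -p "$t/boot" || return 1
    printf 'constructed-sample-key' > "$t/da0.key"
    cat > "$t/boot/loader.conf" <<'EOF'
geom_eli_load="YES"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/da0.key"
EOF
    echo "$t"
}

if [ "$#" -gt 0 ]; then check_geli_keyfiles "$1"; fi
```

Run it as `sh check.sh ~/usbtoiso` (script name hypothetical); a non-zero exit means the loader would not find the keyfile that loader.conf points at.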