
I've switched back from such a setup to having an unencrypted UFS boot partition. The external boot medium works nicely, but then you think about a USB stick being your SPOF too much, then you create backup sticks. Which means you have to secure them at least as well as the one "you are always carrying". But you cannot simply carry the backup as well, as that would subject it to the same wear and tear. Which spawns the second backup. It is a rabbit hole.

That said, I am really looking forward to Allan Jude's latest patches hitting CURRENT, at which point I will rebuild that laptop with UEFI booted, full disk encrypted root on ZFS without any unencrypted boot partition.

There will still be the issue of the unencrypted bootloader that does the initial decryption to load the kernel, but that will likely end up an irrelevant attack vector compared to the laptop's BIOS anyway...




Which laptop do you use? I love FreeBSD but have always failed at installing it properly on a laptop (Macbook dual boot, or Dell XPS 13).


It's a Dell Latitude E6430, aka whatever my workplace gave out at the time I got a new one. Which means I cannot claim that any sort of research went into choosing this one, or that it runs FreeBSD disproportionately well - which it does not. It just runs it, with the occasional hiccup here and there.

For example on boot, it always prints that the boot device is invalid, since it gets confused by finding GPT partitioning without UEFI. Then you press enter and it happily continues to boot...

I never fully configured the UMTS modem in it I think, that entire class of hardware is just soul crushingly awful.

And as I am running CURRENT, every once in a while there is a commit that throws i915kms into a suspend/resume tantrum (refusing to shut down, not coming back up). But since I do actually power down the laptop instead of suspending it, so that the disk encryption actually has a chance to help me out, I am not too bothered by it.

My use case for the laptop is mainly being a glorified ssh terminal multiplexer. It just needs to provide a comfortable, familiar runtime that I can navigate blindly at 3am, still partially asleep and without any coffee. All the tools need to be there, in the correct drawer, with the correct label and all the right marker labels on the man pages.

I tried running a Linux laptop/workstation combination at work since that is what our boxes predominantly run, but it just feels like running around in somebody else's slippers all day.

Sorry for oversharing.



