While the original poster doesn't enable it, GEOM_ELI can authenticate the storage using a HMAC, with HMAC/SHA256 the recommended algorithm. If you don't overwrite the entire encrypted volume (e.g., `dd if=/dev/zero of=/dev/da0s1a.eli bs=4k`), reads from uninitialized sectors fail due to data integrity verification errors, which might be interpreted by the file system as a bad sector instead of an empty one.