tse Hi Tse, nice to see you here too (I'm sehnsucht); of all the BSDs, encrypted boot is available on FreeBSD+geli only AFAICT.
That said, as you mentioned, bootloader (either boot(8)/boot.cfg, or grub2) can perfectly reside on a separate unecrypted boot partition.
I successfully accomplished this on BIOS/MBR,but never tried on UEFI; I don't see why it shouldn't be possible; why not ask directly for a proof-of-concept walkthrough on netbsd-users mailing list?
and in fact it's not ?; want root encryption on NetBSD? old-school manual bootstrap/install; my tutorial could be a good starting point
tse the installer fails when trying to mark the partitions as bootable and specifying the mount points (/boot /boot/UEFI/boot) (both 8.0 and 8.99).
I'm positive you're doing it wrong here:
boot/UEFI/boot is a Linux/Grub ESP layout, not NetBSD's; EFI bootstrap code should rathet reside on /EFI/boot
unlike on Linux , on *BSD ESP doesn't need to be specified on /etc/fstab and is never mounted on a booted system (there's no /boot partition; once UEFI finds the ESP on the selected disk, the BSD EFI bootstrap code takes care of booting the specified root). In this case particular case, I'd dare guess that the cgdroot.kmod and ramdisk should be located at /EFI/boot as well, so as to mount the ESP at /boot/EFI/etc/cgd