diff --git a/stand/libsa/geli/geliboot.c b/stand/libsa/geli/geliboot.c
--- a/stand/libsa/geli/geliboot.c
+++ b/stand/libsa/geli/geliboot.c
@@ -41,7 +41,8 @@
 SLIST_HEAD(known_dev_list, known_dev) known_devs_head = 
     SLIST_HEAD_INITIALIZER(known_devs_head);
 
-static geli_ukey saved_keys[GELI_MAX_KEYS];
+#define GELI_SAVED_KEYS_SIZE (GELI_MAX_KEYS * sizeof(geli_ukey))
+static geli_ukey *saved_keys;
 static unsigned int nsaved_keys = 0;
 
 /*
@@ -59,7 +60,7 @@
 		    G_ELI_USERKEYLEN);
 	}
 	fkeybuf->kb_nents = nsaved_keys;
-	explicit_bzero(saved_keys, sizeof(saved_keys));
+	explicit_bzero(saved_keys, GELI_SAVED_KEYS_SIZE);
 }
 
 /*
@@ -71,6 +72,9 @@
 {
 	unsigned int i;
 
+	if (saved_keys == NULL)
+		saved_keys = calloc(1, GELI_SAVED_KEYS_SIZE);
+
 	for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) {
 		memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data,
 		    G_ELI_USERKEYLEN);
@@ -90,6 +94,9 @@
 	 * If we run out of key space, the worst that will happen is
 	 * it will ask the user for the password again.
 	 */
+	if (saved_keys == NULL)
+		saved_keys = calloc(1, GELI_SAVED_KEYS_SIZE);
+
 	if (nsaved_keys < GELI_MAX_KEYS) {
 		memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN);
 		nsaved_keys++;
@@ -102,6 +109,7 @@
 	u_int keynum;
 	int i;
 
+	/* XXX should we check that gdev->keybuf_slot < nsaved_keys ? */
 	if (gdev->keybuf_slot >= 0) {
 		if (g_eli_mkey_decrypt_any(&gdev->md, saved_keys[gdev->keybuf_slot],
 		    mkey, &keynum) == 0) {