Initial support for guided disk encryption in the installer

source link: https://undeadly.org/cgi?action=article%3Bsid%3D20230308063109

OpenBSD Journal

Contributed by Peter N. M. Hansteen on 2023-03-07 from the take my disk to the crypt dept.

The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shell from the installer.

Initial support, likely to be expanded upon, was committed by Klemens Nanni (kn@) on March 7, 2023. The commit reads,

Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2023-03-07 17:29:42
CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2023/03/07 10:29:42

Modified files:
	distrib/amd64/common: install.md 
	distrib/i386/common: install.md 
	distrib/miniroot: install.sub 
	distrib/riscv64/ramdisk: install.md 
	distrib/sparc64/common: install.md 

Log message:
Initial support for guided disk encryption

One new question to cover the most common use case, such that manual setup
in (S)hell or '!' prior to install is no longer required:

Encrypt the root disk? (disk, 'no' or '?' for details) [no] ?

Create a passphrase protected CRYPTO softraid volume to be used as root disk.

Available disks are: sd0.
Encrypt the root disk? (disk, 'no' or '?' for details) [no]

Use of keydisk or different disciplines are not covered.
Only asked in interactive installations;  no autoinstall(8) or upgrades.
Only reachable on i386, amd64, sparc64 and riscv64 for now (arm64 WIP).

Tested by cheloha naddy and a few users
Feedback from cheloha deraadt claudio
OK cheloha
"get it in now" deraadt

We very much look forward to seeing further development on this!

If you feel up to it, please test and report.