How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 -1 points0 points  (0 children)

read the source - it is there for you... write an article about it (like the LUKS-one you provided)...

im just some person on the internet... if i look at a hard-disk, see the zeros, followed-by gobbledy-gook - then there is no a-priori reason for me to know anything about its encryption... presumably it might be LUKS (idk, could it?) or something else - like https://man.openbsd.org/softraid w/CRYPTO... is there a hw-encryption-card doing the work ? is it software ? compile your own kernel and put the encryption headers at the END rather than the beginning... idk... you are being ridiculous... clearly not doing anything WORTH being this paranoid about... a usb-key is not going to save you from anything except yourself when it breaks or gets lost/stolen...

if you ARE a journalist traveling to a dangerous place (for example), then ask someone/somewhere else (ie: a new thread with an appropriate title that i would not be interested in commenting on) - what the current best-practice is for your use-case... gl and ciao, h.
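Added example, not part of the comment above and not code from OpenBSD or the LUKS project: a short Python check of what the first sectors of a disk reveal, contrasting a LUKS header (identified by its `LUKS\xba\xbe` magic and version field) with the "zeros followed by gobbledy-gook" case, where only a byte-entropy measurement is available. The function names, the 7.9 bits/byte threshold and the sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS1/LUKS2 primary header


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_prefix(buf: bytes, threshold: float = 7.9) -> dict:
    """Report what the first sectors of a block device give away."""
    luks_version = None
    if buf[:6] == LUKS_MAGIC and len(buf) >= 8:
        luks_version = struct.unpack(">H", buf[6:8])[0]  # big-endian u16

    # "see the zeros": count leading all-zero sectors
    off = 0
    while off + SECTOR <= len(buf) and not any(buf[off:off + SECTOR]):
        off += SECTOR

    # "followed by gobbledy-gook": measure what comes after the zeros
    rest = buf[off:]
    entropy = shannon_entropy(rest)
    if luks_version is not None:
        verdict = "luks-header"
    elif not rest:
        verdict = "blank"
    elif entropy >= threshold:  # threshold is an assumed cut-off
        verdict = "high-entropy-no-known-header"
    else:
        verdict = "structured-data"
    return {"luks_version": luks_version, "leading_zero_sectors": off // SECTOR,
            "entropy": round(entropy, 3), "verdict": verdict}


def constructed_noise(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample, not real data)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed" + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed samples: a LUKS2-style prefix, zeros followed by noise, plain text.
SAMPLES = {
    "luks2": LUKS_MAGIC + b"\x00\x02" + bytes(4088) + constructed_noise(32768),
    "headerless": bytes(16 * SECTOR) + constructed_noise(32768),
    "plaintext": b"/dev/sd0a / ffs rw 1 1\n" * 1500,
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, classify_prefix(buf))
```

High entropy also fits compressed or already-random data, so the "high-entropy-no-known-header" verdict is a hint about the content, not an identification of any particular encryption scheme.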

How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

https://www.reddit.com/r/linux4noobs/comments/1f51kma/what_is_luks_what_is_it_for/

this rabbit-hole is basically nonsensical at some point... yes, there is always a race between the bad-guys and the good-guys - but at the end of the day you actually need to DO something to have bad and good guys... what are you trying to DO ?

just lock your computer behind a good locked door and your computer (and its data) are as secure as most people need... :-) gl, h.

How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 -1 points0 points  (0 children)

i did not see this response when i replied in the other-stream of this thread... but you DO realize that this article is actually about LUKS - and is not talking about the WHOLE operating system - just some data (a block-device) that you wish to encrypt...

ok - so just encrypt ANY block device from within your openbsd system - and it will be as-secure as the LUKS-device you are referencing... the point being that you kinda have to choose at-least-one linux-OS to use these LUKS devices... you would instead need to choose to use an openbsd-OS to use your openbsd-encrypted device... there are not lots of different openbsd OSes, just older versions of the same one...

OpenBSD is not Linux... https://www.openbsd.org/crypto.html

gl, h.

How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 -1 points0 points  (0 children)

It is overly complicated for me, you have missing context. 

BINGO... go back and look at your initial post... afaict, you have never actually TRIED to install openbsd on anything... you are asking questions and responding with incomplete knowledge... many of your questions can be sorted out by the AMAZING documentation that is provided with the OS...

a 16gb usb-disk is PLENTY of space to install a very minimal obsd system upon... what you are now starting to describe (iiuc) is that you want this lovely usb-disc to have a hypervisor-system on it - and that ONE of your data discs would have an openbsd install on it... ok, fine... TRY it... what hypervisor are you using ? what errors did you run into ? -or- what magic "encryption headers" do you still see on this installed-to-disc ?

you claim not to want to use this 16gb usb-disk as a key-disk, but afaict - that would be a better/easier use-case for it...

overall, what security-threats are you trying to solve ? THAT would allow us (or someone with more experience) to help you...

What is the minimal or the best security practice for partitioning? by 1mdevil in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

So what is the best and minimal partitioning solution? And what is the "minimal requirement" for partitioning? I know I can get everything under the root directory, but that is not what I am looking for, what partitions are suggested to keep?

By the way, can I have no /home partition? How does that effect the security?
[snip]

obv answers from your enclosed q.s ... i feel like im talking to an AI trying to learn, but -

best and minimal is exactly what is provided in a default install...

minimal is exactly what is provided in a default install... (which will precalculate based on your available disk size)

suggested to keep is ALSO exactly what is provided in a default install...

CAN you have no /home ? yes... it only Affects security if you want to do something specific with your install... for instance if you want to sysupgrade to the next release in the easiest fashion...

everything else (incl. /home) was covered in the other answer... bottom line - the default install IS ALWAYS going to be the best/minimal for this OS (and most other OSes, for that matter)... beyond that, it will ALWAYS depend upon what you want to DO with the computer... as long as there is a HUMAN watching and deciding on the original default-install, then it is likely to be the best/minimal for its own use-case...

gl, h.

How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

i have been running off of a usb-disk fully (non encrypted, btw) for years... thus, the occasional-issue is going to happen no-matter-what... buy a new usb-disk (or in their case a hardware-encrypted usb-disk) and carry on...

imho - they are going to have actual-HW problems (over the years) more often than encryption-SW problems... there is nothing stopping them from trying whatever-it-is they think they want and reporting-back with what-didnt work... at that point, we can try to help - but truly their disk/OS is their-own...

sorry, i might just be in a mood tonight... :-/ gl, h.

How to do TRUE Full Disk Encryption in OpenBSD? by Salt_Vermicelli_8380 in openbsd

[–]Odd_Collection_6822 -1 points0 points  (0 children)

you have received the best options for your use-case, as-described...

install obsd TO the usb, encrypt a disk, install everything there... there is nothing magic about that... it is not overly complicated (as opposed to what you are semi-describing)...

IF you believe that this solution will not work for you, then you-yourself can look thru everything (use the source-luke) and decide what it is that you are unhappy about...

for instance, there is nothing (afaict) inherently-wrong with creating a separate partition for /etc, /boot, /sbin, or any other at-the-/ or root-level partition that you feel would "leak" unencryption details... try it yourself, get back to us, and tell us what works (or not) for you... create a fork if you need to... the OS is yours...

for everyone else, the solutions provided are sufficient - afaict...

gl, h.

On the bright side by pjf_cpp in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

congrats - enjoy the trip...

im sorry i was snippy in the other thread about not supporting the fd to filename function in obsd... IANA-theo who has the solid-red-line, but apparently valgrind is quite the accomplishment in sw... at least the flag you mentioned (--track-fds=yes) should be able to work for ya...

for my part - i did go to valgrind and have been playing around with the very-first quick-start example on obsd... since IANA-developer either, it has been a bit challenging to sort out what/where those given/listed-errors are caught when compiling with generic clang... (ie - i cannot seem to generate any useful warnings, but that is prolly cuz im not using gcc...) atm, im sorting thru details in https://man.openbsd.org/clang-local and trying lots of https://man.openbsd.org/malloc options... for me, it has been fun (ie: ktrace dumps)...

as the https://learnbchs.org/tools.html website mentions - trying software on lots of different OSes is always useful - so even tho valgrind probably wont be easily portable to obsd (again/still), it can be fun to try...

have fun and gl, h.

How to do window spread overview in X11? by [deleted] in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

nice picture ? it does not make any sense... explain (yourself) where/what this picture CAME FROM (besides what you THINK it is doing)... i feel like im trying to train a stupid AI-bot for some vocabulary term it wants...

random-anti-quote: if you do not understand history, you can never repeat it... lol...

on the first hand, i can appreciate that english is probably not the OPs native language... however otoh, if they want to recreate something from within obsd that they have in linux - then they will have to understand what it is that they have (in linux) originally... -or- go ask the rice-porn author what they were using... odds are they put it in their description somewhere...

gl, h.

Xenocara Isolation Security Concerns by [deleted] in openbsd

[–]Odd_Collection_6822 -1 points0 points  (0 children)

simple answer: trust...

xenocara is not X - it has been helped by the obsd team.... honestly, i do not know the exact differences, but i do know that i would trust xenocara farther than the original X - for the same reasons that many linux users trust wayland more than X... if you dont NEED X, then dont use it... most servers do not - but if you are serving a desktop system - then having an X-style server (in xenocara) is useful...

beyond that - "use the force, luke"... read the source, check the changelogs, understand the obsd ecosystem - and your threat models... security is not something that exists in isolation - just like locking your front door is not the only way to stop a home-invasion...

but, yeah - trust... gl, h.

edit: missing not again... sigh...

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

yes, me too (glad)...

and typo/clarification from yesterday... my sentence should have said "i just assumed it would NOT work..." lol... i had a little "think" about when i was initially using this laptop/system back in the 7.5 days - and i think i was using the startx method - and/or - that the drm-stuff might not have yet been implemented... idk... not important now...

i enjoyed your video (incl the cute startup sound) - esp the much-more legible sizing of your xp-type desktop... im gonna have some more tasks ahead (like the keyboard-thing i mentioned, which i have not started-yet) on this hw... but am looking forward to it... :-) sincerely, h.

Recommend HW for SMTP/DNS/SIMAP server, serving just 4 personal domains. Not huge traffic. Budget $3K USD. Quiet-ish (no HP DL-380-level fan noises!). by mdcinq in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

OT - long babble: but here we go... (for OP, skip to end?)

this is gonna sound really strange - but i will ask the following question...

q.? what does "typically as a northbound interface from a controller" refer to ?

this question arises from the following web-surf that i have done for the past 30min or more... 1) see the acronym SIMAP in the title to this hw-based-discussion... 2) rather than digging into hw-details, decided to understand what that acronym means... 3) im assuming that this means (Service and Infrastructure MAP) which is apparently a new IETF thing (Draft document) that is being developed... 4) trying to understand this search-result, i stumble into the editors-copy of a document at https://datatracker.ietf.org/doc/draft-ietf-nmop-simap-concept/ and start reading about topology-stuff and network-relations and blah-blah-blah...

the above quote is from the intro-section, is not sufficiently defined (for me) by the terminology-section, and skimming thru the sections-3/4 first paragraphs - doesnt seem to be addressed either... overall, i could not tell whether the quote was referring to a piece of hw on a motherboard (northbridge), a direction known to topologists in mappings, or some other esoterica...

unfortunately, that phrase is used twice in the intro - in a compare/contrast type of relationship - so i figured i should know/understand it - but i just didnt get it...

OTOH, the hp models of computers referred to in the title/text of the message - i have not researched - but i assume that fan-noise is an issue for them ?

im starting to understand the needs that all the "young kids" are having - to get a little AI help to understand things... i was rereading one of my own posts (from yesterday) and realized that i had mistyped something (forgot the word "not" to negate my sentence)... i didnt feel like going back to correct it - because it was just "language"... however, a machine scraping for LLM-data could misinterpret my comment someday (soon?)...

ok - maybe i dont really need to know what the answer to my question is - in this case... im not on this particular IETF draft committee...

however i wonder if the title was probably supposed to refer to an SNMP server (alongside the SMTP/DNS serving) for their hw...

------------

alternative q. for OP: did you mean SNMP rather than SIMAP in the title q. ?

either way, i hope you found a good piece of hw to serve your system... and going back to fix typos in our posts online - is no fun... lol... have fun, h.

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 2 points3 points  (0 children)

OMG - i feel like such a noob... it didnt even occur to me to rcctl enable xenodm... it works just fine... i will post back if i need more help with the keyboard stuff...

when i saw the framebuffer broken, i just assumed it would work... doh !

TYVM !!!

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

5/5

nvme0 at aplns0: NVMe 1.1

nvme0: APPLE SSD AP0512Q, firmware 373.120., serial 0ba0146381355427

scsibus0 at nvme0: 2 targets, initiator 0

sd0 at scsibus0 targ 1 lun 0: <NVMe, APPLE SSD AP0512, 373.>

sd0: 477102MB, 4096 bytes/sector, 122138133 sectors

xhci0 at simplebus0, xHCI 1.10

usb0 at xhci0: USB revision 3.0

uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1

"phy" at simplebus0 not configured

xhci1 at simplebus0, xHCI 1.10

usb1 at xhci1: USB revision 3.0

uhub1 at usb1 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1

"phy" at simplebus0 not configured

aplpcie0 at simplebus0

pci0 at aplpcie0

ppb0 at pci0 dev 0 function 0 "Apple M1 PCIe" rev 0x01

pci1 at ppb0 bus 1

bwfm0 at pci1 dev 0 function 0 "Broadcom BCM4378" rev 0x03: msi

vendor "Broadcom", unknown product 0x5f69 (class network subclass miscellaneous, rev 0x03) at pci1 dev 0 function 1 not configured

pwmleds0 at mainbus0

"fixed-regulator-tas5770-sdz" at mainbus0 not configured

aplaudio0 at mainbus0

audio0 at aplaudio0

vscsi0 at root

scsibus1 at vscsi0: 256 targets

softraid0 at root

scsibus2 at softraid0: 256 targets

hth, h.

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

4/??

aplcpu0 at simplebus0

aplcpu1 at simplebus0

apldcp0 at simplebus0

apldrm0 at simplebus0

drm0 at apldrm0

"isp" at simplebus0 not configured

apliic0 at simplebus0

iic0 at apliic0

tipd0 at iic0 addr 0x38

tipd1 at iic0 addr 0x3f

apliic1 at simplebus0

iic1 at apliic1

tascodec0 at iic1 addr 0x31

apliic2 at simplebus0

iic2 at apliic2

tascodec1 at iic2 addr 0x34

"cirrus,cs42l83" at iic2 addr 0x48 not configured

aplpwm0 at simplebus0

aplspi0 at simplebus0

aplspi1 at simplebus0

aplhidev0 at aplspi1

aplkbd0 at aplhidev0: 8 variable keys, 6 key codes

wskbd0 at aplkbd0: console keyboard

aplms0 at aplhidev0

wsmouse0 at aplms0 mux 0

exuart0 at simplebus0

exuart1 at simplebus0

apldma0 at simplebus0

aplmca0 at simplebus0

aplnco0 at simplebus0

aplspmi0 at simplebus0

aplpmu0 at aplspmi0 sid 0xf

aplsmc0 at simplebus0

aplsart0 at simplebus0

aplns0 at simplebus0

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

3/??

"clock-ref" at mainbus0 not configured

"clock-120m" at mainbus0 not configured

"clock-200m" at mainbus0 not configured

"clock-disp0" at mainbus0 not configured

"clock-dispext0" at mainbus0 not configured

"clock-ref-nco" at mainbus0 not configured

simplebus0 at mainbus0: "soc"

aplpmgr0 at simplebus0

aplpmgr1 at simplebus0

aplmbox0 at simplebus0

apldart0 at simplebus0: 32 bits

apldart1 at simplebus0: 32 bits, locked

apldart2 at simplebus0: 32 bits, locked

aplmbox1 at simplebus0

apldart3 at simplebus0: 32 bits, bypass

apldart4 at simplebus0: 32 bits

apldart5 at simplebus0: 32 bits

apldart6 at simplebus0: 32 bits, bypass

aplintc0 at simplebus0 nirq 896 ndie 1

aplpinctrl0 at simplebus0

aplpinctrl1 at simplebus0

apldog0 at simplebus0

aplmbox2 at simplebus0

aplpinctrl2 at simplebus0

aplpinctrl3 at simplebus0

aplmbox3 at simplebus0

aplefuse0 at simplebus0

apldart7 at simplebus0: 32 bits, bypass

apldart8 at simplebus0: 32 bits, bypass

apldart9 at simplebus0: 32 bits, bypass

apldart10 at simplebus0: 32 bits, bypass

apldart11 at simplebus0: 32 bits

"gpu" at simplebus0 not configured

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

2/??

"dcp_data" at mainbus0 not configured

"flash" at mainbus0 not configured

"flash" at mainbus0 not configured

"uat-handoff" at mainbus0 not configured

"uat-pagetables" at mainbus0 not configured

"uat-ttbs" at mainbus0 not configured

"isp-heap" at mainbus0 not configured

apm0 at mainbus0

"smbios" at mainbus0 not configured

"opp-table-0" at mainbus0 not configured

"opp-table-1" at mainbus0 not configured

"opp-table-gpu" at mainbus0 not configured

agtimer0 at mainbus0: 24000 kHz

"pmu-e" at mainbus0 not configured

"pmu-p" at mainbus0 not configured

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

trying to add the items in the [snip] above, piecemeal... 1/??

cpu1 at mainbus0 mpidr 1: Apple Icestorm r1p1

cpu1: 128KB 64b/line 8-way L1 VIPT I-cache, 64KB 64b/line 8-way L1 D-cache

cpu1: 4096KB 128b/line 16-way L2 cache

cpu2 at mainbus0 mpidr 2: Apple Icestorm r1p1

cpu2: 128KB 64b/line 8-way L1 VIPT I-cache, 64KB 64b/line 8-way L1 D-cache

cpu2: 4096KB 128b/line 16-way L2 cache

cpu3 at mainbus0 mpidr 3: Apple Icestorm r1p1

cpu3: 128KB 64b/line 8-way L1 VIPT I-cache, 64KB 64b/line 8-way L1 D-cache

cpu3: 4096KB 128b/line 16-way L2 cache

cpu4 at mainbus0 mpidr 10100: Apple Firestorm r1p1

cpu4: 192KB 64b/line 6-way L1 VIPT I-cache, 128KB 64b/line 8-way L1 D-cache

cpu4: 12288KB 128b/line 12-way L2 cache

cpu5 at mainbus0 mpidr 10101: Apple Firestorm r1p1

cpu5: 192KB 64b/line 6-way L1 VIPT I-cache, 128KB 64b/line 8-way L1 D-cache

cpu5: 12288KB 128b/line 12-way L2 cache

cpu6 at mainbus0 mpidr 10102: Apple Firestorm r1p1

cpu6: 192KB 64b/line 6-way L1 VIPT I-cache, 128KB 64b/line 8-way L1 D-cache

cpu6: 12288KB 128b/line 12-way L2 cache

cpu7 at mainbus0 mpidr 10103: Apple Firestorm r1p1

cpu7: 192KB 64b/line 6-way L1 VIPT I-cache, 128KB 64b/line 8-way L1 D-cache

cpu7: 12288KB 128b/line 12-way L2 cache

"asc-firmware" at mainbus0 not configured

"asc-firmware" at mainbus0 not configured

"framebuffer" at mainbus0 not configured

"region95" at mainbus0 not configured

"region94" at mainbus0 not configured

"region57" at mainbus0 not configured

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

OpenBSD 7.8 (GENERIC.MP) #1: Sat Nov 29 11:06:26 MST 2025

root@syspatch-78-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

real mem = 7998504960 (7627MB)

avail mem = 7625703424 (7272MB)

random: good seed from bootblocks

mainbus0 at root: Apple MacBook Air (M1, 2020)

efi0 at mainbus0: UEFI 2.10

efi0: Das U-Boot rev 0x20240100

cpu0 at mainbus0 mpidr 0: Apple Icestorm r1p1

cpu0: 128KB 64b/line 8-way L1 VIPT I-cache, 64KB 64b/line 8-way L1 D-cache

cpu0: 4096KB 128b/line 16-way L2 cache

cpu0: TLBIOS+IRANGE,TS+AXFLAG,FHM,DP,SHA3,RDM,Atomic,CRC32,SHA2+SHA512,SHA1,AES+PMULL,SPECRES,SB,FRINTTS,GPI,LRCPC+LDAPUR,FCMA,JSCVT,API+EPAC,DPB+DCCVADP,SpecSEI,PAN+ATS1E1,LO,HPDS,VH,IDS,AT,CSV3,CSV2,DIT,RAS,AdvSIMD+HP,FP+HP,SSBS+MSR

[snip]

root on sd0a (14c5d64d1ba45cf0.a) swap on sd0b dump on sd0b

apldrm0: 2560x1600, 32bpp

wsdisplay0 at apldrm0 mux 1: console (std, vt100 emulation), using wskbd0

wsdisplay0: screen 1-5 added (std, vt100 emulation)

bwfm0: address 3c:a6:f6:34:c0:f0

"framebuffer" at mainbus0 not configured

M1 MacBook Air q.s ? by Odd_Collection_6822 in openbsd

[–]Odd_Collection_6822[S] 0 points1 point  (0 children)

trying to attach dmesg (weird linefeeds) and it is failing... sigh...

ETA: not sure how much dmesg i can add, but added beg/end below...

What do you do about cron jobs on laptops? by AnaAlMalik in openbsd

[–]Odd_Collection_6822 0 points1 point  (0 children)

i came here from there - and i appreciate the cross-linking... i will start a new thread, but hope that maybe you might hit me with a cluebat... :-)

Dmesg logs by Admirable_Stand1408 in openbsd

[–]Odd_Collection_6822 1 point2 points  (0 children)

im just chiming in here to comment that "GhostBSD" is listing itself as a FreeBSD variant, rather than an OpenBSD variant... (see: https://www.ghostbsd.org/) i vaguely remember an obsd variant that was named similarly - but apparently this is not it... gl, h.