
Good news. But why so late to support this? Debian had this for decades.


Sometimes adding a user interface to a straightforward operation is complicated, expensive, time-consuming, and/or low-priority for the intended audience.

OpenBSD users know how to partition and encrypt their disks.

World domination was never on BSD's todo list!

Don't get me wrong -- the Linux way is also perfectly valid, and obviously more popular. But it's not the only way.


I think/assume OpenBSD is mainly used as a server OS. Yes, passionate people use it as a desktop but those mostly read the FAQ anyway.

Currently, and as far as I know, bioctl only supports user-typed passwords or key disks. You certainly want encrypted disks on your server too, but requiring a user-typed password is oftentimes a no-go (think of various firewall appliances doing a reboot and not having remote hands). A compensation can be the key disk, but I don't know how widely that is used.

Hardware-bound encryption, like with a TPM, is not supported. Linux is also still exploring here, as far as I can tell (no installer offers that).

In sum: I think disk encryption in the current form is not a tradeoff many installations will take.


> Hardware-bound encryption, like with a TPM, is not supported. Linux is also still exploring here, as far as I can tell (no installer offers that).

True. OTOH, AFAIK you can add TPM unlock to a typical LUKS setup after installation; see my other comments:

https://news.ycombinator.com/item?id=35067375 (ed: fixed)


Wrong link I believe.

Also, if Secure Boot/TPM is not desired or not available, systemd can now start openssh very early to allow the user to type the passphrase, and for non-systemd systems one can use tinyssh-initramfs or dropbear-initramfs, depending on key requirements. The last option is a dedicated KVM (which also works for OpenBSD).


> Wrong link I believe.

Yes, it was. Fixed, thank you.


Maybe it is coming now instead of earlier not because of a clear choice, but because to get features into the project people need to spend their own free time on creating them.

Thank you Klemens Nanni and others for taking the time.


No, you could do it by hand. Even with commands, bioctl was far easier than the LUKS+LVM voodoo.


It's only now added as an interactive step in the install script. It has ~always been possible to create a crypto device with the install medium by dropping to a shell: https://www.openbsd.org/faq/faq14.html#softraidFDE


Arch Linux only added an installer very recently.

Besides, setting up encryption manually and then installing OpenBSD with its very fast installer has always been faster than using the interactive Debian installer, so in the grand scheme of things it wasn't that big of a deal.



