by sarnowski
1200 days ago
I think/assume OpenBSD is mainly used as a server OS. Yes, passionate people use it as a desktop, but those mostly read the FAQ anyway. Currently, and as far as I know, bioctl only supports user-typed passwords or key disks. You certainly also want encrypted disks on your server, but requiring a user-typed password is oftentimes a no-go (think of various firewall appliances doing a reboot and not having remote hands). A compensation can be the key disk, but I don’t know how widely that is used. Hardware-bound encryption like with a TPM is not supported. Also, Linux is still exploring here as far as I can tell (no installer offers that). In sum: I think disk encryption in the current form is not a tradeoff many installations will take.

True, OTOH AFAIK you can add TPM unlock to a typical LUKS setup after installation, see my other comments:
https://news.ycombinator.com/item?id=35067375 (ed: fixed)