If you store sensitive data on your computer (e.g. passwords, keys, private files) you better enable full disk encryption.
First of all you need to generate a secure passphrase,
then boot OpenBSD installer and select
sd0 with the identifier of the target drive. All data
sd0 will be erased! Also check an identifier of the new crypto volume.
In my example it's
#!/bin/sh set -e drive='/dev/rsd0c' echo "DANGER! All data on $drive will be erased. Press CTRL-C to cancel." read -r dd if=/dev/urandom of="$drive" bs=1m count=1 status=none fdisk -iy sd0 >/dev/null disklabel -E sd0 >/dev/null << EOF z a a 1024 * RAID w q EOF bioctl -c C -l sd0a softraid0 cd /dev && sh MAKEDEV sd3 dd if=/dev/zero of=/dev/rsd3c bs=1m count=1 status=none echo 'Done! Please exit this shell to return to the main installer.'
Optionally, you can automate few steps. Here is how I do it. Frist, enable your internet connection:
# ifconfig re0 up # dhclient re0
Then download and execute the script:
Be very careful, at this step you may lose all your data.
# ftp https://www.romanzolotarev.com/openbsd/fde.sh # chmod +x # fde.sh # exit
When the installer asks which disk is the root disk, specify
When you booted OpenBSD from that crypto volume you can change the passphrase with this command:
doas bioctl -P sd3
Tested on OpenBSD 6.3.