From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Thu, 8 Feb 2024 13:29:46 +0000

On 2024/02/08 11:07, Klemens Nanni wrote:
> +		[pP]*)
> +			while :; do
> +				ask_password 'Passphrase for the root disk?'
> +				[[ -n "$_password" ]] && break
> +				echo 'The passphrase must be set.'
> +			done
> +			PASSFILE=/tmp/i/passfile
> +			(umask 077 && print -r -- "$_password" >$PASSFILE)
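
Review bot: at the `print -r -- "$_password" >$PASSFILE` line the passphrase is left in `$_password` in the parent shell after it has been written out, because only the `umask` and the write happen inside the subshell. Clear the variable once the file exists (for example `unset _password` right after the subshell), and quote the redirection target as `>"$PASSFILE"`. A short comment explaining why the passphrase has to touch a file at all would also help the next reader.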

This is fairly distasteful; OpenBSD usually goes out of its way to
wipe sensitive things like this even from memory in a single
process after use.

If doing this, it might be better to only have this question for the
autoinstall case (like how ask_root_sshd is done) and use the standard
bioctl method for manual install.

>  	bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
> +	rm -f $PASSFILE
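
Review bot: the `rm -f $PASSFILE` cleanup sits after the `bioctl` call, so the passphrase file stays in place if the script is interrupted or exits anywhere between the write and this line. Register the removal before the file is created (a `trap` on exit and signals would do) rather than relying on reaching this point, and quote the variable as `"$PASSFILE"` so that an unset or empty value is handled explicitly.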

rm -fP perhaps?

But, do enough people really want autoinstall with FDE from a password
fetched from a webserver to be worth doing this? It doesn't seem very
sensible to me.