From: Stuart Henderson Subject: Re: [patch] Autoinstall with disk encryption To: tech@openbsd.org Date: Thu, 8 Feb 2024 13:29:46 +0000 On 2024/02/08 11:07, Klemens Nanni wrote: > + [pP]*) > + while :; do > + ask_password 'Passphrase for the root disk?' > + [[ -n "$_password" ]] && break > + echo 'The passphrase must be set.' > + done > + PASSFILE=/tmp/i/passfile > + (umask 077 && print -r -- "$_password" >$PASSFILE) This is fairly distasteful, OpenBSD usually goes out of its way to even wipe sensitive things like this even from memory in a single process after use. If doing this, it might be better to only have this question for the autoinstall case (like how ask_root_sshd is done) and use the standard bioctl method for manual install. > bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null > + rm -f $PASSFILE rm -fP perhaps? But, do enough people really want autoinstall with FDE from a password fetched from a webserver to be worth doing this? It doesn't seem very sensible to me.