From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Thu, 08 Feb 2024 10:06:50 -0700

Stuart Henderson <stu@spacehopper.org> wrote:

> On 2024/02/08 11:07, Klemens Nanni wrote:
> > +		[pP]*)
> > +			while :; do
> > +				ask_password 'Passphrase for the root disk?'
> > +				[[ -n "$_password" ]] && break
> > +				echo 'The passphrase must be set.'
> > +			done
> > +			PASSFILE=/tmp/i/passfile
> > +			(umask 077 && print -r -- "$_password" >$PASSFILE)
> 
> This is fairly distasteful, OpenBSD usually goes out of its way to
> even wipe sensitive things like this even from memory in a single
> process after use.

Does this matter?  It is /tmp on the bsd.rd