From: Andrew Hewus Fresh
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Sat, 10 Feb 2024 14:40:33 -0800

On Sat, Feb 10, 2024 at 05:37:14PM +0000, Klemens Nanni wrote:
> On Thu, Feb 08, 2024 at 01:29:46PM +0000, Stuart Henderson wrote:
> > On 2024/02/08 11:07, Klemens Nanni wrote:
> > > bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
> > > + rm -f $PASSFILE
> >
> > rm -fP perhaps?
> >
> > But, do enough people really want autoinstall with FDE from a password
> > fetched from a webserver to be worth doing this? It doesn't seem very
> > sensible to me.
>
> Unless I hear objections, I'll go ahead with my first diff (OK afresh1)
> plus your -P suggestion.

I like -P, forgot it existed.

I do rather dislike the plaintext password fetched from a webserver, but
at least after auto-install on a secure network folks can change the
passphrase, while there is no way (AFAIK) to add FDE with passphrase
later.

It _is_ technically possible to use a coprocess instead of a temporary
file, but not entirely sure the added complexity is worth it.

    set -o monitor
    doas bioctl -c C -s -l /dev/${VND}a softraid0 |&
    print -p -- test123
    fg
    set +o monitor
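
Review bot: in the quoted hunk, the added line rm -f $PASSFILE expands PASSFILE unquoted, so an empty value makes rm a silent no-op and a value containing whitespace makes it act on the wrong names; quoting it, as in rm -f "$PASSFILE" (plus the -P suggested in the thread), avoids both. The removal is also placed only after the bioctl call, and the lines shown do not say whether the file is cleaned up if the script stops before reaching it, so it is worth confirming that the failure path removes the passphrase file too.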