Table of Contents
Was this article helpful?

1  out of  1 found this helpful

Try Vultr Today with

$50 Free on Us!

Want to contribute?

You could earn up to $600 by adding new articles.

How to Use Full Disk Encryption on OpenBSD 7.0

Last Updated: Wed, Jan 19, 2022
BSD Security System Admin


When deploying a new server instance, one of the security best practices is to enable full disk encryption on the machine, adding a second layer of security to your data. This article explains how to set up an OpenBSD 7.0 server instance with full disk encryption at Vultr.


  • An active Vultr user account.

  • A modern web browser, such as Chrome or Firefox, that supports noVNC connections

1. Upload the OpenBSD Amd64 7.0 Image to Vultr

Because the OpenBSD amd64 7.0 image is not in the public Vultr ISO Library yet, you need to upload it to Vultr by yourself.

  1. Point your web browser to the official OpenBSD download page, and then find the download link to the OpenBSD amd64 7.0 image named install70.iso.

  2. Log in to the Vultr Control Panel in a new browser window, navigate to the ISOs tab, and click the Add ISO button.

  3. Copy the download link mentioned above, paste it into the text box on the page, and click the Upload button to start uploading.

  4. If nothing goes wrong, the MD5 value of the uploaded OpenBSD amd64 7.0 image should be a6a8091dceaa6a88972902b6616b38e8. Delete the image and upload it again if you find a different MD5 value.

2. Deploy a New Server Instance with the Newly Added OpenBSD Amd64 7.0 Image

Having the OpenBSD amd64 7.0 image in place, hover your mouse over the blue + icon on the upper right corner of the Vultr Control Panel page, and then click Deploy New Server to deploy a new server instance.

Among other settings, in the Server Type section, be sure to choose install70.iso from the My ISOs line within the Upload ISO tab.

After your machine gets up and running, collect its networking information from the Settings tab in the Server Details page for later use. The IP addresses listed below are for demonstration purposes only.

  • IPv4 address:

  • Netmask:

  • Gateway:

  • Nameserver: (Find it in the networking configuration page.)

3. Install OpenBSD Amd64 7.0 to Your Server Instance from the noVNC Console

Note: Some browser extensions, including but not limited to Vimium, could interfere with your input in the noVNC console window. Disable those extensions when using a noVNC console.

Setup Full Disk Encryption on the Server Instance

Click the View Console button on the upper right corner of the Server Details page to open a noVNC console window. Use this console window to access your server instance and begin the installation of OpenBSD amd64 7.0 with full disk encryption:

Welcome to the OpenBSD/amd64 7.0 installation program.

(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? sENTER

In the OpenBSD shell, use the following command to find any hard disks on your server instance:

# dmesg | grep "^[sw]d"ENTER

sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, >


As you see, sd0 stands for a single Small Computer System Interface (SCSI) hard disk on this machine, which is the most common configuration on Vultr.

To make the OpenBSD 7.0 system recognize that SCSI hard disk, create a device file with the same name sd0 in the system using the MAKEDEV script:

# cd /dev && sh MAKEDEV sd0ENTER

Optionally, overwrite the whole disk with random data to prevent unauthorized space usage deductions:

# dd if=/dev/urandom of=/dev/rsd0c bs=1mENTER

Use the fdisk command to write a default Master Boot Record (MBR) boot code to the sd0 disk:

# fdisk -iy sd0ENTER

Writing MBR at offset 0.

Create a partition layout on sd0 with the disklabel command, allocating all available disk space:

# disklabel -E sd0ENTER

Label editor (enter '?' for help at any prompt)

sd0> a aENTER

offset: [64] ENTER

size: [52420031] *ENTER


sd0*> wENTER

sd0> qENTER

Build an encrypted device named softraid0 with the sd0a partition:

# bioctl -c C -l sd0a softraid0ENTER

New passphrase: YourOwnPassphraseENTER

Re-type passphrase: YourOwnPassphraseENTER

sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>


softraid0: CRYPTO volume attached as sd1

Important: Don't lose the passphrase you input here, or you won't be able to access the data within the machine.

Create the required sd1 pseudo-device file:

# cd /dev && sh MAKEDEV sd1ENTER

Clear the first megabyte of sd1 for storing MBR data later:

# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1ENTER

Exit the OpenBSD shell and return to the welcome prompt:

# exitENTER

Install OpenBSD Amd64 7.0 in the Encrypted Partition

Start the installation:

Welcome to the OpenBSD/amd64 7.0 installation program.

(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? iENTER

Go through the installation program as follows to install OpenBSD amd64 7.0 with full disk encryption for production. Main points you should know during the installation:

  1. Replace all example networking configurations with your own.

  2. For security purposes, set strong passwords for the root user and the newly created user, and do not allow root to log in from SSH.

  3. The X Window System and games are unnecessary for building a production website. De-select those sets to save disk space.

  4. Be sure to input sd1 as the root disk.

  5. Because the matching SHA256 signature is not uploaded, input yes to continue the installation.

    Choose your keyboard layout ('?' or 'L' for list) [default] ENTER
    System hostname? (short form, e.g. 'foo') openbsdENTER
    Available network interfaces are vio0 vlan0.
    Which network interface do you wish to configure? (or 'done') [vio0] ENTER
    IPv4 address for vio0? (or 'autoconf' or 'none') [autoconf]
    Netmask for vio0? []
    IPv6 address for vio0? (or 'autoconf' or 'none') [none]ENTER
    Available network interfaces are: vio0 vlan0.
    Which network interface do you wish to configure? (or 'done') [done]ENTER
    Default Ipv4 route? (IPv4 address or none)
    add net default: gateway
    DNS domain name? (e.g. '') [my.domain] example.comENTER
    DNS nameservers? (IP address list or 'none') [none]
    Password for root account? (will not echo) YourOwnRootPasswordENTER
    Password for root account? (again) YourOwnRootPasswordENTER
    Start sshd(8) by default? [yes] ENTER
    Do you expect to run the X Window System? [yes] noENTER
    Setup a user? (enter a lower-case loginname, or 'no') [no] johndoeENTER
    Full name for user johndoe [johndoe] John DoeENTER
    Password for user johndoe? (will not echo) YourOwnUserPasswordENTER
    Password for user johndoe? (again) YourOwnUserPasswordENTER
    WARNING: root is targeted by password guessing attacks, pubkeys are safer.
    Allow root ssh login? (yes, no, prohibit-password) [no] ENTER
    What timezone are you in? ('?' for list) [US/Pacific] ENTER
    Available disks are: sd0 sd1.
    Which disk is the root disk? ('?' for details) [sd0] sd1ENTER
    No valid MBR or GPT.
    Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] ENTER
    Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] ENTER
    Available disks are sd0.
    Which disk do you wish to initialize? (or 'done') [done] ENTER
    Let's install the sets!
    Location of sets? (cd0 disk http nfs or 'done') [cd0] ENTER
    Pathname to the sets? (or 'done') [7.0/amd64] ENTER
    Select sets by entering a set name, a file name pattern or 'all'. De-select sets by
    prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
    Set name(s)? (or 'abort' or 'done') [done] -game* -x*ENTER
    Set name(s)? (or 'abort' or 'done') [done] ENTER
    Directory does not contain SHA256.sig. Continue without verification? [no] yesENTER
    Location of sets? (cd0 disk http nfs or 'done') [done] ENTER
    CONGRATULATIONS! Your OpenBSD install has been successfully completed!
    Exit to (S)hell, (H)alt or (R)eboot? [reboot] ENTER

Having OpenBSD 7.0 installed, you need to make the system boot from the hard disk other than the OpenBSD amd64 7.0 ISO image. To do so, Return to the Server Details page of your machine in the Vultr Control Panel, click the Remove ISO button in the Custom ISO column in the Settings tab.

4. Next Steps

  1. Open a new noVNC console window.

  2. Input the passphrase you set up earlier to start the fully encrypted system.

  3. Log in as root from the same noVNC console window.

  4. Grant doas permissions to the newly created johndoe user:

    # user mod -G wheel johndoeENTER
    # echo "permit persist :wheel" >> /etc/doas.confENTER
  5. Patch and then reboot the system:

    # syspatchENTER
    # shutdown -r nowENTER

    After the system gets up and running again, input your passphrase to start the system.

  6. On your desktop machine, create a public/private RSA key pair and then upload the public key to your OpenBSD server instance:

    $ ssh-keygen -t rsa -b 4096 -f ~/.ssh/johndoe.openbsd.key -C "John Doe on OpenBSD"ENTER
    $ ssh-copy-id -i ~/.ssh/ johndoe@
  7. Login in to your OpenBSD as johndoe from an SSH console, and then disable password authentication as follows:

    $ ssh johndoe@
    $ doas sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_configENTER
    $ doas /etc/rc.d/sshd restartENTER
  8. From now on, log in from SSH with your private key:

    $ ssh -i ~/.ssh/johndoe.openbsd.key johndoe@

More Information

Learn more about OpenBSD by visiting the following pages:

Want to contribute?

You could earn up to $600 by adding new articles.