Refer to the installation guide.
Download OpenBSD and install it on an USB-Stick as described in the installation guide and boot the installer from the USB-Stick.
Welcome to the OpenBSD/ installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
Change the keyboard layout to make typing the follwing commands easier:
# kbd -l | less
Navigate with space, return, q through less.
# kbd de
The changes won't be persisted, but the installer will ask for the keyboard layout again.
Find out on which disk the OpenBSD will be installed
# dmesg | grep "^[sw]d"
...
sd0 at scsibus1 targ 0 lun 0: <...> ...
sd0: 476940MB, 512 bytes/sector, 976773168 sectors, thin
sd1 at scsibus2 targ 1 lun 0: <...> removable ...
sd1: 59040MB, 512 bytes/sector, 120913920 sectors
sd0 is the hard disk and sd1 is the USB-stick the initial system was booted from.
Create the device node sd0 to make the disk known to OpenBSD.
# cd /dev && sh MAKEDEV sd0
Prepare the encryption of the disk (sd0). Optionally overwrite all data on the disk whith random data. This will prevent getting information from free disk space usage. But this will take some time.
# dd if=/dev/urandom of=/dev/rsd0c bs=1m
Write the default MBR boot code to sd0
# fdisk -iy sd0
Writing MBR at offset 0.
Create the partition which will be encrypted. All available space will be used.
# disklabel -E sd0
Label editor (enter '?') for help at any prompt)
sd0> a
partition: [a]
offset: [64]
size: [976773104]
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes
Now the sd0a partition has been created. Build the encrypted softraid in the sd0a partition and enter the passphrase which will grant access to the partition. All other partitions will be created withing this partition sd0a later.
# bioctl -c C -l sd0a softraid0
New passphrase : <passphrase>
Re-type passphrase: <same passphrase>
sd2 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd2: 476939MB, 512 bytes/sector, 976772576 sectors
softraid0: CRYPTO volume attached as sd2
Enter a secure passphrase. If you lose the passphrase it's not possible to access this encrypted partition again.
Create the device node for the pseudo device sd2 to make it known to OpenBSD. The device sd2 isn't a real hardware device but the encrypted partition.
# cd /dev && sh MAKEDEV sd2
Clear the first megabyte of sd2 by writing zeros for storing the MBR data afterwards.
# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.040 secs (26068572 bytes/sec)
Exit the shell and start the installation of OpenBSD.
# exit
Welcome to the OpenBSD/ installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? i
Choose the correct keyboard layout which will be also used for the installed system:
Choose you keyboard layout ('?' or 'L' for list) [default] de
System hostname? (short form, e.g. 'foo') mynewopenbsd
Configure the network if it's available. This might be wired or wireless network. The network device names may differ as they are dependent on the hardware which is used:
Available network interfaces are: bge0 iwn0 vlan0.
Which network interface do you wish to configure? (or 'done') [bge0]
IPv4 address for bge0? (or 'autoconf' or 'none') [autoconf]
IPv6 address for bge0? (or 'autoconf' or 'none') [none] autoconf
Available network interfaces are: bge0 iwn0 vlan0.
Which network interface do you wish to configure? (or 'done') [done] iwn0
Access point? (ESSID, 'any', list# or '?') [any] SSID_NAME
Security protocol? (O)pen, (W)ep, WPA-(P)SK [O]
WPA passphrase? (will echo) <WPA_PASSWORD>
Symbolic (host) name for iwn0? [mynewopenbsd]
IPv4 address for iwn0? (or 'autoconf' or 'none') [autoconf]
IPv6 address for iwn0? (or 'autoconf' or 'none') [none] autoconf
Available network interfaces are: bge0 iwn0 vlan0.
Which network interface do you wish to configure? (or 'done') [done]
DNS domain name? (e.g. 'example.com') [my.domain] mydomain.local
Using DNS nameservers at 192.168.13.1 fd70:feed:beaf::1
Enter the new root password twice. Choose a secure password and don't loose it. It is the access to the root account of the machine!
Password for root account? (will not echo)
Password for root account? (again)
If you want to login from remote starting the Secure Shell Daemon is a good idea. Otherwise disable it. It can be enabled later, as well.
Start sshd(8) by default? [yes]
If you want a graphical user interface (mostly if it's not a server) enter yes. This can be changed later, as well.
Do you want the X Window System to be started by xenodm(1)? [no] yes
A normal user can be created now. This normally a good idea, so you don't have to login as root. Doing non-adminstrative task as root is always a bad idea as it weakens the security of the system. In this case the normal user will be created later when the installed system has been booted to have more detailed configuration options for the user account.
Setup a user? (enter a lower-case loginname, or 'no') [no]
The best choose is not to allow root to login from remote. The second best choose is by forbidding passwords and only using public-private-keys.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login (yes, no, prohobit-password) [no] prohibit-password
Now it's time to configure the partitions of the disk. The suggested partition scheme is sufficiant. But when you have enough space or any special needs the partitions can be enlarged. Only the root partition is necessary. But having only one partition isn't recommended for serveral reasons like mount options and fragmentation.
Available disks are: sd0 sd1 sd2
Which disk is the root disk? ('?' for details) [sd0] sd2
MBR has invalid signature: not showing it.
Use (W)hole disk or (E)dit the MBR? [whole]
Setting OpenBSD MBR partition to whole sd2...done.
The auto-allocated layout for sd2 is:
# size offset fstype [fsize bsize cpg]
a: 1.0G 64 4.2BSD 2048 16384 1 # /
b: 3.2G 2097216 swap
c: 465.8G 0 unused
d: 4.0G 8893248 4.2BSD 2048 16384 1 # /tmp
e: 10.0G 17281824 4.2BSD 2048 16384 1 # /var
f: 6.0G 38213888 4.2BSD 2048 16384 1 # /usr
g: 1.0G 50796800 4.2BSD 2048 16384 1 # /usr/X11R6
h: 20.0G 52893952 4.2BSD 2048 16384 1 # /usr/local
i: 3.0G 94836992 4.2BSD 2048 16384 1 # /usr/src
j: 6.0G 101128448 4.2BSD 2048 16384 1 # /usr/obj
k: 300.0G 113711360 4.2BSD 4096 32768 1 # /home
...
Available disks are: sd0 sd1.
Which disk do you wish to initialize? (or 'done') [done]
Everything is prepared to install the software. The location of the software sets and which sets should not be installed can be configured now. On a server games and the XServer might be skipped. The whole system with XServer and games will fill about 1Gb of disk space. For common cases, there's no need to deselect sets because of disk space.
Let's install the sets!
Location of sets? (cd0 disk http or 'done') [cd0] http
HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]
HTTP Server? (hostname, list#, ‘done’ or ‘?') [cdn.openbsd.org]
Server directory? [pub/OpenBSD/7.1/i386]
Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
[X] bsd [X] base71.tgz [X] game71.tgz [X] xfont71.tgz
[X] bsd.mp [X] comp71.tgz [X] xbase71.tgz [X] xserv71.tgz
[X] bsd.rd [X] man71.tgz [X] xshare71.tgz
Set name(s)? (or 'abort' or 'done') [done] -game*
[X] bsd [X] base71.tgz [ ] game71.tgz [X] xfont71.tgz
[X] bsd.mp [X] comp71.tgz [X] xbase71.tgz [X] xserv71.tgz
[X] bsd.rd [X] man71.tgz [X] xshare71.tgz
Set name(s)? (or 'abort' or 'done') [done]
Get/Verify SHA256.sig 100% |***********************| 1966 00:00
Signature Verified
Get/Verify bsd 100% |***********************| 14637 KB 00:04
...
Installing bsd 100% |***********************| 14637 KB 00:00
...
Location of sets? (cd0 disk http or 'done') [done]
Configure the correct time zone to have a proper system time.
What timezone are you in? ('?' for list) [Canada/Mountain] Europe/Berlin
Saving configuration files... done.
Making all device nodes... done.
fw_update: added intel.inteldrm.iwn: updated none; kept none
Multiprocessor machine: using bsd.mp instaed of bsd.
Relinking to create unique kernel... done.
CONGRATULATIONS! You OpenBSD install has been successfully completed!
When you login to you new system the first time, please read you mail
using the 'mail' command.
Exit to (S)hell, (H)alt or (R)eboot? [reboot]
Now the system has been installed. Time to reboot and start the installed system. Don't forget to remove the installation media!
syncing disks... done.
The boot of the system will ask for the passphrase to unlock the encrypted partition. Without the correct passphrase all the data on the disk aren't decryptable and of course inaccessable. When the correct passphrase has been entered the boot prompt will show up and after pressing return the OpenBSD will start for the first time.
Usingh drive 0, partition 3
Loading......
probing: pc0 mem[638K 3061M a20=on]
disk: hd0+ sr0*
>> OprnBSD/i386 BOOT 3.44
Passphrase:
boot>