NetBSD Installation with Disk Encryption guides a manual, UEFI-ready setup

April 14, 2026

What the guide covers

A detailed HOWTO has been published showing how to install NetBSD with a manually configured, encrypted disk layout instead of relying on the installer’s menus. It has been reported that sysinst — the menu-driven installer launched at boot — does not provide the option to set up the multi-wedge, partially encrypted layout the author wants, so the install switches to the console early on and proceeds by hand. The write-up walks through acquiring the NetBSD 11.0_RC3 amd64 image, verifying SHA512 checksums, writing the image to USB, and booting the live installer.
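As an added illustration of the checksum step (not code from the HOWTO), this sketch refuses to accept an image unless its SHA512 matches the entry for that exact file name in a checksum list. The BSD-style `SHA512 (name) = hex` list format, the function names and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: fail-closed SHA512 check of an install image against a
# BSD-style checksum list ("SHA512 (name) = hex"). Names are hypothetical.

# Print the hex SHA512 of a file using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha512 "$1" | awk '{print $NF}'
    else
        cksum -a sha512 "$1" | awk '{print $NF}'   # NetBSD cksum(1)
    fi
}

# Look up the expected digest for one image name in the checksum list.
# Prints nothing if the name is absent or its digest is malformed.
expected_sha512() {  # $1 = checksum list, $2 = image file name
    awk -v name="$2" '
        $1 == "SHA512" && $2 == "(" name ")" && $3 == "=" &&
        $4 ~ /^[0-9a-fA-F]+$/ && length($4) == 128 { print tolower($4); exit }
    ' "$1"
}

# Return 0 only if the image matches its entry; non-zero on any doubt.
verify_image() {  # $1 = image path, $2 = checksum list
    want=$(expected_sha512 "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no valid SHA512 entry for $1" >&2; return 2; }
    have=$(sha512_of "$1" | tr 'A-F' 'a-f')
    [ "$have" = "$want" ] || { echo "SHA512 mismatch for $1" >&2; return 1; }
    echo "SHA512 OK: $1"
}

# Usage (placeholders): verify_image <image-file> <checksum-list> && <write step>
```

Chaining the write to USB behind `verify_image ... &&` means a missing list entry or a mismatched digest stops the procedure before anything touches the target device.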

The meat of the guide is the partition and encryption scheme: a small EFI System Partition (ESP); a minimal unencrypted root that prompts for a passphrase at boot; an encrypted wedge (syscgd) holding /var, /usr and /home; and swap that is auto-encrypted at boot using a random key. The author documents the low-level steps — wiping and partitioning the disk, creating the encrypted device, setting disklabels, formatting and mounting wedges, chrooting into the new system and finishing system configuration. Examples and warnings (dd will obliterate the target device!) are included.

Why it matters

Why go through the extra work? Because home-directory encryption alone can leave traces: logs, swap, and other system areas can leak passphrases and sensitive data if not protected. The guide frames the trade-off clearly — more coverage means more complexity at install and slightly more friction at boot — and is aimed at users comfortable with the console who want stronger protection than a point-and-click install provides. For anyone who likes tinkering or who treats lost laptops as a real threat, this is the sort of belt-and-suspenders approach you’ll appreciate.

The full HOWTO — complete with step-by-step commands and assumptions (amd64 UEFI target, secure boot disabled, wired network during install) — is available from the author’s site and was discussed on Lobsters. Not for the faint of heart, but helpful for people who take their local disk security seriously.

Sources: dwarmstrong.org, Lobsters