OpenBSD Journal

Passphrase timeout for disk decryption at boot added (potential battery lifesaver)

Contributed by Peter N. M. Hansteen on from the bag heater no more dept.

Have you had your laptop accidentally un-hibernate while you weren't looking, leaving you with a totally drained battery?

Now OpenBSD-current has a fix for that, thanks to this commit by Klemens Nanni (kn@). The commit message reads:

List:       openbsd-cvs
Subject:    CVS: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2024-04-25 18:31:49

Module name:	src
Changes by:	2024/04/25 12:31:49

Modified files:
	sys/lib/libsa  : softraid.c 
	sys/arch/amd64/stand/boot: boot.8 
	sys/arch/amd64/stand/efiboot: Makefile.common cmd_i386.c conf.c 
	                              efiboot.c efiboot.h 

Log message:
Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts
Enable users to power down their machines if there was no input after N
seconds during disk decryption.

Motivation is to save battery and prevent pocket heaters when notebooks
unhibernate (e.g. lid accidentally opened) and sit at "Passphrase: ".

Only available on efi(4) systems as the timeout is saved as EFI variable;
mostly because that's trivial to do, but also because we lack a better
mechanism to configure that and persist such data without the root disk.

Discussed with many, starting at h2k23
OK Tests gnezdo

It is worth noting that this feature is only available on EFI systems, and only matters for systems with disk encryption (as one would have these days), since the timeout is stored in an EFI variable rather than in a file on the not-yet-decrypted root disk.
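As an added illustration (not part of the original article or of the commit), this is the boot.conf(8) line that would enable the new behaviour; the value of 120 seconds is an assumed example, not a figure the commit specifies:

```conf
mach idle 120
```

The same command can also be entered by hand at the boot> prompt. Because the boot loader persists the timeout in an EFI variable when the command runs, and /etc/boot.conf on an encrypted root can only be read after the passphrase has already been entered, the setting takes effect from the following boot onwards.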

Thanks to Bryan Steele (brynet@) for the heads up via the fediverse.


  1. By Anonymous Coward (2003:d2:5737:c500:39d9:789a:a382:47ba) on


    I've had weird powerups on my early 2015 MBP running OpenBSD. I do shut it down nightly with this:

    (btw having this program in xenodm login startup is awesome!)

    So anyhow, whenever I shut this laptop down I have to remove the power cord since it will power up magically by itself and chime at any hour of the night. Unplugging the cord seems to prevent that.

    This addition is great too! BTW, I had OpenBSD running on a windows host in QEMU (still do actually, however I had to rebuild it) and what I found out is the following. With an encrypted partition the boot process from bootloader to kernel is really really slow. A load would take on the account of 20 min sometimes. I came to the conclusion that there must have been some overlapping sectors on the NTFS and the crypto partition and that caused horrendous slowdowns. What I do now is I have put the drive for OpenBSD on a Bitlocker partition and it is encrypted by NTFS. There is no crypto inside OpenBSD right now. Bootup resumed to be fast. While I'm on this subject.. have you heard of the passphrase for bitlocker partitions changing case? as in PASSword changing to password? Because that happened to me, and I'm baffled but feel lucky that I figured out the lower case password.

    Keep up the good work!


    1. By Anonymous Coward (2003:d2:5737:c500:6147:1324:a5:aacb) on

      Turns out the battery has 1 Ah out of 65 Ah left on it. It's as good as dead. I knew this day would happen eventually. It's 9 years old and was falling apart/bulging etc etc. I think I'm going to purchase a new (non-intel/amd) laptop this year, until then I'll use the craptops (acer 1's) that I have still. :-) or should it be :-(


  2. By Sebastian Rother (2001:9e8:fab:5300:7da1:64f5:b492:2eb) on

    Either you Guys add a CAVEAT-Section or you patch the disk-Decryptor:

    You can NOT USE NON-US-Chars in a Password since the DECRYPTOR will not switch your Keyboardlayout so you simply can not enter a "ö" even though you can use it during the INSTALLATION (where you can set the Keyboard Layout!). This renders your Installation COMPLETELY USELESS and you have to reinstall and use US-ASCII-only Passwords (which allows faster Bruteforcing, limited Keyspace).

    If you do use a SERIAL CONSOLE you can NOT DECRYPT your Installation since switching the CONSOLE to SERIAL happens AFTER you DECRYPTED the Installation (which is a BUG). So Encryption is COMPLETELY USELESS for embedded Devices (which still can contain sensitive Data!)

    2 things for which NOBODY cares....

    1. By Anonymous Coward ( on

      Why are you so angry? When I get angry like that I threaten to fork the project however...then sanity kicks in and I realise this is a lot of effing work, it would kill me literally.

      Also I see a complete make-over of your mood. Almost like there are two of you. Duality at its finest Dr. Hyde?

    2. By Peter N. M. Hansteen (pitrh) on

      It is possible that a warning in a man page or FAQ that the boot loader does not use or know about any console configuration (stored in files on a yet to be mounted file system) could be useful.

      Then again I can see any such carefully phrased patch not making it in since it really would only state the already obvious.

      That said, if you think this issue is important enough, I would encourage you to put in the work.

      1. By Sebastian Rother ( on

        Theo, and Core-Devs, do reject my Reports since I found an OffByOne in PF and I was not credited since I reported it in a Beta and Theo said "PF was not enabled by Default", yet the RELEASE enabled it. Back in the Times Henning committed...

        What I Report is serious. Do you Trust Guys doing Crypto which do fail at the Installer-Level and Render your Devices useless so you can not deploy them? Seriously?! This proves a Lack of understanding in the Fundamental BASICS of doing such Things. Or to be openly: Incompetence... or why would you Limit the Keyspace actively?

        What I claim is true. Issues in several Places. OpenBSD would benefit if they stop adding Bullshit and enforce the Devs to fix Bugs. iSCSI anyone? WLAN with iwn? Get owned using NTFS.. in Kernel! NFS is broken.. also in the Kernel...

        And I alone, caring for my Family currently, should fix all the Obvious SHIT? What does the Foundation do? Why did OpenBSD lose Devs Like Henning and others? Even if they did not like me, they were competent..

        It's Like reporting to stsp! Either he ignores it or he focuses on INTEL where the Bugs relay in the Stack...

        Theo Personally IGNORES Bug reports from me, No Matter about the Sec-Level..

        Never forget WHO donated a SCSI-Raid-Adapter as some Mainserver needed urgently a Replacement... some Devs Put it Up Back then from my pers. Address...

        But the Human Memory IS Like Openbsd-FS-Implementations, BE IT NFS, USB... it's faulty.

        1. By Anonymous Coward ( on

          Sorry for the Typos, First ever Post via a Mobile phone

        2. By anon (anonymouse) on

          > What does the Foundation do?

          The foundation's activities are limited. They raise and distribute funds to support project infrastructure and hackathons, and occasionally hardware for developers (replacing dead laptops, etc, for developers who can't do that themselves).


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]