
OpenBSD Installation Guide: Step by Step for Beginners


Your road map to a rock‑solid, secure Unix‑like operating system

Disclaimer: The procedures described in this article are provided as‑is for educational purposes only. While OpenBSD is renowned for its security‑focused design, there is no guarantee that any system you install will be completely invulnerable. Always keep your system patched, back up critical data, and consult the official OpenBSD documentation or a qualified professional before deploying OpenBSD in production environments.

 

Table of Contents

  1. Why OpenBSD?
  2. Before You Begin – Prerequisites
  3. Downloading the Correct Image
  4. Verifying the ISO – Trust, But Verify
  5. Preparing Boot Media (USB / CD‑ROM)
  6. BIOS vs. UEFI – What Your Firmware Wants
  7. Booting the Installer
  8. Partitioning the Disk – The “fdisk” and “sd” Way
  9. Selecting Sets & Installing Base System
  10. Configuring the Network
  11. Creating Users & Setting Passwords
  12. Configuring the Boot Loader
  13. First‑Boot & Post‑Installation Tweaks
  14. Common Pitfalls & Troubleshooting
  15. Next Steps – Harden, Update, and Explore
  16. Wrap‑Up

 

  1. Why OpenBSD?

OpenBSD isn’t just another Unix‑like OS; it’s a secure operating system built from the ground up with code correctness, proactive security measures, and a minimalist philosophy. If you are a newcomer looking for a platform that values:

  • Simplicity – a clean base system without unnecessary bloat.
  • Security – default enablement of W^X, address‑space layout randomization (ASLR), and the famed secure by default kernel.
  • Transparency – every line of code is openly available for audit, and security advisories are published on a regular schedule.

…then OpenBSD is worth a serious look.

Quick fact: As of the latest release (7.4), OpenBSD ships over 3000 security fixes per year, many of them applied before any vulnerability is disclosed publicly.

 

  2. Before You Begin – Prerequisites

Item | Why It Matters | Recommended Choice
A machine (physical or virtual) | OpenBSD runs on almost any x86‑64 hardware; virtualization makes testing painless. | 2‑core CPU, 4 GB RAM, 20 GB SSD (minimum).
Network connection | Needed to download the release, verify signatures, and later grab security updates. | Wired Ethernet is simplest; Wi‑Fi is supported but may require extra configuration.
USB stick (≥2 GB) or blank CD‑ROM | For the installer media. | 8 GB USB (most modern BIOS/UEFI support this).
A working backup | Installation erases disks. | Clone the drive with dd or use a dedicated backup tool.
Patience & a cup of coffee | The installer is text‑based and deliberately straightforward; there’s no “click‑through”. | ☕️

 

  3. Downloading the Correct Image

OpenBSD provides two primary installation images per release:

  1. installXX.iso – a bootable ISO that can be written to CD‑ROM or USB.
  2. memstickXX.img – a raw disk image specifically tailored for USB sticks.

XX corresponds to the release number (e.g., 71 for 7.1, 74 for 7.4). For beginners, the memstick format is often the easiest route because the resulting USB will be bootable on both BIOS and UEFI systems without extra steps.

Tip: Hover over “amd64” on the download page to ensure you get the correct architecture for modern 64‑bit PCs.

Download locations (as of OpenBSD 7.4):

  • Primary mirrors – https://cdn.openbsd.org/pub/OpenBSD/7.4/amd64/
  • Regional mirrors – e.g., https://mirrors.tuna.tsinghua.edu.cn/openbsd/7.4/amd64/ (Asia) or https://mirrorservice.org/sites/ftp.openbsd.org/pub/OpenBSD/7.4/amd64/ (global).

When you fetch the file, keep the accompanying SHA256 checksum and signatures files in the same directory; they will be essential for verification.

 

  4. Verifying the ISO – Trust, But Verify

OpenBSD’s security ethos starts before you ever boot the installer. Verify the integrity and authenticity of the image using the provided SHA256 hash and the OpenBSD signing key.

4.1. Import the OpenBSD Release Signing Key

# Create a temporary GPG home

export GNUPGHOME=$(mktemp -d)

 

# Fetch the public key (as of 7.4, key ID: 0x85BB22922581A4D0)

gpg --keyserver hkps://keys.openpgp.org --recv-keys 85BB22922581A4D0

If you prefer you can also download the ASCII‑armored key directly from https://ftp.openbsd.org/pub/OpenBSD/7.4/amd64/sha256. The key is signed by the OpenBSD project’s official OpenPGP key.

4.2. Verify the Checksum File

# Verify the signature on the checksum file

gpg --verify SHA256.sig SHA256

You should see “Good signature from OpenBSD Release Engineering”.

4.3. Compute and Compare the Hash

# Compute SHA256 of the downloaded image

sha256 install74.memstick64.img

 

# Compare the output with the line in SHA256 that corresponds to your file.

If the hashes match, you can proceed with confidence. If they differ, redownload the image—a corrupted or tampered file could compromise the entire installation.
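
The comparison in step 4.3 can be scripted so that a mismatch, a missing entry, or a duplicated entry all stop the process. The following is an added example, not part of the original guide or of the OpenBSD project; it assumes the checksum file uses BSD-style lines of the form SHA256 (name) = hash, and the function names are hypothetical. It only proves the image matches the checksum file, so run it after the signature check in 4.2.

```shell
#!/bin/sh
# Added example: check an image against its entry in a BSD-style SHA256 file.
# Function names are hypothetical.

# Print the hex SHA-256 of file $1 with whichever tool is installed.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # OpenBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'       # Linux
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS
    fi
}

# Print the hash recorded for file name $2 in checksum file $1.
# Entries look like: SHA256 (name) = <64 hex digits>
# Fails unless exactly one entry matches, so a duplicated line is rejected.
expected_sha256() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == "(" name ")" && $3 == "=" { print $4; n++ }
        END { exit (n == 1) ? 0 : 1 }
    ' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the comparison could not be made.
verify_image() {
    sums=$1
    image=$2
    name=$(basename "$image")
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }
    want=$(expected_sha256 "$sums" "$name") || {
        echo "no unique entry for $name in $sums" >&2; return 2; }
    case $want in
        *[!0-9a-fA-F]*) echo "malformed hash for $name" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "malformed hash for $name" >&2; return 2; }
    got=$(file_sha256 "$image") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, computed $got)" >&2
    return 1
}

# Usage: sh verify.sh SHA256 install74.memstick64.img
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A non-zero exit status means the image must not be written to boot media.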

 

  5. Preparing Boot Media (USB / CD‑ROM)

5.1. Using dd (Linux/macOS/*BSD)

# Replace /dev/sdX with the actual device (e.g., /dev/sdb).  Be EXTREMELY careful.

sudo dd if=install74.memstick64.img of=/dev/sdX bs=1M conv=sync status=progress

sync   # Guarantees all buffers are flushed

5.2. Using Etcher (Cross‑platform GUI)

  1. Download Balena Etcher (https://www.balena.io/etcher/).
  2. Select the image, pick the USB device, and click Flash.

Etcher automatically verifies the write operation, which is handy for newcomers not comfortable with dd.

5.3. Confirm Bootability

Run lsblk -f (Linux) or diskutil list (macOS) to confirm the USB shows a FAT32 partition labeled OpenBSD and that the size matches the image (≈ 5 GB for a full memstick).

 

  6. BIOS vs. UEFI – What Your Firmware Wants

OpenBSD supports both legacy BIOS and modern UEFI firmware out of the box.

Firmware | How to Select in BIOS/UEFI | What the Installer Does
Legacy BIOS | Look for “Boot Mode”, “CSM”, or “Legacy” toggle. Choose Legacy if you have an older board. | Installer boots via the classic boot loader from the MBR.
UEFI | Disable Secure Boot (OpenBSD does not ship a signed shim). Choose UEFI or UEFI only. | Installer loads boot.efi from the FAT32 ESP. OpenBSD creates its own ESP during installation.

Pro tip: On UEFI systems, after installation the OpenBSD boot loader will be registered under the name OpenBSD in the firmware’s boot manager. If you have multiple OSes, you may need to adjust the boot order with efibootmgr (Linux) or the firmware UI.

 

  7. Booting the Installer

Insert the prepared USB stick, power on (or reboot) the machine, and press the appropriate key (F12, Esc, Del, etc.) to open the boot menu. Select the USB entry.

You should see a plain text screen flashing “OpenBSD 7.4 (memstick)”. No graphical interface—just a plain console. This is intentional: fewer components means fewer attack surfaces.

OpenBSD 7.4 (memstick) #0

 

boot> ?

The default prompt is already the installer. Press Enter to launch it.

 

  8. Partitioning the Disk – The “fdisk” and “sd” Way

OpenBSD uses the disklabel scheme (named sd by default). The installer offers three primary partitioning models:

Model | Description | When to Use
Auto (default) | The installer automatically creates a disklabel with a single a (root) slice and a b (swap) slice. | Most users; quick and clean.
Manual (fdisk + sd) | You hand‑craft the partition table, ideal when sharing a disk with other OSes. | Dual‑boot scenarios, custom RAID, or ZFS setups.
BIOS/UEFI boot partitions | On UEFI, the installer will create an EFI System Partition (ESP) automatically. | Required for UEFI boot.

8.1. Step‑by‑Step (Automatic)

  1. Select the target disk – Usually sd0.
  2. Confirm wiping – The installer warns that all data will be destroyed. Type y.
  3. Choose the layout – Accept the default (“automatic layout of a + 1G swap”).
  4. Pick file system type – ffs (Fast File System) is the default; you may also select ffs2 for better scalability.

If you want a separate /home or /var, repeat the fdisk step later and create additional slices (c, d, …).

8.2. Manual Partition Example (Dual‑Boot with Linux)

# fdisk -i /dev/sd0   (creates a GPT for UEFI)

# fdisk -e /dev/sd0   (enter interactive mode)

 

Command? p          # prints current partitions

Command? a          # add a new partition

Partition number? 1

First sector? 2048

Last sector? +512M

Partition type? ef00   # EFI System Partition

 

Command? a

Partition number? 2

First sector? +512M

Last sector? +2G

Partition type? 8300   # Linux root – we’ll leave it untouched

 

Command? a

Partition number? 3

First sector? +2.5G

Last sector? +4G

Partition type? 8300   # Space for OpenBSD

 

Command? w          # write changes

After that, run the OpenBSD installer which will see the GPT and ask if you want to create a disklabel on slice 3. Accept, and continue as usual.

 

  9. Selecting Sets & Installing Base System

OpenBSD is distributed as a collection of sets (compressed tar archives) that contain the kernel, base utilities, documentation, etc. The installer presents a checklist:

Set | Content | Recommended
base74.tgz | Core system (kernel, /bin, /sbin, etc.) | Mandatory
comp74.tgz | Compilers (gcc, clang, make) | Optional, but handy if you plan to build software locally
man74.tgz | Manual pages | Strongly recommended
games74.tgz | Classic games (wargames, adventure) | Optional (fun!)
xbase74.tgz / xfont74.tgz / xserv74.tgz | X Window System components | Only if you need a graphical environment
etc74.tgz | Default configuration files (including rc.conf.local) | Recommended

Steps

  1. Select all the sets you need (use space‑bar to toggle).
  2. Choose the installation destination – the a slice you created earlier.
  3. Watch the extraction – OpenBSD optimizes for sequential writes, so the process is usually less than five minutes on an SSD.

After extraction, the installer will ask whether to run sysmerge to merge any existing configuration files. Since you have a fresh install, answer n.

 

  10. Configuring the Network

OpenBSD uses rc.d scripts for service management. Network configuration lives primarily in /etc/hostname.if files, where if is the interface name (e.g., em0, re0, wlan0).

10.1. DHCP (Most Common)

If your network provides DHCP:

# cat > /etc/hostname.em0 <<EOF

dhcp

EOF

The installer will prompt you for this automatically; simply select “DHCP” when asked.

10.2. Static IP

For a static setup, replace the contents with:

# /etc/hostname.em0

inet 192.168.1.10 255.255.255.0 NONE

Optionally add the default gateway in /etc/mygate:

# cat > /etc/mygate <<EOF

192.168.1.1

EOF

10.3. DNS

Edit /etc/resolv.conf:

nameserver 1.1.1.1

nameserver 8.8.8.8

After the install, you can test connectivity with:

$ ping -c 3 openbsd.org

If you see replies, the network is ready.

 

  11. Creating Users & Setting Passwords

OpenBSD’s root account is enabled by default but you’re encouraged to create a regular user for day‑to‑day work.

During the install, you will be prompted:

Enter the password for the root account:

Enter again:

Choose a strong passphrase (minimum 8 characters, mix of letters, numbers, symbols).

After the installer reboots, log in as root and run:

# adduser

Login name: alice

Full name: Alice Example

Uid [1000]: (press Enter)

Login class [default]: (press Enter)

Home directory [/home/alice]: (press Enter)

Shell [/bin/ksh]: (press Enter)

Do you wish to specify an existing UID? No

Is the information correct? Yes

Password:

Password again:

OpenBSD stores passwords hashed with bcrypt ($2b$ identifier) by default – a very strong choice.

To grant alice sudo‑like privileges, add her to the wheel group:

# usermod -G wheel alice

Now alice can run privileged commands with doas:

$ doas pkg_add vim

(The internal doas utility is the preferred alternative to sudo on OpenBSD.)

 

  12. Configuring the Boot Loader

On BIOS systems, OpenBSD installs the boot loader into the MBR. On UEFI, the installer creates an EFI System Partition (ESP) and places bootx64.efi (renamed to OpenBSD.efi) there.

12.1. BIOS – boot.conf

If you need custom kernel arguments (e.g., to enable early console debugging), edit /etc/boot.conf:

# Example: boot with verbose output and set a custom console speed

boot -c "v=YES console=COM0,115200"

12.2. UEFI – loader.conf

For UEFI, the equivalent file is /etc/rc.conf.local (or you can keep a loader.conf on the ESP). Example to enable ZFS early boot:

# /etc/rc.conf.local

zfs_enable="YES"

Reboot and confirm the system boots without manual intervention. If you have multiple OSes, you may want to install rEFInd as a universal manager; however, OpenBSD’s own loader works perfectly for most single‑boot setups.

 

  13. First‑Boot & Post‑Installation Tweaks

Congratulations, you’re now at a command prompt on a fresh OpenBSD machine! Below are the must‑do tasks before you start daily work.

13.1. Update the Package Repository

OpenBSD ships a snapshot of the package set that matches the release, but security updates are released throughout the month. First, fetch the latest pkg_add index:

# syspatch        # Apply any kernel patches (if available)

# pkg_add -U      # Upgrade the package manager itself

# pkg_add -v -u   # Upgrade all installed packages

Note: The built‑in syspatch utility applies binary patches to the running kernel, preserving your config while fixing known vulnerabilities.

13.2. Harden the SSH Daemon

OpenSSH comes preinstalled and is already quite secure, but a few tweaks tighten it further:

# vi /etc/ssh/sshd_config

PasswordAuthentication no       # Disable password logins

PermitRootLogin no              # Disallow root over SSH

X11Forwarding no                # Unless you need it

AllowGroups wheel               # Only members of wheel can SSH

Reload the daemon:

# rcctl restart sshd
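
Editing sshd_config by appending lines can silently fail, because sshd keeps the first value it reads for each keyword and treats settings inside a Match block as conditional. The following added example (not from the original guide; function names are hypothetical, and it assumes whitespace-separated keyword/value lines) reports the effective global value of the four directives listed above.

```shell
#!/bin/sh
# Added example: audit the four sshd_config settings from section 13.2.
# Function names are hypothetical.

# Print the effective global value of keyword $2 in config file $1.
# Keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block because its settings are conditional.
# Returns 1 if the keyword is not set globally.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); rc = 1 }
        { sub(/^#.*/, ""); sub(/[ \t]#.*/, "") }    # drop comments
        tolower($1) == "match" { exit }
        tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); print; rc = 0; exit
        }
        END { exit rc }
    ' "$1"
}

# Print one line per directive; return 1 if any differs from the guide.
audit_sshd() {
    conf=$1
    fail=0
    while read -r key want; do
        got=$(sshd_effective "$conf" "$key") || got="(not set globally)"
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', effective '$got'"
            fail=1
        fi
    done <<EOF
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
AllowGroups wheel
EOF
    return $fail
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd "$1"
fi
```

On the installed system, sshd -t checks the file for syntax errors before the restart, and sshd -T prints the configuration sshd actually resolved.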

13.3. Enable the PF Firewall

OpenBSD’s PF (Packet Filter) is a powerful stateful firewall. A minimal but solid configuration lives in /etc/pf.conf.

# /etc/pf.conf

set skip on lo

block in all

block out all

pass out on egress inet proto udp to any port {53,123}

pass out on egress inet proto tcp to any port {80,443}

pass in on egress inet from any to (egress) port ssh

Enable PF at boot:

# rcctl enable pf

# rcctl start pf

You can view live state with pfctl -s state.

13.4. Install a Text Editor

Many users start with vi (already present), but vim or nano may feel more comfortable.

# pkg_add vim

# pkg_add nano

13.5. Set System Time (NTP)

OpenBSD ships with ntpd. Enable it:

# rcctl enable ntpd

# rcctl start ntpd

Verify synchronization:

# ntpctl -s status

 

  14. Common Pitfalls & Troubleshooting

Symptom | Likely Cause | Quick Fix
No video output after reboot | Boot loader not pointing to the right partition (esp. on UEFI) | Re‑enter firmware and set the OpenBSD boot entry as the first option.
Keyboard not detected in installer | USB keyboards may require legacy USB mode in BIOS | Switch BIOS to Legacy USB support or use a PS/2 keyboard.
doas says “permission denied” | User not in wheel group | usermod -G wheel <user> and re‑login.
Network stays silent | Incorrect /etc/hostname.if syntax | Verify file ends with a newline, no stray spaces, and that the interface name matches ifconfig -a.
Package installation hangs | DNS not set or firewall blocking outbound traffic | Check /etc/resolv.conf, ensure PF rules allow outbound HTTP/HTTPS.
Filesystem full after a few installs | Default root partition too small (often 4 GB on small USB installs) | Re‑install with a larger a slice or add additional slices (b, c, …) for /var and /home.

When you hit a wall, the OpenBSD FAQ (man faq) and the mailing lists (openbsd-help@openbsd.org) are excellent places to search. Providing the exact error message and a snippet of your config files dramatically speeds up community assistance.

 

  15. Next Steps – Harden, Update, and Explore

You now have a functional OpenBSD installation. Below are pathways to turn it from “just-installed” to a production‑ready platform.

  1. Run syspatch regularly – The binary patch system ensures your kernel stays patched without a full reinstall.
  2. Set up auditd (OpenBSD’s audit framework) if you need detailed logging for compliance.
  3. Deploy pkgsrc – OpenBSD’s source‑based package manager lets you compile a massive range of software from source, allowing fine‑grained control over options and compiler flags.

     # cd /usr/pkgsrc
     # ./bootstrap
     # cd editors/vim && make install

  4. Consider a minimal X environment (if you need a GUI). Install xorg, xwindow, and a lightweight window manager such as dwm or fluxbox.
  5. Create encrypted home directories using geli or pflog for added privacy.
  6. Back up with dump or rsync – OpenBSD’s native tools (dump, restore) integrate cleanly with the built‑in cron daemon (crontab -e).

 

  16. Wrap‑Up

OpenBSD’s reputation isn’t built on flashy graphics or endless GUI wizards. It’s built on a culture of correctness, transparency, and simplicity that shines through every line of its installer. By following this step‑by‑step guide you have:

  • Downloaded and verified an authentic OpenBSD image.
  • Created boot‑ready media that works on both BIOS and UEFI platforms.
  • Partitioned the disk using OpenBSD’s disklabel system.
  • Installed the base system and optional sets.
  • Configured networking, users, the boot loader, and a basic firewall.
  • Applied the first security updates and laid a foundation for hardening.

From here, the sky’s the limit. Whether you’re building a firewall, a web server, a mail relay, or a personal development workstation, OpenBSD gives you a secure, stable base that you can trust.

Happy hacking – the secure way!

 
