
OpenBSD Engineer's Handbook

This book is 100% complete. Last updated on 2026-05-25.

Some operating systems ask you to trust them. OpenBSD earns it.

I've spent my career in the trenches of information security — hardening systems, closing attack surfaces, and building infrastructure that doesn't apologize for being locked down. OpenBSD didn't just become my tool of choice. It became my standard.

The OpenBSD Engineer's Handbook is what I wish someone had handed me years ago: a no-nonsense, engineer-first guide to one of the most secure and thoughtfully designed operating systems on the planet. Not a quick-start. Not a wiki dump. A real handbook — the kind you reach for when things get serious.

Inside, you'll find everything from pf firewall design and privilege separation to production-grade networking, secure development workflows, and the operational discipline that separates good systems from bulletproof ones.

If you're done with security theater and ready to build something that actually holds — this is your book.

Minimum price: $90.00 (list price $120). Also available for 3 book credits with a Reader Membership.

Formats: PDF, EPUB

About the Book

OpenBSD Engineer's Handbook is a definitive field guide for architects and engineers who demand security, correctness, and reliability from their systems. Whether you're deploying firewalls, hardening servers, building network infrastructure, or developing software on one of the most security-conscious operating systems ever created, this handbook gives you the deep, practical knowledge to do it right.

OpenBSD has long been the operating system of choice for security professionals, network engineers, and systems architects who refuse to compromise. This book meets that standard — going beyond surface-level tutorials to explore the internals, idioms, and engineering philosophy that make OpenBSD uniquely powerful. From the packet filter (pf) and privilege separation to the base system toolchain and secure coding practices, every chapter is built around real-world engineering problems and battle-tested solutions.

Inside, you'll find:

  • A thorough grounding in OpenBSD's architecture, design principles, and security model
  • Hands-on guidance for installation, configuration, and system administration
  • Fleets and fleet management
  • In-depth coverage of pf, OpenSSH, relayd, and other flagship tools
  • Networking and firewall design patterns for production environments
  • Development workflows, ports, and packaging for engineers building on OpenBSD
  • Performance tuning, monitoring, and operational best practices

Written for engineers by engineers and architects, this handbook respects your time and your intelligence. It doesn't hold your hand — it equips you. Whether you're new to OpenBSD or a seasoned practitioner looking for a trusted reference, the OpenBSD Engineer's Handbook belongs on your desk!


About the Author

Raj Andrews

I've spent the better part of my career doing the unglamorous but deeply satisfying work of keeping systems secure — hardening infrastructure, hunting down vulnerabilities, and building networks that hold up under pressure. OpenBSD found me early on, and honestly, it never let go.

What drew me in wasn't just the security track record — it was the philosophy. The OpenBSD project doesn't cut corners, and over the years, that mindset shaped the way I approach every system I touch. I've run pf rulesets in production environments, leaned on OpenSSH in ways most people never think to, and lost more than a few weekends going deep on the base system just because I wanted to understand it.

I'm not an academic. I'm an architect who works in the real world, where things break, deadlines exist, and "secure by default" isn't just a tagline — it's a requirement. This book is the one I wished existed when I was starting out, and the one I still reach for now.

When I'm not buried in a terminal, I contribute to the security community through research, talks, books and the occasional late-night mailing list thread. I believe open systems make us all safer, and I hope this handbook helps you feel the same way.


Table of Contents

Gratitude and Dedication

Introduction

Part I: The Architecture of ksh on OpenBSD

Chapter 1: KornShell Internals and Environment

  • 1.1 The Genesis and Evolution of OpenBSD ksh
  • 1.2 The Execution Model: Fork, Exec, and Memory
  • 1.3 Security Primitives: The Shell and the Kernel
  • 1.4 Advanced Variable Expansion and Pattern Matching
  • 1.5 Signal Handling and Resilient Scripting
  • 1.6 Memory Management and the ksh/Kernel Interface
  • 1.7 ASLR (Address Space Layout Randomization) and PIE
  • 1.8 Observing Memory Stress in ksh
  • 1.9 The Cost of Security

Chapter 2: Advanced Scripting for Senior Architects

  • 2.1 High-Performance Conditionals
  • 2.2 Co-processes: The |& Construction

Part II: Identity and Access Management (IAM)

Chapter 3: User Onboarding and Offboarding at Scale

  • 3.1 The Architect’s Foundation: login.conf
  • 3.2 Automated Onboarding via ksh
  • 3.3 The Skeleton Directory (/etc/skel) Architecture
  • 3.4 Secure Offboarding: The “Nuclear Option”
  • 3.5 Auditing the IAM Lifecycle
  • 3.6 The Architecture of Trust: doas vs. sudo
  • 3.7 Implementing doas in the Onboarding Workflow
  • 3.8 Advanced Environment Management: setenv and keepenv
  • 3.9 Integrating doas into the Offboarding Workflow
  • 3.10 Fleet Orchestration and doas

Part III: Fleet Management and the SSH Ecosystem

Chapter 4: Beyond Authorized_Keys — SSH Certificates

  • 4.1 The CA Hierarchy: Host vs. User
  • 4.2 Architecting the Signing Node
  • 4.3 Server-Side Configuration
  • 4.4 The Kill-Switch — Key Revocation Lists (KRL)

Chapter 5: Orchestrating the Fleet with ksh

  • 5.1 The ProxyJump Strategy
  • 5.2 Mass-Parallel Execution via ksh
  • 5.3 Hardware Tokens: FIDO2 and OpenBSD

Part IV: Sustaining the System

Chapter 6: Patching and Lifecycle Management

  • 6.1 The syspatch(8) Internal Logic
  • 6.2 Automating the Fleet Patching
  • 6.3 The sysupgrade(8) Transition

Chapter 7: Forensic Auditing — doas, sshd, and syslogd

  • 7.1 The syslogd(8) Backbone
  • 7.2 Auditing doas: Tracking Privilege Escalation
  • 7.3 Auditing sshd: Detecting Ingress Anomalies
  • 7.4 Advanced: Real-time Alerting with sec(8) or ksh
  • 7.5 Forensic Integrity: newsyslog(8)

Part V: Cryptography Integrity

Chapter 8: Cryptographic Integrity — Signing Scripts with signify(1)

  • 8.1 The Signify Philosophy
  • 8.2 Implementing the Signed Script Pipeline
  • 8.3 Fleet-Wide Verification
  • 8.4 Bootstrapping with signify

Part VI: Foundation of Redundancy

Chapter 9: The Foundation of Redundancy — CARP

  • 9.1 Architectural Mechanics of CARP
  • 9.2 Provisioning CARP via ksh
  • 9.3 Preemption and Failover Logic

Part VII: Orchestration at Layer 7

Chapter 10: Layer 7 Orchestration — relayd(8)

  • 10.1 The Relayd Architecture
  • 10.2 Production Configuration for a Fleet
  • 10.3 Synchronizing State with ksh

Part VIII: HA Storage

Chapter 11: High Availability Storage — Synchronization via rsync or pax

Part IX: Unique and Powerful Firewall with State

Chapter 12: PF Architecture and Stateful Inspection

  • 12.1 The Ruleset Hierarchy

Chapter 13: High-Efficiency Tables and Anchors

  • 13.1 Tables: The Architect’s Secret Weapon
  • 13.2 Anchors: Dynamic Rulesets

Chapter 14: Orchestrating PF Across the Fleet

  • 14.1 The ksh “Safety-First” Deployment Script

Chapter 15: Advanced Scrubbing and Fingerprinting

Chapter 16: Integration — Auditing doas/PF with syslogd

  • 16.1 Logging PF Drops
  • 16.2 The Audit Pipeline

Part X: Zero-Touch Provisioning

Chapter 17: Zero-Touch Provisioning — autoinstall(8)

  • 17.1 The Autoinstall Workflow
  • 17.2 Crafting the install.conf
  • 17.3 The site78.tgz Post-Install Hook

Part XI: Security at Rest

Chapter 18: Security at Rest — Bioctl and Softraid Crypto

  • 18.1 The Crypto-Disk Architecture
  • 18.2 Automating Encryption via Autoinstall

Part XII: Do what is right

Chapter 19: Hardening ksh via Pledge(2) and Unveil(2)

  • 19.1 What is Unveil in a Shell Context?
  • 19.2 The “Secure Exec” Wrapper

Part XIII: Disks again

Chapter 20: Advanced Disk Geometry and Partitioning

  • 20.1 The Disklabel Deep-Dive
  • 20.2 Orchestrating Custom Labels

Part IV: Performance Tuning

Chapter 21: Performance Tuning and Sysctl

  • 21.1 Network Stack Tuning
  • 21.2 Monitoring with systat

A few thoughts, from hereon

Credits
