OpenBSD Cryptography

Why do we ship cryptography?

In three words: because we can.

The OpenBSD project is based in Canada.

The Export Control List of Canada places no significant restriction on the export of cryptographic software, and is even more explicit about the free export of freely-available cryptographic software. Marc Plumb has done some research to test the cryptographic laws.

Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country.

OpenBSD was the first operating system to ship with an IPsec stack. We've been including IPsec since the OpenBSD 2.1 release in 1997.


As of the 2.6 release, OpenBSD contains OpenSSH, an absolutely free and patent unencumbered version of ssh. OpenSSH interoperated with ssh version 1 and had many added features,

Roughly said, we took a free license release of ssh, OpenBSD-ifyed it. About a year later, we extended OpenSSH to also do SSH 2 protocol, the result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0.

International Cryptographers Wanted

Of course, our project needs people to work on these systems. If any non-American cryptographer who meets the constraints listed earlier is interested in helping out with embedded cryptography in OpenBSD, please contact us.

Further Reading

A number of papers have been written by OpenBSD team members, about cryptographic changes they have done in OpenBSD. The postscript versions of these documents are available as follows.