Tested on OpenBSD 6.3 and 6.4

Install OpenBSD on a desktop

Prepare an USB drive with OpenBSD installer.
For example, on macOS.

Backup everything.

Check BIOS: Secure Boot disabled, UEFI Boot enabled.
For example, on ThinkPad X1C5.

Boot the installer.

Select (S)hell to create encrypt the drive.

# sysctl hw.disknames

In this case sd0 is the target drive.
rd0 is ramdisk for installer kernel.
sd1 is USB drive with OpenBSD installer.

Erase all data on sd0. Create GUID Partition Table (GPT) and a partition layout.

# dd if=/dev/urandom of=/dev/rsd0c bs=1m
# fdisk -iy -g -b 960 sd0
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
a a
offset: [1024]
size: [500117105]
FS type: [4.2BSD] RAID
No label changes.

Generate a strong passphrase. Use diceware, for example.

# bioctl -c C -l sd0a softraid0
New passphrase:
Re-type passphrase:
sd2 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd2: 244190MB, 512 bytes/sector, 500102858 sectors
softraid0: CRYPTO volume attached as sd2
# cd /dev && sh MAKEDEV sd2
# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.003 secs (265557618 bytes/sec)
# exit

Select (I)nstall and answer questions.

System hostname? = foo
Which network interface do you wish to configure? = em0
DNS domain name? = doman
Password for root account? = **************************
Do you want the X Window System to be started by xenodm(1)? = yes
Setup a user? = username
Full name for user username? = full name
Password for user username? = *******************
What timezone are you in? = UTC
Which disk is the root disk? = sd2
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? = gpt
Location of sets? = disk
Is the disk partition already mounted? = no
Which disk contains the install media? = sd1
Continue without verification? = yes

Unplug USB drive with the installer and boot OpenBSD from the target drive. Login as a regular user and run this command in xterm(1) to switch to root.

$ su -

run syspatch(8):

# syspatch
Relinking to create unique kernel... done.

Update fstab(5) to add noatime:

# cp /etc/fstab /etc/fstab.bak
# sed -i 's/rw/rw,noatime/' /etc/fstab

Update login.conf(5) to increase memory limits:

# cp /etc/login.conf /etc/login.conf.bak
# sed -i 's/datasize-cur=768M/datasize-cur=4096M/' /etc/login.conf
# sed -i 's/datasize-max=768M/datasize-max=4096M/' /etc/login.conf

Enable apmd(8):

# rcctl enable apmd
# rcctl set apmd flags -A -z 7
# rcctl start apmd
ampd (ok)

Add your username /etc/doas.conf:

# echo 'permit username' > /etc/doas.conf

Reboot and login as a regular user.