>When FileVault is enabled, the data volume is locked and unavailable during and after booting, until an account has been authenticated using a password. The macOS version of OpenSSH stores all of its configuration files, both system-wide and per-account, in the data volume. Therefore, the usually configured authentication methods and shell access are not available during this time. However, when Remote Login is enabled, it is possible to perform password authentication using SSH even in this situation. This can be used to unlock the data volume remotely over the network. However, it does not immediately permit an SSH session. Instead, once the data volume has been unlocked using this method, macOS will disconnect SSH briefly while it completes mounting the data volume and starting the remaining services dependent on it. Thereafter, SSH (and other enabled services) are fully available.
Now THAT is a welcome change!
reader9274 8 hours ago [-]
So you're saying i can now have a fully remote mac mini server with auto-reboot on power outage without the need to physically log in with a keyboard attached? Awesome
varenc 8 hours ago [-]
You can also do this:
sudo fdesetup authrestart -delayminutes -1
which will make the computer auto login to the chosen account on next reboot, without having to type in a password. Only lasts once. Has obvious security downsides though but that might be fine.
firecall 5 hours ago [-]
I was also aware of this - but I dont want my Mac to actually auto login, for obvious reasons!
I just want me to able to remotely login!
eastbound 7 hours ago [-]
But then you could just disable FileVault?
derefr 6 hours ago [-]
I think the point of this technique is to be able to leave the machine locked on cold boot, but to be able to e.g. unlock it, put it to sleep, and go on vacation; and then, if you need to remotely reboot it, you can reboot it in such a way that it stays unlocked on next boot, rather than reverting to locked.
kkylin 6 hours ago [-]
Generally I have used fdesetup to do remote OS upgrades: do this just before an OS upgrade so that on reboot I can still log in.
anyfoo 6 hours ago [-]
It's still a little bit like putting your jewelry in a safe, and leaving the key on top of the safe.
patrakov 2 minutes ago [-]
It makes sense temporarily. You can always move the key to your pocket later if nobody steals it.
BHSPitMonkey 3 hours ago [-]
When it comes to disk encryption, at least in the home, the threat model isn't somebody sitting around in your home finding a way to exfiltrate the currently-unlocked filesystem; It's someone taking the computer or the drive with them and leaving.
In your analogy, the key atop the vault vanishes as soon as the vault is moved from its location (loses power).
anyfoo 2 hours ago [-]
If that was the case (maybe it is, I don’t know), then how does the proposed solution help against power outages, which was asked for?
derefr 4 hours ago [-]
I mean, I assume you'd set the unlock-on-reboot flag, and then immediately reboot — at which point the unlock-on-reboot flag gets automatically unset.
So, sure, it's a bit like leaving the key on top of the safe... while you have the safe open. Which isn't all that odd.
anyfoo 2 hours ago [-]
No, the scenario was power outage at an unknown time in the future, not immediate reboot.
johncolanduoni 5 hours ago [-]
This only puts the key in NVRAM until the next restart - so if you run it just before you restart an attacker would have to happen to grab the device in those few minutes.
anyfoo 2 hours ago [-]
The stated problem was power outages. I did not verify the syntax of the proposed solution, but -1 looks like it disables the delay. So, indefinitely until the next reboot? Which, if the key is indeed saved in NVRAM (I don’t know), means someone can take the machine and have it unlocked at their destination.
johncolanduoni 1 hours ago [-]
It used to be NVRAM at least, but that was before the integrated Secure Enclave. Now it could in theory store it there and only unlock if the boot chain is validated (similar to the automatic TPM-based unlock that Windows uses by default).
firecall 5 hours ago [-]
I'm hoping that's the case!
Having to physically login to a remote Mac that has FieVault enabled to get it online after a power outage is not ideal!
So will I be able to actually remote into the GUI now after a reboot?
I've looking at getting a Mac mini for my homelab again, but thinking I'll need one of those remote enable KVM devices!
Reason077 7 hours ago [-]
You’ve always been able to do this, just not in combination with FileVault.
tristansokol 6 hours ago [-]
How would you automatically login via ssh?
7 hours ago [-]
georgeburdell 7 hours ago [-]
Biggest change for corporate non-personal Mac usage. Mac Minis are actually fairly good value and good quality for miscellaneous automation purposes. We started switching over to them at work, and the FileVault issue described here was actually one of the big things holding us back.
TheTaytay 3 hours ago [-]
Ive been curious about using some Macs for general purpose servers. Is there anything else you do to make them easier to administrate as servers? Are you running Mac-specific stuff on them or more general purpose Linux containerized stuff?
mrtesthah 34 minutes ago [-]
Macs make terrible servers. I’ve had to manage various on-premises Mac servers for the last 15-20 years and every year Apple breaks something extremely basic and obvious with no reasonable workaround. Especially these days with locking down all the administrative functions such that only a local admin user (with a SecureToken!) clicking a button in the GUI with a physically attached mouse/keyboard can enable them.
tonymet 6 minutes ago [-]
could this be used more generally for secrets & creds? i would like to improve the security of api keys and stuff
sandreas 17 minutes ago [-]
I welcome this change, while I'm still asking myself whether macs did not support JetKVM or NanoKVM? This should allow way more flexible remote access solutions than having to use SSH.
nozzlegear 8 hours ago [-]
> The capability to unlock the data volume over SSH appeared in macOS 26 Tahoe.
Neat! I thought it was odd that I was able to SSH into my Mac after upgrading to Tahoe the other night – part of me wondered if I actually hit that "Upgrade" button before walking away. This is a welcome change though; I don't usually shut my Mac down but there have been a few times where I'm working away from home and need to SSH into my Mac only to remember that I'd installed some major update the night before.
ninkendo 7 hours ago [-]
I guess this means the system volume is not encrypted with FileVault? It makes total sense, since it’s supposed to be sealed, read-only data, and identical for every macOS installation.
There’s no reason you shouldn’t be able to boot all the way up including networking, before requiring the data volume to be decrypted.
I know they do a lot of clever things with overlays too, to make it look like you’re writing to the system partition when you’re actually writing to the data partition. It’s a pretty welcome change if FileVault can just skip encrypting the sealed system volume altogether.
astafrig 4 hours ago [-]
Not always on networking; any WiFi passwords are on the data volume too.
unloader6118 3 hours ago [-]
Some WiFi password and Bluetooth keyboard pairing are in nvram.
4 hours ago [-]
Cu3PO42 8 hours ago [-]
Neat. Though I wonder if this suffers from the same race condition that the graphical session does when your shell is stored on a data volume.
Specifically, if you restart and opt to restart apps, they can come up before all volumes have been decrypted and mounted. If your shell is on one such volume, your terminal emulator may fail to start, for example. This can happen when using Nix to install your shell, for example.
I imagine this may be even easier to hit over SSH unless the underlying problem was resolved.
lilyball 4 hours ago [-]
Unlock over SSH terminates the connection after unlocking the data volume, so it doesn't even attempt to start the shell until you reconnect after it's fully booted up.
FWIW you can fix the shell issue by wrapping your shell in a shim that essentially runs wait4path on the nix store before exec'ing your real shell. I set up my environment to install that shim binary directly onto the data volume at a known path so it can be used as my login shell.
Cu3PO42 4 hours ago [-]
Depending on the timeouts involved, I imagined it might still happen if you had automatic retry.
And thanks for the pointer, I actually have the same fix in my config with the nice benefit of only adding a single non-changing entry to /etc/shells. It might be worth up streaming something like this to nix-darwin, so we don't all go implement essentially the same fix.
xrisk 7 hours ago [-]
This is such a hilarious failure mode. I would never have imagined something like this to a problem.
In the case of SSH though, I assume retrying after a second or so would be enough. You probably have some sort of retry mechanism to deal with network failures anyway.
conradev 5 hours ago [-]
Apple does a “userspace reboot” (killing all processes) after device unlock to categorically solve this problem
floam 3 hours ago [-]
That sounds like a perfect use case for the wait4path utility that’s shipped with the OS for decades
nunez 33 minutes ago [-]
Huge news for kick-starting Mac minis in a rack and remote lockout troubleshooting!
epistasis 6 hours ago [-]
I've been playing with Omarchy ("highly opinionated" Arch configuration) which has full disk encryption, and was wondering if I could use it as my primary VM. While in person, I would get a full GPU accelerated desktop, with access to all the long-running compute jobs etc. that I'm doing otherwise.
However the one thing stopping me is exactly what's solved here with the new MacOS. If I'm away for a few weeks, and the machine power cycles, the full disk encryption password still needs to be entered, in person, as far as I can tell. I'm running it under ProxMox, with the GPU in-person USB devices being passed to the VM. So the standard VNC viewer doesn't work for the setup.
It would be interesting to see if Omarchy tries somethnig similar...
halJordan 6 hours ago [-]
You've been able to bake a dropbear into the initramfs for, well, ever on linux
epistasis 5 hours ago [-]
Thanks for the pointer! Looks like tailscale also has at least 3 implementations for initramfs too:
It’s such a welcome change. I have filevault disabled specifically for that purpose.
cjensen 4 hours ago [-]
>When FileVault is enabled, the data volume is locked and unavailable during and after booting
This is incorrect. Macs do only a tiny partial boot before showing the login. The real work is done after the machine is unlocked.
When using OpenCore on a Hackintosh, the unlock login is almost instantly presented after OpenCore completes its part of startup. Only after the unlock does MacOS startup really do anything.
It's awesome that someone has managed to get ssh to do the unlock, but saying the data volume is "locked... after booting" is going too far.
mjg59 3 hours ago [-]
"Someone" here is Apple - this is the Apple manpage for a Tahoe feature
unloader6118 2 hours ago [-]
You are confused. There are no "partial boot". This is fully booted in "before first unlock" state. Apple's public document always call it that way.
dishsoap 2 hours ago [-]
In the past it used to work the way the parent comment is describing. The confusion is understandable. Apple basically got rid of macos and replaced most of it with things from ios in 2020, a lot changed.
wpm 50 minutes ago [-]
Only true for Intel Macs
4 hours ago [-]
mmaunder 8 hours ago [-]
There’s an attack vector in there somewhere.
xoa 8 hours ago [-]
Kinda struggling to think of what, beyond the well understood risks of using password-based SSH at all. But that's easily ameliorated by sticking it behind Wireguard or something similar. I think this is a pretty welcome change vs turning off FV entirely which I've had to do with Mac servers in the past.
g-mork 6 hours ago [-]
1) steal computer,
2) copy unencrypted SSH host key from it to a new computer (which necessarily must not be stored in the data volume), configured with the network identity of original computer
3) leave new computer in place of original to capture remote SSH-to-unlock attempt
4) use knowledge of password to unlock original's filevault at your leisure somewhere offsite
johncolanduoni 5 hours ago [-]
I’m not sure if they do this, but nothing would stop Apple from putting the SSH host key in the Secure Enclave. This would prevent the extract the SSH host (private) key step.
adastra22 8 hours ago [-]
Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before. Can this recovery key be used to unlock over SSH?
pseudalopex 7 hours ago [-]
> Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before.
Yes and no according to Glenn Fleishman. Storing FileVault recovery keys in iCloud Keychain wasn't a choice before. The old iCloud recovery method wasn't end to end encrypted. But iCloud Keychain is. So calling it escrow is debatable. And old recovery keys aren't added to iCloud Keychain. But new recovery keys are stored in iCloud Keychain if enabled.[1]
I can confirm that old recovery keys are added to the iCloud Keychain, even if you explicitly opted out of iCloud recovery before. This is exactly what happened to me when I upgraded my systems to macOS 26 yesterday.
iCloud Keychain is NOT the same security as a hardcopy written down recovery key, which is what I used before. This is absolutely a forced change in security policy that was not communicated or opted into by the user.
pseudalopex 2 hours ago [-]
Was iCloud Keychain enabled before you upgraded? Or was it forced on?
adastra22 1 hours ago [-]
I use iCloud keychain as my password manager, just for other things.
xoa 7 hours ago [-]
I don't know but I'm still not seeing the relevance? The threat/target scenarios in general for FDE are physical theft of a device, hardware servicing by 3rd parties, and dealing with end of life (either due to replacement or hardware failure). FDE means that "erasing all data securely" can involve simple key purging instead of extremely time consuming zeroing/overwriting or physical destruction. But it's no barrier nor meant to be any barrier against hot online attacks, if someone is able to get admin remote access to a running system without authorization that is the problem and it'd be equally the problem whether the machine was cold booted or already booted. And if they illegitimately possess the recovery key then it's a problem whether remote or physically present.
FWIW and having not looked yet (since I never upgrade major macOS versions anymore without a good 3-5 months going by and the first 2-3 minor fixes first) my default assumption is it's still possible to not escrow recovery keys, if only because plenty of people don't use iCloud keychain at all (including myself), and also because I know for sure that you can use configuration profiles to control FV recovery key escrow already. That'd be a requirement for lots of business usage so even if it needs a profile to use should still be there? But again this all seems orthogonal to the issue at hand. Stuff does crash or need updates that require a reboot and previously you either needed to turn off FV entirely or use a hardware workaround for GUI access (ie, setup a basic SBC with HDMI/USB in and use it as a bridge or use a premade solution along the lines of PiKVM [0]). It's definitely a small but nice (and feels rare nowadays from Apple) remote admin gesture to let it be done in software like it should have been long ago.
> my default assumption is it's still possible to not escrow recovery keys
At least if you have an iCloud account attached to your profile (I have no idea what happens if you don't), the upgrade process will automatically and without notification or asking consent add your recovery key to the iCloud Keychain. It does tell you afterwards what it so helpfully did.
qmr 6 hours ago [-]
Call me crazy, (“you’re crazy!”) but I still zero all storage before destruction, sale or repurposing.
Belt and suspenders.
johncolanduoni 5 hours ago [-]
For SSDs that doesn’t actually guarantee deletion - there could still be some over-provisioned erase blocks that have the old data due to wear leveling.
jshier 4 hours ago [-]
Apple's SSDs are all encrypted at the controller nowadays. No need to rewrite, just reformat and it cycles the key, leaving any recoverable data irrevocably encrypted (until we break modern encryption).
wpm 48 minutes ago [-]
I mean, if you regularly deal with data worth the effort necessary to recover, that isn’t crazy at all
Citizen8396 7 hours ago [-]
1. Keychain is local if you don't enable iCloud
2. If someone has compromised your iCloud account and/or device, you have bigger things to worry about
3. No
adastra22 3 hours ago [-]
> If someone has compromised your iCloud account and/or device, you have bigger things to worry about
That doesn't mean all my security should be a house of cards with a single point of failure in the form of my iCloud account and/or device(s). Someone shouldn't be able to get the keys to the castle just by compromising any single one of those.
bigyabai 7 hours ago [-]
Yup. My post-Blastdoor reaction to these writeups is always one of tentative suspicion.
AceJohnny2 7 hours ago [-]
Interesting. I thought even networking didn't come up after a cold boot on a system with FileVault until there was a local login, which is a big reason I do not enable FileVault on my office workstation. I guess this has been changed on Tahoe too?
conradev 5 hours ago [-]
Networking always comes up after cold boot, but WiFi passwords are stored on the encrypted volume. So, it depends on whether you use WiFi!
wpm 46 minutes ago [-]
One network will get stored on NVRAM, I think it’s probably whatever the first one you connect to is.
SoftTalker 4 hours ago [-]
And also depends on your using DHCP?
johannes1234321 7 hours ago [-]
I guess it is need, so that the IT department may revoke keys remotely.
oefrha 3 hours ago [-]
Sadly you need to upgrade to the abomination that is macOS 26 to use this… Which I probably won’t do until latest Xcode drops support for macOS 15.
nnx 6 hours ago [-]
Is there a way to somehow authenticate with ssh key instead?
kylehotchkiss 5 hours ago [-]
Can LaunchDaemons spin up after this initial unlock? I'm trying to get my Mac Mini server to run things regardless of my login status. It would be great to get FileVault enabled on the server with this. I'm OK to manually login whenever the power goes out.
lilyball 4 hours ago [-]
LaunchDaemons don't rely on GUI login state so they should come up. If you use LaunchAgents then they won't start this way, but LaunchDaemons should be enabled once the data volume is unlocked and booting finishes.
odo1242 4 hours ago [-]
They also seem to have added the ability to use external displays on the login screen while FileVault is enabled, which is pretty useful.
pfexec 7 hours ago [-]
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...
(Here's a nickel kid...)
xrisk 7 hours ago [-]
This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.
systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)
Apologies if I misunderstood something.
epistasis 6 hours ago [-]
I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?
However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...
Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.
It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...
conradev 5 hours ago [-]
and I imagine that the initramfs is not encrypted and trivially modifiable?
Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.
But that uses TPM backed keys only protected by the TPM PSRs. Someone could still swipe your box and unlock the disk.
rnhmjoj 7 hours ago [-]
Also possible without a TPM: you just put openssh into the initrd, so you can log in and type the password to unlock the root.
(It's technically not full-disk encryption because the kernel and initrd are in plaintext, but everything else is)
pfexec 7 hours ago [-]
What do you authenticate against? Your shadow file is in the unencrypted area leaving it susceptible to offline attack.
With the TPM you can fully disable password auth over SSH.
rnhmjoj 7 hours ago [-]
Correct, someone with physical access could run a MitM attack and steal your passphrase. I just find this extremely unlikely, so I honestly don't care.
Finally, MacOS version of Linux dropbear + LUKS. I waited for this.
techlatest_net 7 hours ago [-]
[dead]
saraxx22 7 hours ago [-]
[dead]
sugarpimpdorsey 8 hours ago [-]
Maybe stop using Macs as multiuser servers?
Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.
I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?
There's a surprising lack of detail here.
numbsafari 8 hours ago [-]
How about I just want to access my files remotely after a reboot occurs without having to get to the device at my house?
Agreed, though… MacOS isn’t a proper multi-user system and X is Not Unix…
jacobgkau 8 hours ago [-]
In addition to the pedigree that someone else pointed out, macOS is also explicitly certified as UNIX by the legal stewards of that name: https://www.opengroup.org/openbrand/register/
I have to dig out this chart when people complain about macOS's "non-standard utilities." Linux's GNU tools are the ones that aren't standard. If anything, Linux did an "embrace, extend, extinguish" against Unix in general.
jen20 8 hours ago [-]
It's also not just Unix by pedigree, but also by certification [1].
I’d add that it is rather prescriptive to declare that macOS is not a “proper multi-user system.”
It is quite capable of handling multiple users. Maybe just not in the way that certain people want it to.
dangus 8 hours ago [-]
I can’t imagine it’s too hard, I think password authentication is the key. Your user password is the same as your FileVault unlock password. I think that there’s a pre-unlock and post-unlock ssh session trick going on. The pre-unlock session just doesn’t have access to anything in the data volume and is able to use the provided password to unlock the data volume.
This would explain why it won’t work with ssh key authentication.
angulardragon03 8 hours ago [-]
Yeah iirc they have moved some stuff around that sshd relied on into the pre-boot volume, so it works exactly as you describe.
cyberax 8 hours ago [-]
I think the SSH host keys are in the system partition ('/private' directory)? It's not protected by FileVault.
This leaves out a possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.
Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.
_mikz 8 hours ago [-]
I have my private keys in Secure Enclave. Why the machine would not have own private keys there?
aaroncarson 7 hours ago [-]
100% - Apple wouldn’t be so stupid as to move the private host keys to an unencrypted partition when the Secure Enclave is _right there_. No way is the Secure Enclave too slow for this - it’s exactly what it’s designed to do!
davidczech 7 hours ago [-]
They are encrypted with a SEP key when stored in preboot volume.
Citizen8396 7 hours ago [-]
1. The drive is encrypted and practically impossible to access on modern Macs regardless of FileVault status
2. The notion of someone having access to / compromising your device in order to capture SSH creds doesn't strike me as realistic
trueismywork 7 hours ago [-]
Thats how all major supercomputer was hacked for crypto.
Rendered at 05:04:36 GMT+0000 (Coordinated Universal Time) with Vercel.
Now THAT is a welcome change!
I just want me to able to remotely login!
In your analogy, the key atop the vault vanishes as soon as the vault is moved from its location (loses power).
So, sure, it's a bit like leaving the key on top of the safe... while you have the safe open. Which isn't all that odd.
Having to physically login to a remote Mac that has FieVault enabled to get it online after a power outage is not ideal!
So will I be able to actually remote into the GUI now after a reboot?
I've looking at getting a Mac mini for my homelab again, but thinking I'll need one of those remote enable KVM devices!
Neat! I thought it was odd that I was able to SSH into my Mac after upgrading to Tahoe the other night – part of me wondered if I actually hit that "Upgrade" button before walking away. This is a welcome change though; I don't usually shut my Mac down but there have been a few times where I'm working away from home and need to SSH into my Mac only to remember that I'd installed some major update the night before.
There’s no reason you shouldn’t be able to boot all the way up including networking, before requiring the data volume to be decrypted.
I know they do a lot of clever things with overlays too, to make it look like you’re writing to the system partition when you’re actually writing to the data partition. It’s a pretty welcome change if FileVault can just skip encrypting the sealed system volume altogether.
Specifically, if you restart and opt to restart apps, they can come up before all volumes have been decrypted and mounted. If your shell is on one such volume, your terminal emulator may fail to start, for example. This can happen when using Nix to install your shell, for example.
I imagine this may be even easier to hit over SSH unless the underlying problem was resolved.
FWIW you can fix the shell issue by wrapping your shell in a shim that essentially runs wait4path on the nix store before exec'ing your real shell. I set up my environment to install that shim binary directly onto the data volume at a known path so it can be used as my login shell.
And thanks for the pointer, I actually have the same fix in my config with the nice benefit of only adding a single non-changing entry to /etc/shells. It might be worth up streaming something like this to nix-darwin, so we don't all go implement essentially the same fix.
In the case of SSH though, I assume retrying after a second or so would be enough. You probably have some sort of retry mechanism to deal with network failures anyway.
However the one thing stopping me is exactly what's solved here with the new MacOS. If I'm away for a few weeks, and the machine power cycles, the full disk encryption password still needs to be entered, in person, as far as I can tell. I'm running it under ProxMox, with the GPU in-person USB devices being passed to the VM. So the standard VNC viewer doesn't work for the setup.
It would be interesting to see if Omarchy tries somethnig similar...
https://news.ycombinator.com/item?id=45296075
This is incorrect. Macs do only a tiny partial boot before showing the login. The real work is done after the machine is unlocked.
When using OpenCore on a Hackintosh, the unlock login is almost instantly presented after OpenCore completes its part of startup. Only after the unlock does MacOS startup really do anything.
It's awesome that someone has managed to get ssh to do the unlock, but saying the data volume is "locked... after booting" is going too far.
2) copy unencrypted SSH host key from it to a new computer (which necessarily must not be stored in the data volume), configured with the network identity of original computer
3) leave new computer in place of original to capture remote SSH-to-unlock attempt
4) use knowledge of password to unlock original's filevault at your leisure somewhere offsite
Yes and no according to Glenn Fleishman. Storing FileVault recovery keys in iCloud Keychain wasn't a choice before. The old iCloud recovery method wasn't end to end encrypted. But iCloud Keychain is. So calling it escrow is debatable. And old recovery keys aren't added to iCloud Keychain. But new recovery keys are stored in iCloud Keychain if enabled.[1]
[1] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-...
iCloud Keychain is NOT the same security as a hardcopy written down recovery key, which is what I used before. This is absolutely a forced change in security policy that was not communicated or opted into by the user.
FWIW and having not looked yet (since I never upgrade major macOS versions anymore without a good 3-5 months going by and the first 2-3 minor fixes first) my default assumption is it's still possible to not escrow recovery keys, if only because plenty of people don't use iCloud keychain at all (including myself), and also because I know for sure that you can use configuration profiles to control FV recovery key escrow already. That'd be a requirement for lots of business usage so even if it needs a profile to use should still be there? But again this all seems orthogonal to the issue at hand. Stuff does crash or need updates that require a reboot and previously you either needed to turn off FV entirely or use a hardware workaround for GUI access (ie, setup a basic SBC with HDMI/USB in and use it as a bridge or use a premade solution along the lines of PiKVM [0]). It's definitely a small but nice (and feels rare nowadays from Apple) remote admin gesture to let it be done in software like it should have been long ago.
----
0: https://pikvm.org/
At least if you have an iCloud account attached to your profile (I have no idea what happens if you don't), the upgrade process will automatically and without notification or asking consent add your recovery key to the iCloud Keychain. It does tell you afterwards what it so helpfully did.
Belt and suspenders.
2. If someone has compromised your iCloud account and/or device, you have bigger things to worry about
3. No
That doesn't mean all my security should be a house of cards with a single point of failure in the form of my iCloud account and/or device(s). Someone shouldn't be able to get the keys to the castle just by compromising any single one of those.
(Here's a nickel kid...)
systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)
Apologies if I misunderstood something.
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...
However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...
It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...
Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.
You auth the initrd too
(It's technically not full-disk encryption because the kernel and initrd are in plaintext, but everything else is)
With the TPM you can fully disable password auth over SSH.
Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.
I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?
There's a surprising lack of detail here.
Agreed, though… MacOS isn’t a proper multi-user system and X is Not Unix…
This includes Tahoe specifically: https://www.opengroup.org/openbrand/register/brand3725.htm
https://en.wikipedia.org/wiki/List_of_Unix_systems#/media/Fi...
I have to dig out this chart when people complain about macOS's "non-standard utilities." Linux's GNU tools are the ones that aren't standard. If anything, Linux did an "embrace, extend, extinguish" against Unix in general.
[1]: https://www.opengroup.org/openbrand/certificates/1223p.pdf
It is quite capable of handling multiple users. Maybe just not in the way that certain people want it to.
This would explain why it won’t work with ssh key authentication.
This leaves out a possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.
Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.
2. The notion of someone having access to / compromising your device in order to capture SSH creds doesn't strike me as realistic