Apple: SSH and FileVault

New SSH-based FileVault Unlock

  • macOS 26 “Tahoe” adds the ability to remotely unlock a FileVault-encrypted data volume over SSH when “Remote Login” is enabled.
  • Initial SSH authentication only unlocks the volume; the server then drops the connection while the system finishes mounting the volume and starting services. Once boot completes, a second SSH connection works normally.
  • Users confirm it works on headless Mac minis: after reboot, SSH prompts to “unlock” first, then behaves as usual.

Security Implications and Attack Vectors

  • The main new risk discussed is enabling password-based SSH on hosts where users previously enforced key-only authentication, since the unlock prompt has to accept the disk password over the network. Some plan to mitigate this by exposing the unlock prompt only over a VPN (WireGuard, Tailscale).
  • One proposed attack: steal the Mac, copy its unencrypted host key, impersonate it on the network, capture the unlock password via SSH, then decrypt the original machine offline.
  • Others note that Apple could store host keys in the Secure Enclave or keep them encrypted until the preboot unlock, which likely reduces that risk, but the concrete implementation details are unclear.
  • Concern that Tahoe now forces FileVault recovery keys into iCloud Keychain for some users, even if they previously opted out, changing the threat model without explicit consent.
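The two client-side guards a practitioner would want before typing a disk password into a remote unlock prompt, as an added example (not Apple's or OpenSSH's code): reach the Mac only through a VPN subnet, so the password prompt never crosses the open network, and compare the presented host key against a fingerprint pinned out of band (assumed to have been read on the console with `ssh-keygen -lf` before the machine went headless). The fingerprint computation follows the OpenSSH format, SHA256 of the public-key blob in unpadded base64. The limit of the second check is exactly the attack above: pinning only catches an impersonator who could not copy the real host key, i.e. the case where Apple protects the key in the Secure Enclave or keeps it encrypted until unlock. The VPN range, host name, and key bytes are constructed for the example.

```python
"""Client-side guard for the SSH FileVault unlock step (added example)."""
import base64
import hashlib
import hmac
import ipaddress

VPN_NET = ipaddress.ip_network("100.64.0.0/10")  # assumed VPN overlay range


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as in the OpenSSH public-key wire format."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build an ssh-ed25519 public-key blob from 32 raw key bytes."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_hosts_line(host: str, key_type: str, blob: bytes) -> str:
    """Render a plain (unhashed) known_hosts entry."""
    return f"{host} {key_type} {base64.b64encode(blob).decode('ascii')}"


def parse_known_hosts_line(line: str) -> tuple:
    """Parse a plain known_hosts entry into (host, key_type, blob).

    Rejects an entry whose declared type does not match the type string
    inside the blob, so an edited file cannot relabel a different key.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return host, key_type, blob


def host_key_matches_pin(presented_blob: bytes, pinned_fingerprint: str) -> bool:
    """True only if the presented key hashes to the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(presented_blob), pinned_fingerprint)


def unlock_decision(target: str, presented_blob: bytes,
                    pinned_fingerprint: str, vpn_net=VPN_NET) -> str:
    """Decide whether the unlock password may be typed into this session."""
    if ipaddress.ip_address(target) not in vpn_net:
        return "abort: target not on VPN, password prompt would cross open network"
    if not host_key_matches_pin(presented_blob, pinned_fingerprint):
        return "abort: host key mismatch, possible impersonation"
    return "send unlock password"


# --- constructed demonstration data (not real keys or hosts) ---
MAC_KEY = ed25519_blob(bytes(range(32)))          # the genuine Mac's host key
IMPOSTOR_KEY = ed25519_blob(bytes(range(1, 33)))  # a replacement key
PINNED_FINGERPRINT = fingerprint(MAC_KEY)         # recorded from the console
PINNED_LINE = known_hosts_line("macmini.local", "ssh-ed25519", MAC_KEY)

if __name__ == "__main__":
    _, _, key_from_file = parse_known_hosts_line(PINNED_LINE)
    print("pinned:", PINNED_FINGERPRINT)
    print(unlock_decision("100.64.0.12", key_from_file, PINNED_FINGERPRINT))
    print(unlock_decision("100.64.0.12", IMPOSTOR_KEY, PINNED_FINGERPRINT))
    print(unlock_decision("203.0.113.7", key_from_file, PINNED_FINGERPRINT))
```

In practice the same policy is expressed to the real client by keeping the pinned entry in a dedicated file and refusing anything else, e.g. `ssh -o UserKnownHostsFile=~/.ssh/known_hosts_macmini -o StrictHostKeyChecking=yes -o UpdateHostKeys=no <vpn-address>` for the unlock connection. One caveat from the thread: whether the preboot unlock environment presents the same host key as the fully booted OS is not documented, so record the key seen at the unlock prompt separately and pin both if they differ.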

Macs as (Headless) Servers

  • Many see this as a major quality-of-life improvement for Mac mini servers and CI/build machines, where power outages or OS updates previously required physical console access or hardware KVM.
  • Some still consider macOS a poor server platform due to opaque security dialogs, Apple ID prompts, and GUI-only admin flows that break unattended operation. Others argue modern Macs are performant, power-efficient, and fine for home/hobby or Apple-specific workloads.

Comparisons and Alternatives

  • Several note Linux has long supported similar remote-unlock patterns (SSH in initramfs, dropbear, systemd-cryptenroll with TPM, Tailscale in initramfs), though often with more manual setup and different trade-offs.
  • This feature is seen as Apple’s “Dropbear + LUKS” equivalent, finally arriving for macOS.

Implementation Questions & Issues

  • Unclear whether SSH key-based auth is supported pre-unlock; documentation emphasizes passwords.
  • Some report needing to toggle “Remote Login” after upgrading. One user found Tahoe auto-enabled FileVault, then SSH stopped working (“connection refused”) until the machine was locally unlocked.