Monday, September 22, 2025

Tahoe FileVault: iCloud Keychain and SSH

Glenn Fleishman:

When setting up FileVault, you used to be presented with two choices:

  • View the Recovery Key, write it down, and keep it safe. It’s never presented again. (But as long as you can log in, you can toggle FileVault and get a new key.)
  • Use your iCloud account to store the key in escrow. However, the key is not end-to-end encrypted, so there was always the slight potential that the key could be recovered by anyone who gains access to your Apple Account and unlocks that escrow.

Neither choice was great; I always opted for the first.

Read the whole post for details about how booting with FileVault works.

Now the key can be shown after it’s first created, which makes it easier to retrieve it without cycling FileVault off and on to regenerate the Recovery Key. And, instead of using basic Apple Account encryption, protected just by a password, the Recovery Key is now stored in your end-to-end encrypted iCloud Keychain and accessible via the Passwords app.

So you now need a trusted device rather than just your Apple Account password to get at the recovery key.

apple_ssh_and_filevault(7) (via Hacker News):

When FileVault is enabled, the data volume is locked and unavailable during and after booting, until an account has been authenticated using a password. The macOS version of OpenSSH stores all of its configuration files, both system-wide and per-account, in the data volume. Therefore, the usually configured authentication methods and shell access are not available during this time. However, when Remote Login is enabled, it is possible to perform password authentication using SSH even in this situation. This can be used to unlock the data volume remotely over the network. However, it does not immediately permit an SSH session. Instead, once the data volume has been unlocked using this method, macOS will disconnect SSH briefly while it completes mounting the data volume and starting the remaining services dependent on it. Thereafter, SSH (and other enabled services) are fully available.
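The procedure the man page describes, worked through as a script. This is an added example, not code from the page or from Apple's documentation; MAC_HOST and MAC_USER are placeholders, and it assumes Remote Login was enabled before the reboot and that the Mac's host key is already in your known_hosts. The first connection must use password authentication, because authorized_keys lives on the still-locked data volume; the script then treats the disconnect as expected and polls until key-based login works again, which only happens once the volume is mounted.

```shell
#!/bin/sh
# Remote FileVault unlock over SSH after a cold boot (added example, not from
# the original post or the apple_ssh_and_filevault(7) man page).
MAC_HOST="${MAC_HOST:-mac.example.test}"   # placeholder hostname
MAC_USER="${MAC_USER:-admin}"              # placeholder account with a FileVault-enabled login

# Options for the pre-unlock connection. Keys cannot work yet: ~/.ssh and the
# per-account config live on the locked data volume, so force password auth
# and do not let ssh burn attempts offering keys.
unlock_ssh_opts() {
  printf '%s\n' \
    "-o PreferredAuthentications=password" \
    "-o PubkeyAuthentication=no" \
    "-o NumberOfPasswordPrompts=1" \
    "-o ConnectTimeout=15"
}

# Step 1: authenticate with the account password. Success unlocks the data
# volume; macOS then drops the connection while it mounts the volume and
# starts the dependent services, so a non-zero exit here is expected.
unlock_data_volume() {
  # shellcheck disable=SC2046  (word-splitting of the option list is intended)
  ssh $(unlock_ssh_opts) "$MAC_USER@$MAC_HOST" true || true
}

# Step 2: poll until sshd is accepting normal logins again. $1 is the probe
# command (replaceable, e.g. for testing), $2 the max attempts, $3 the delay.
wait_for_ssh() {
  probe="$1"; attempts="${2:-30}"; delay="${3:-2}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if $probe; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Default probe: non-interactive key-based login. It cannot succeed until the
# data volume (and the authorized_keys file on it) is available again, so a
# success here means the unlock completed.
ssh_probe() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$MAC_USER@$MAC_HOST" true 2>/dev/null
}

main() {
  unlock_data_volume
  if wait_for_ssh ssh_probe 30 2; then
    echo "data volume unlocked; key-based SSH is back"
    ssh "$MAC_USER@$MAC_HOST"
  else
    echo "sshd did not come back; check Remote Login and the password" >&2
    exit 1
  fi
}

# Only run the real procedure when explicitly requested, so the functions can
# be sourced and exercised without touching a Mac.
if [ "${RUN_UNLOCK:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_UNLOCK=1 MAC_HOST=... MAC_USER=... sh unlock.sh`; the password prompt comes from ssh itself, which is the point of the exercise: the only credential that works against the locked volume is the account password, and anything key-based (including an agent or a jump host with keys) has to wait for the reconnect.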

Jeff Geerling (Mastodon):

macOS 26, despite all its visual warts, lets you manage Macs with FileVault drive encryption enabled, even after a hard reboot or cold boot (like after a power outage).

I’ll show you how it works in this video.
