One of the changes Apple has introduced with macOS Tahoe is the ability to use SSH at the unified login screen available on Apple Silicon Macs. Apple has built on this to provide a way to allow a FileVault-encrypted Mac to be unlocked via an SSH session. Apple mentions this new capability as part of the following KBase article:
- What’s new for enterprise in macOS Tahoe 26: https://support.apple.com/124963
As part of the KBase article, the following man page is referenced:
apple_ssh_and_filevault
This can be accessed using the following command:
man apple_ssh_and_filevault
For more details, please see below the jump.
To unlock FileVault on macOS Tahoe using SSH, you can use the procedure described below:
Pre-requisites:
- Second computer available which can run SSH.
- Target Mac must be using an Apple Silicon processor.
- Target Mac must be running macOS Tahoe or later.
- Target Mac must have FileVault encryption enabled.
- Target Mac must have SSH enabled.
1. Connect from the second computer to the target Mac using the username and network address of the target Mac.
For this example, the target Mac has the following account and network address:
- Account: username
- Network address: computername.local
In this example, the following command is being used to connect from the second computer to the target Mac using SSH:
ssh username@computername.local
2. When you connect, you should be informed that the target Mac is locked and that you’ll need to provide a local username and password to unlock it.
In this example, we’re connecting with the username of an account which is enabled on the Mac to unlock FileVault. Because of this, we should only need to provide the password for that account.
3. Once the password has been provided, the Mac unlocks FileVault and automatically closes the SSH connection between the second computer and the target Mac.
On the target Mac, you should see activity similar to this occurring on the login screen.
4. After a short amount of time, the target Mac should be unlocked. At this point, you should be able to connect again from the second computer to the target Mac using SSH and have access to all expected functionality.
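The prerequisites listed above, along with the requirement from step 2 that the account be enabled to unlock FileVault, can be verified on the target Mac before relying on this procedure. The script below is an added example, not taken from Apple's man page or from the original post; its function names are hypothetical, and it assumes it is run as root on the target Mac with the account's short name as its only argument.

```shell
#!/bin/sh
# Added example: prerequisite checks for SSH-based FileVault unlock.
# Each check takes command output as an argument, so it can be exercised
# with constructed input; function names are hypothetical.

# `sysctl -n hw.optional.arm64` prints 1 on Apple Silicon.
is_apple_silicon() { [ "$1" = "1" ]; }

# `sw_vers -productVersion` prints e.g. 26.0; macOS Tahoe is major version 26.
is_tahoe_or_later() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 26 ]
}

# `fdesetup status` prints "FileVault is On." when encryption is enabled.
filevault_on() { case $1 in *"FileVault is On."*) return 0 ;; esac; return 1; }

# `systemsetup -getremotelogin` prints "Remote Login: On" when SSH is enabled.
ssh_on() { case $1 in *"Remote Login: On"*) return 0 ;; esac; return 1; }

# `fdesetup list` prints one "shortname,UUID" line per FileVault-enabled user.
user_can_unlock() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -Fxq -- "$2"
}

# Prints PASS/FAIL per prerequisite; returns non-zero if any check fails.
# Args: arm64 flag, OS version, fdesetup status, remote login status,
#       fdesetup list output, account short name.
check_prereqs() {
    rc=0
    is_apple_silicon "$1" && echo "PASS Apple Silicon" || { echo "FAIL Apple Silicon"; rc=1; }
    is_tahoe_or_later "$2" && echo "PASS macOS 26 or later" || { echo "FAIL macOS 26 or later"; rc=1; }
    filevault_on "$3" && echo "PASS FileVault enabled" || { echo "FAIL FileVault enabled"; rc=1; }
    ssh_on "$4" && echo "PASS SSH enabled" || { echo "FAIL SSH enabled"; rc=1; }
    user_can_unlock "$5" "$6" && echo "PASS $6 can unlock" || { echo "FAIL $6 can unlock"; rc=1; }
    return $rc
}

# Run the real checks only on macOS, as root, with an account name given.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    check_prereqs "$(sysctl -n hw.optional.arm64 2>/dev/null)" \
        "$(sw_vers -productVersion)" "$(fdesetup status)" \
        "$(systemsetup -getremotelogin)" "$(fdesetup list)" "$1"
fi
```

A FAIL on the last check means the account can log in over SSH once the Mac is unlocked but is not one of the FileVault-enabled users, so it would not be the account to connect with in step 1.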