WhySoGeek.

macOS Tahoe: Unlock FileVault Over SSH Remotely

macOS Tahoe lets you unlock a FileVault-encrypted Mac over SSH after a reboot, moves recovery keys into the Passwords app, and warns before Terminal paste attacks.

Sam Carter

Anyone who has managed a Mac remotely knows the nightmare: FileVault is on, the machine reboots, and it sits at the pre-boot login screen waiting for a password nobody is physically there to type. macOS Tahoe finally fixes that, and adds a couple of other security touches worth knowing.

Quick answer

In macOS Tahoe, FileVault can be unlocked over SSH after a restart, provided Remote Login is enabled and the machine has a network connection. That lets you type the boot password remotely instead of needing physical access. Tahoe also moves FileVault recovery keys into the Passwords app, adds password change history, and warns you before pasting into Terminal.

Key takeaways

  • FileVault unlocks over SSH after a reboot when Remote Login is on and the network is up.
  • Recovery keys now live in the Passwords app, synced via iCloud instead of stored only in iCloud generically.
  • The Passwords app shows history, including old passwords and when they changed.
  • Terminal warns before paste, a defense against paste-based attacks, added in Tahoe 26.4.
  • These target remote management and everyday security rather than flashy features.

The remote unlock everyone wanted

FileVault's whole point is that an encrypted Mac is useless without the password, which is also exactly why remote management has been painful. Reboot a headless or remote Mac and it stops at the pre-boot screen, unreachable over the network because the disk is still encrypted and the OS has not fully started.

macOS Tahoe changes this. FileVault can now be unlocked over SSH after a restart, as long as Remote Login is enabled and a network connection is available. In practice, you SSH into the machine at the pre-boot stage and supply the boot password, and the Mac proceeds to boot normally. For IT teams managing Macs they cannot walk over to, this removes a genuine operational headache.

The prerequisites matter: Remote Login must be enabled beforehand, and the Mac needs network connectivity at the pre-boot stage. Set this up while you still have physical or remote access, not after the machine is already stuck.


Recovery keys move to the Passwords app

Tahoe also changes where FileVault recovery keys live. They are now stored in the Passwords app rather than only in iCloud generically. Because Passwords syncs through iCloud, you can pull up a recovery key from your iPhone, iPad, or another Mac, as long as you are signed into the same Apple Account with iCloud syncing on.

This is a practical improvement. A FileVault recovery key is the thing you desperately need exactly when you cannot get into your machine, so having it accessible from another device you already carry is the right place for it. Apple's Passwords app has been expanding steadily, and recovery-key storage is a natural fit.

Password change history

Staying in the Passwords app, Tahoe adds change history. Alongside the login details for an account, you now see when the password was created or modified. If you have changed a password since first saving it, a View History option shows the details of those changes, including the old passwords themselves.

That is a double-edged detail worth understanding. Being able to recover a previous password is genuinely useful when a change breaks something. It also means old passwords are retained, so if your Apple Account is compromised, that history is exposed too. Treat it as one more reason to keep your Apple Account locked down with a strong password and two-factor authentication.

Terminal paste warning

The last notable change is small but smart. Starting in macOS Tahoe 26.4, Terminal warns you when you attempt to paste something into the command line. Paste-based attacks are a real threat: a malicious webpage can put a dangerous command on your clipboard, sometimes with a hidden newline that executes it the moment you paste. A warning gives you a beat to notice before running something you did not mean to.
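
A way to look at clipboard text before it reaches a prompt, as an added example that is not from the original article or from Apple. The function name `inspect_paste` is hypothetical and the sample inputs are constructed; it flags the hidden line ends described above, plus other non-printing bytes.

```shell
#!/bin/sh
# inspect_paste: read candidate clipboard text on stdin and print findings.
# Returns 0 for single-line printable text, 1 if anything needs review.
inspect_paste() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0
    # Newline or carriage return: a pasted line end can submit the command.
    eol=$(LC_ALL=C tr -cd '\n\r' < "$tmp" | wc -c | tr -d ' ')
    if [ "$eol" -gt 0 ]; then
        echo "line-terminator: $eol newline/CR byte(s), text can run on paste"
        rc=1
    fi
    # Other control bytes (ESC, backspace, DEL ...) can change what is displayed.
    ctl=$(LC_ALL=C tr -cd '\000-\010\013\014\016-\037\177' < "$tmp" | wc -c | tr -d ' ')
    if [ "$ctl" -gt 0 ]; then
        echo "control-byte: $ctl non-printing byte(s) besides tab and line ends"
        rc=1
    fi
    # Show the bytes unambiguously: `sed -n l` marks each line end with $
    # and prints control characters as escapes such as \033.
    if [ "$rc" -ne 0 ]; then
        echo "preview:"
        LC_ALL=C sed -n l < "$tmp"
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed samples (harmless commands, not taken from a real incident).
printf 'ls -la' | inspect_paste && echo "sample 1: clean"
printf 'echo hello\n' | inspect_paste || echo "sample 2: flagged"
# On a Mac, check the real clipboard with: pbpaste | inspect_paste
```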

| Feature | What it does | Notes |
| --- | --- | --- |
| FileVault SSH unlock | Type boot password remotely after reboot | Needs Remote Login on and network |
| Recovery key in Passwords | Access FileVault key from any synced device | Syncs via iCloud and Apple Account |
| Password change history | See and recover old passwords | Old passwords retained; secure your account |
| Terminal paste warning | Prompts before pasting to Terminal | Added in 26.4; defends against paste attacks |

Setting up remote unlock safely

The remote unlock only helps if you configure it before you need it. Enable Remote Login in System Settings under General then Sharing while you have access, and make sure the Mac will have network connectivity at boot. Test it once by rebooting and unlocking over SSH so you know it works, rather than discovering a gap during a real incident.

Because SSH access to the pre-boot stage is powerful, treat the credentials and network path with care. Restrict who can reach the machine over SSH and use key-based authentication where possible.
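
A pre-reboot checklist for the setup described above, as an added example that is not from the original article or from Apple. The function names `unlock_preflight` and `sshd_value` are hypothetical, and the sample outputs are constructed. The script assumes the usual output formats of `fdesetup status`, `systemsetup -getremotelogin` and `sshd -T`; it cannot confirm pre-boot network connectivity, which still needs the reboot test.

```shell
#!/bin/sh
# unlock_preflight FV RL SSHD
#   FV   = output of `fdesetup status`
#   RL   = output of `sudo systemsetup -getremotelogin`
#   SSHD = output of `sudo sshd -T` (effective sshd settings, lowercase keys)
# Prints one finding per line; returns 0 only if both prerequisites are met.
sshd_value() {   # sshd_value KEY SSHD_TEXT -> first value for KEY, or empty
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

unlock_preflight() {
    rc=0
    case $1 in
        *"FileVault is On"*) echo "ok     FileVault is on" ;;
        *) echo "FAIL   FileVault is off, nothing to unlock at boot"; rc=1 ;;
    esac
    case $2 in
        *"Remote Login: On"*) echo "ok     Remote Login is on" ;;
        *) echo "FAIL   Remote Login is off, enable it under General > Sharing"; rc=1 ;;
    esac
    # Hardening item from the article (key-based authentication where
    # possible): reported for review, not counted as a failed prerequisite.
    pw=$(sshd_value passwordauthentication "$3")
    kbd=$(sshd_value kbdinteractiveauthentication "$3")
    if [ "$pw" != "no" ] || [ "$kbd" != "no" ]; then
        echo "review password-style logins are accepted for SSH sessions"
    fi
    return "$rc"
}

# Constructed sample outputs (not captured from a real machine).
unlock_preflight 'FileVault is On.' 'Remote Login: Off' \
    'passwordauthentication yes' || echo "not ready for remote unlock"

# On the Mac itself (assumes sudo rights):
#   unlock_preflight "$(fdesetup status)" \
#       "$(sudo systemsetup -getremotelogin)" "$(sudo sshd -T)"
```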

What to do right now

  • Enable Remote Login before you need remote unlock, not after.
  • Confirm the Mac has network connectivity available at the pre-boot stage.
  • Test the SSH unlock once by rebooting so you know the setup works.
  • Check that your FileVault recovery key appears in the Passwords app.
  • Secure your Apple Account with two-factor authentication, since password history is retained.
  • Note the Terminal paste warning and do not dismiss it reflexively.

Frequently asked questions

How does FileVault SSH unlock work in macOS Tahoe?

After a restart, if Remote Login is enabled and the Mac has a network connection, you can SSH into the machine at the pre-boot stage and enter the boot password remotely. The Mac then boots normally, without needing anyone at the keyboard.

What do I need to set up beforehand?

Enable Remote Login in System Settings and ensure the Mac will have network connectivity at boot. Configure this while you still have access, because you cannot enable it after the machine is already stuck at the pre-boot screen.

Where are FileVault recovery keys stored now?

In the Passwords app, which syncs through iCloud. As long as you are signed into the same Apple Account with iCloud syncing enabled, you can retrieve the key from your iPhone, iPad, or another Mac.

Can I recover an old password in Tahoe?

Yes. The Passwords app now shows change history, including when a password was created or modified and a View History option that reveals previous passwords. Because old passwords are retained, keep your Apple Account well secured.

What is the Terminal paste warning?

Added in macOS Tahoe 26.4, it prompts you before pasting content into Terminal. It defends against paste-based attacks where a malicious clipboard payload could run a command the moment you paste it.
