←back to thread

Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 3 comments | 18 Sep 25 20:15 UTC | HN request time: 0s | source
Show context
mmaunder ◴[18 Sep 25 20:37 UTC] No.45294710[source]
There’s an attack vector in there somewhere.
replies(3): >>45294968 #>>45295595 #>>45300986 #
xoa ◴[18 Sep 25 21:01 UTC] No.45294968[source]
Kinda struggling to think of what, beyond the well understood risks of using password-based SSH at all. But that's easily ameliorated by sticking it behind Wireguard or something similar. I think this is a pretty welcome change vs turning off FV entirely which I've had to do with Mac servers in the past.
replies(3): >>45295011 #>>45296172 #>>45301008 #
adastra22 ◴[18 Sep 25 21:06 UTC] No.45295011[source]
Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before. Can this recovery key be used to unlock over SSH?
replies(3): >>45295348 #>>45295489 #>>45295543 #
pseudalopex ◴[18 Sep 25 21:54 UTC] No.45295489{3}[source]
> Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before.

Yes and no according to Glenn Fleishman. Storing FileVault recovery keys in iCloud Keychain wasn't a choice before. The old iCloud recovery method wasn't end to end encrypted. But iCloud Keychain is. So calling it escrow is debatable. And old recovery keys aren't added to iCloud Keychain. But new recovery keys are stored in iCloud Keychain if enabled.[1]

[1] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-...

replies(1): >>45297329 #
1. adastra22 ◴[19 Sep 25 02:25 UTC] No.45297329{4}[source]
I can confirm that old recovery keys are added to the iCloud Keychain, even if you explicitly opted out of iCloud recovery before. This is exactly what happened to me when I upgraded my systems to macOS 26 yesterday.

iCloud Keychain is NOT the same security as a hardcopy written down recovery key, which is what I used before. This is absolutely a forced change in security policy that was not communicated or opted into by the user.

replies(1): >>45297661 #
2. pseudalopex ◴[19 Sep 25 03:27 UTC] No.45297661[source]
Was iCloud Keychain enabled before you upgraded? Or was it forced on?
replies(1): >>45297711 #
3. adastra22 ◴[19 Sep 25 03:37 UTC] No.45297711[source]
I use iCloud keychain as my password manager, just for other things.