←back to thread

Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 1 comments | 18 Sep 25 20:15 UTC | HN request time: 0s | source
Show context
reader9274 ◴[18 Sep 25 20:47 UTC] No.45294811[source]
So you're saying i can now have a fully remote mac mini server with auto-reboot on power outage without the need to physically log in with a keyboard attached? Awesome
replies(11): >>45295194 #>>45295532 #>>45295803 #>>45295918 #>>45296499 #>>45298327 #>>45298862 #>>45298996 #>>45299462 #>>45300622 #>>45300893 #
varenc ◴[18 Sep 25 21:25 UTC] No.45295194[source]
You can also do this:

   sudo fdesetup authrestart -delayminutes -1
which will make the computer auto login to the chosen account on next reboot, without having to type in a password. Only lasts once. Has obvious security downsides though but that might be fine.
replies(2): >>45295374 #>>45296504 #
eastbound ◴[18 Sep 25 21:42 UTC] No.45295374[source]
But then you could just disable FileVault?
replies(2): >>45295885 #>>45296333 #
johncolanduoni ◴[18 Sep 25 23:38 UTC] No.45296333[source]
This only puts the key in NVRAM until the next restart - so if you run it just before you restart an attacker would have to happen to grab the device in those few minutes.
replies(1): >>45297622 #
anyfoo ◴[19 Sep 25 03:20 UTC] No.45297622[source]
The stated problem was power outages. I did not verify the syntax of the proposed solution, but -1 looks like it disables the delay. So, indefinitely until the next reboot? Which, if the key is indeed saved in NVRAM (I don’t know), means someone can take the machine and have it unlocked at their destination.
replies(2): >>45297804 #>>45299265 #
johncolanduoni ◴[19 Sep 25 03:59 UTC] No.45297804{5}[source]
It used to be NVRAM at least, but that was before the integrated Secure Enclave. Now it could in theory store it there and only unlock if the boot chain is validated (similar to the automatic TPM-based unlock that Windows uses by default).
replies(1): >>45298916 #
1. anyfoo ◴[19 Sep 25 07:33 UTC] No.45298916{6}[source]
Right, but my point was, if the idea is to do this to have an automatic unlock on power outages (and if this persists across power outages), it’s not just a few minutes, it’s indefinitely.