Remote Desktop: FileVault encryption blocks Mac login – workaround
If you run a Mac without a screen and use macOS with FileVault switched on, as Apple intends, you will run into a problem on every restart.
Apple Remote Desktop: practical for remote maintenance.
(Image: Apple)
Apple is prompting macOS users ever more insistently to turn on FileVault, the optional encryption of the startup volume – for example during major operating system updates or when moving to a new version such as macOS 26 Tahoe, which has been available since September.
Those who use this genuinely sensible protection can, however, find themselves in a predicament in one specific case, without any warning: operators of "headless" Macs, i.e. machines controlled remotely without mouse, keyboard and screen – on the home network or, if authorized, also over the open internet via tunneling, dynamic DNS and/or port forwarding. The problem: after a restart the system first boots only a minimal pre-boot environment whose sole job is to take the FileVault password and decrypt the startup volume. Apple Remote Desktop, macOS screen sharing and VNC are not running yet. The computer is therefore unreachable, and remote control stays blocked until someone unlocks it.
A security layer is removed
Apple treats this as a security feature: FileVault is meant to be unlockable only by someone physically present at the machine. The problem affects every ordinary cold boot or restart. macOS updates are the exception, since the installer normally performs an authenticated restart that unlocks the volume automatically afterwards. You shouldn't rely on that either. The FileVault issue has existed for a long time.
The simplest recommendation remains to turn FileVault off again on headless machines as soon as you have managed to log in (with screen, mouse and keyboard). The data does not then sit unencrypted: on Macs with Apple silicon or a T2 chip the internal SSD is always encrypted by the hardware. What FileVault adds is binding that key to the user's password, so that the volume cannot be unlocked without it. That is the additional layer against various forms of physical attack.
Unlock in the pre-boot dialog
Alternatively, since macOS 26 Apple offers another way out: for the first time, FileVault can be unlocked remotely over SSH from a terminal. That removes the lockout problem. To use it, first enable SSH in System Settings ("Remote Login" under General > Sharing). Unfortunately there is not yet a way to distinguish between "regular" SSH access and this pre-boot unlock; enabling one enables both.
Before rebooting, log in over SSH once as a test to make sure it works. After the restart, the SSH login greets you with a special prompt: it says the system is "locked" and must be unlocked with a FileVault-enabled account. Once you do so, the volume is decrypted and the normal boot continues; Remote Desktop & Co. can then be used as usual. One drawback: this login apparently does not work over Wi-Fi; at least a wired LAN connection must exist.
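As an added example (not from the article and not Apple's code): a preflight script to run over SSH on a headless Mac before you reboot it, covering the prerequisites the section above describes, namely Remote Login enabled, FileVault on, an unlock-capable account, and a wired rather than Wi-Fi link for the default route. It assumes the output formats of `systemsetup -getremotelogin`, `fdesetup status`, `fdesetup list`, `route -n get default` and `networksetup -listallhardwareports` as they have appeared in recent macOS versions; the file name fv-preflight.sh and the sample command output in demo() are constructed for illustration.

```shell
#!/bin/sh
# fv-preflight.sh: checks to run on a headless FileVault Mac (macOS 26 Tahoe)
# before rebooting it. Added example for this article, not Apple's code.
# It verifies what the SSH pre-boot unlock described above depends on:
#   1. Remote Login (SSH) is on                -> systemsetup -getremotelogin
#   2. FileVault is on                         -> fdesetup status
#   3. the unlock account is FileVault-enabled -> fdesetup list
#   4. the default route uses a wired port, not Wi-Fi
#                                              -> route -n get default,
#                                                 networksetup -listallhardwareports
# Parsers take command output as text, so they can be exercised off-box against
# the constructed samples in demo(); preflight() runs the real commands (sudo).

# systemsetup prints "Remote Login: On" or "Remote Login: Off".
remote_login_on() {
  printf '%s\n' "$1" | grep -q '^Remote Login: On$'
}

# fdesetup status prints "FileVault is On." or "FileVault is Off." first.
filevault_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# fdesetup list prints one "username,GeneratedUID" line per enabled account.
# $1 = that output, $2 = the account you plan to unlock with.
unlock_user_enabled() {
  printf '%s\n' "$1" | cut -d, -f1 | grep -qx -- "$2"
}

# networksetup prints "Hardware Port: <name>" / "Device: enN" pairs. Look up the
# port for device $2 and succeed only if it is not the Wi-Fi (or AirPort) port.
device_is_wired() {
  port=$(printf '%s\n' "$1" | awk -v dev="$2" '
    /^Hardware Port: / { sub(/^Hardware Port: /, ""); p = $0 }
    /^Device: /        { if ($2 == dev) { print p; exit } }')
  [ -n "$port" ] && [ "$port" != "Wi-Fi" ] && [ "$port" != "AirPort" ]
}

# Live check. Usage: sudo sh fv-preflight.sh [unlock-account]
# Exit 0 means every check passed and a headless reboot should be recoverable.
preflight() {
  acct=${1:-${SUDO_USER:-$(id -un)}}
  rc=0
  if remote_login_on "$(systemsetup -getremotelogin 2>/dev/null)"; then
    echo "ok    Remote Login (SSH) is on"
  else
    echo "FAIL  Remote Login is off (System Settings > General > Sharing)"; rc=1
  fi
  if filevault_on "$(fdesetup status)"; then
    echo "ok    FileVault is on"
    if unlock_user_enabled "$(fdesetup list 2>/dev/null)" "$acct"; then
      echo "ok    $acct is a FileVault-enabled account"
    else
      echo "FAIL  $acct cannot unlock FileVault (see: sudo fdesetup list)"; rc=1
    fi
  else
    echo "note  FileVault is off; no pre-boot unlock is needed"
  fi
  dev=$(route -n get default 2>/dev/null | awk '/interface:/ { print $2 }')
  if [ -n "$dev" ] && device_is_wired "$(networksetup -listallhardwareports)" "$dev"; then
    echo "ok    default route leaves via wired port $dev"
  else
    echo "FAIL  default route is on ${dev:-no interface}; pre-boot SSH needs a wired link"; rc=1
  fi
  return $rc
}

# Off-box demo with constructed command output (not captured from a real Mac).
demo() {
  hw='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:00:00:00:01

Hardware Port: Ethernet
Device: en1
Ethernet Address: 00:00:00:00:00:02'
  remote_login_on "Remote Login: Off" || echo "demo: Remote Login off is detected"
  unlock_user_enabled "admin,00000000-0000-0000-0000-000000000001" admin \
    && echo "demo: admin is FileVault-enabled"
  device_is_wired "$hw" en1 && echo "demo: en1 is wired"
  device_is_wired "$hw" en0 || echo "demo: en0 is Wi-Fi, unsuitable for pre-boot SSH"
}

if [ "$(uname -s)" = Darwin ]; then preflight "$@"; else demo; fi
```

Run it as `sudo sh fv-preflight.sh <account>` before `sudo reboot`; systemsetup and `fdesetup list` need root. Any FAIL line means the restart could leave the machine unreachable until someone walks over to it with a keyboard.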
(bsc)