macOS Tahoe UI has a HUGE new feature for folks like me who have 24/7 Mac Minis running and access them remotely: you can now type the boot password remotely via SSH!

Power on the Mac, then SSH to it. A simple SSH server will handle your request. Typing the password there is equivalent to typing it on the keyboard. The connection then closes and the machine boots normally.

Combine this with "Start up automatically after a power failure" and you can ditch that KVM! #macadmins

@arroz huge thanks to the Apple people responsible for this! Hope they also made it work via screen sharing, but if not, at least it's better than plugging in a keyboard/monitor/trackpad to log in so I can ssh/screen share again after reboot.
@arroz @todd You can ssh once to unlock FileVault, and after it disconnects you, connect via screen sharing instead of via ssh again.
@todd afaik it’s been possible to log in to screen sharing on fresh boot since before Tahoe… I do it all the time
@via with FileVault enabled? None of the regular processes are running for me because the SSD is still encrypted.
@todd oh I forget if it is…
@via @todd it’s not with FileVault on
@arroz with filevault? yayyy
@ww With FileVault. :) It’s awesome!
@arroz now I'm really sad my old Mac mini didn't get the update ^^;
@arroz seriously? Wow. Limited to certain hardware? I mean, other than Apple Silicon of course.
@RecoveredExpert I assume it works on any Mac, at least Apple Silicon. Not sure about the few Intel that still run Tahoe. I didn’t have time to read the man page yet.
@arroz Well, the only Intel-based Mac that I would spend even a few seconds to think about is a 7,1 b/c of its max RAM for a select few tasks. But that machine is going to be obsolete soon as well.
@arroz Thank you for tooting about this! I have rearranged much of my life so I don't need a mac mini any more but this is _why_ I did that

@arroz (haven't owned a mac since the intel era)

Do these machines support wake on lan?

@Yuki They do, but it's not relevant for this, since we're talking about the password asked during boot and not on wake. AFAIK Macs can't be turned on via WoL, only woken up if the OS is already running and the machine is sleeping. The only way to power on a Mac remotely is using Lights Out Management, but only a few Macs support that and it requires a complicated external setup.

This new feature is helpful on reboots (machine already on) or if configured to power on after a power outage.

@arroz Oh, is there no way to just autounlock it via TPM at boot on macs? (well, or disable disk encryption, tho that’s not ideal)
@luana Not familiar with TPM, how would that work? Until now, on Macs, assuming you are using FileVault (aka, full disk encryption), when you power on the system, you would always need to type the password during the boot sequence to unlock the data volume, and allow the OS to carry on booting. This is the part that can be done via SSH now.
@arroz I tried this and it didn’t work for me 😭 gives a key exchange error (I think). Do you know if you have to connect via SSH first while the Mac is booted to whitelist it or anything like that? Or did you just reboot said Mac (with remote login enabled, of course) and SSH to it for the first time from another Mac? Thanks!
@jaffa Can you copy and paste the error here (delete any host name, IP and key hash before doing so)?
@arroz Heya! I’m not sure what was wrong but after a manual local reboot, I was able to try this after the subsequent boot and it worked fine. Very impressed! Thanks for the offer to assist though.
@arroz It's nice, but what is the practical usage of this? If you need to remotely unlock a FileVault-ed machine, does it mean it's a server? But who activates FileVault on a server? If the machine has to reboot automatically (power failure, typically), usually you want the machine to recover by itself as fast as possible, without having to wait for someone to manually enter a password…
@javerous It fits the use case perfectly for folks who have a Mac Mini acting as a server at home or at a small company/lab, where you don't have a "safe" data centre to host the machines at. Even those data centres are anything but safe: servers being stolen (with all their data) is a very common event, more than most people know. Many servers SHOULD use full disk encryption, but don't because there's no practical way to do that.
@arroz is this documented somewhere?
@mshdk There's a man page, not too detailed though. man apple_ssh_and_filevault or read here: https://keith.github.io/xcode-man-pages/apple_ssh_and_filevault.7.html

@arroz Is it necessary to enable ssh to the machine for this to have this functionality?
@stephen I think so, although I haven't tested with ssh turned off. But since it needs to access the generated hostkey somehow, I assume you need to enable SSH at least once.
@arroz Where do you turn this on?
@johann It's always on, at least if you have ssh enabled.

@arroz Is this vulnerable to evil maid attacks like the Linux SSH-to-initramfs equivalent?

Edit: since Apple has code signing and controls the whole boot process, I’m guessing it’s equivalently secure to entering the password on a physically connected keyboard, modulo SSH host authentication

@fysac You would have to ask Apple. I doubt it, since the entire boot sequence is extremely secure against that and other types of attacks, but don't take my word for it.
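
The unlock step from the first post and the host-authentication caveat raised just above, as an added example that is not from the thread and not Apple's code. It wraps the pre-boot unlock so the FileVault password is only ever typed into a peer whose SSH host key matches one pinned earlier while the Mac was fully booted. The hostname, local account name and dedicated known_hosts path are hypothetical; the script also assumes the pre-boot service presents the same host key as the booted system, which the thread suggests but does not confirm. If it turns out to use a different key, strict checking will refuse the connection: record that key the same way and compare fingerprints out of band rather than loosening the check.

```shell
#!/bin/sh
# Added example, not from the thread and not Apple's code: a wrapper for the
# macOS Tahoe pre-boot FileVault unlock over SSH that refuses to type the
# password into a peer whose host key is not the one pinned earlier.
# Hypothetical names: MAC_HOST, MAC_USER and the dedicated known_hosts path.
# Assumption: the pre-boot SSH service presents the same host key as the fully
# booted system (the thread suggests this; verify it on your own machine).

MAC_HOST="${MAC_HOST:-mac-mini.example.internal}"   # hypothetical hostname
MAC_USER="${MAC_USER:-localadmin}"                   # hypothetical local account
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts_mac_unlock}"

# Banner text quoted from the screenshot in the thread.
LOCK_BANNER_PREFIX='This system is locked.'

# record_host_key: run once while the Mac is fully booted, from a network you
# trust. ssh-keyscan writes the current host key into the dedicated file; the
# fingerprint is printed so it can be compared out of band with the Mac's own
# `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` output.
record_host_key() {
    mkdir -p "$(dirname "$KNOWN_HOSTS")"
    ssh-keyscan -t ed25519 "$MAC_HOST" > "$KNOWN_HOSTS" 2>/dev/null || return 1
    ssh-keygen -lf "$KNOWN_HOSTS"
}

# known_hosts_ready: 0 when a pinned ed25519 key exists in the file given as $1
# (defaults to KNOWN_HOSTS), 1 otherwise.
known_hosts_ready() {
    f="${1:-$KNOWN_HOSTS}"
    [ -s "$f" ] && grep -q 'ssh-ed25519' "$f"
}

# is_locked_banner: 0 when the text passed as $1 contains the pre-boot lock
# banner, 1 when it looks like a normal login (handy when logging sessions).
is_locked_banner() {
    printf '%s\n' "$1" | grep -Fq "$LOCK_BANNER_PREFIX"
}

# wait_for_ssh: poll TCP/22 until the pre-boot server answers after power-on.
wait_for_ssh() {
    tries="${1:-90}"
    while [ "$tries" -gt 0 ]; do
        nc -z -w 2 "$MAC_HOST" 22 2>/dev/null && return 0
        tries=$((tries - 1))
        sleep 2
    done
    echo "timed out waiting for $MAC_HOST:22" >&2
    return 1
}

# unlock: interactive SSH session with strict host key checking against ONLY
# the pinned file. A missing or changed key makes ssh exit before any password
# prompt, so the FileVault password is never typed into an unverified peer.
# Key-based auth is disabled because the pre-boot service wants the local
# account password (as in the screenshot), not a key.
unlock() {
    known_hosts_ready || { echo "no pinned host key; run '$0 record' first" >&2; return 1; }
    ssh -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o GlobalKnownHostsFile=/dev/null \
        -o PubkeyAuthentication=no \
        -o ConnectTimeout=10 \
        "$MAC_USER@$MAC_HOST"
}

case "${1:-}" in
    record) record_host_key ;;
    unlock) wait_for_ssh && unlock ;;
esac
```

Usage: `sh unlock_mac.sh record` once while the Mac is booted and you are on a trusted network, then `sh unlock_mac.sh unlock` after a power-on or reboot; the session drops you at the pre-boot `Password:` prompt, closes after the unlock, and a normal SSH or Screen Sharing login follows. Pointing GlobalKnownHostsFile at /dev/null matters: it keeps a stale or attacker-planted entry in the system-wide file from satisfying the check.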

@arroz

Alt text:
Screen shot of a terminal window with the contents:
arroz ~ & ssh [redacted]
This system is locked. To unlock it, use a Local account name and password. Once successfully unlocked, you will be able to connect normally.

[ Password: System successfully unlocked.

You may now use SSH to authenticate normally.

Connection closed by [redacted] port 22
arroz ~ &

#macadmins

@arroz works great, including remote with Tailscale sub net router. Thanks @ironicbadger