
macOS 26 Tahoe Pushes FileVault Use

In his review of macOS 26 Tahoe at Ars Technica, Andrew Cunningham writes:

One other tweak to the install process is the default behavior for Apple’s FileVault disk encryption. If you sign in to an Apple account as part of setting up macOS, FileVault now turns on automatically, and also automatically uses your Apple Account for recovery in the event something goes wrong. …

But if you decline to sign in with an Apple Account during setup, just creating a local account, the macOS installer offers FileVault encryption, generating a recovery key that you can write down and store elsewhere, but it’s possible to skip FileVault entirely.

It’s frustrating when Apple makes setup choices for us during installation, but in this case, the security benefits are worthwhile. While Macs with Apple Silicon or Intel-based Macs with a T2 security chip already hardware-encrypt their drives, FileVault adds boot protection that prevents unauthorized access to data on the drive even if someone has physical access to your Mac. There’s no noticeable performance hit from this encryption.

The only slight downside of enabling FileVault crops up if you lose your login password. That could happen with a long-unused Mac, for someone experiencing cognitive decline, or if there is corruption in the recovery partition where FileVault stores its password data. In these cases, the Recovery Key offers an alternative login credential. Without the login password or Recovery Key, you cannot log in to your Mac (which is also true when FileVault is disabled), and your data stays encrypted (with FileVault off, the Mac’s hardware key alone would be enough to decrypt the data).

In other words, turning off FileVault makes it more likely that a firm like DriveSavers could recover your data if you lose access to your password and have no backups. However, it also makes it easier for a hostile government agency to access your data without permission or your knowledge, something that’s less confined to the realm of thrillers than it used to be. I recommend that everyone use FileVault, but if you’re uncomfortable with extra protection from hostile governments, you can always turn it off in System Settings > Privacy & Security > FileVault.

Another new aspect of FileVault setup in macOS 26 is that Apple no longer allows you to store your Recovery Key in your iCloud account, as Glenn Fleishman explains at Six Colors. Apple likely made this change to prevent a hostile government from forcing the company to reveal a user’s Recovery Key. However, macOS 26 now automatically stores the Recovery Key in Passwords instead of showing it only once during setup, and you can still save it in another password manager or print it, as you prefer. One interesting quirk—FileVault recovery keys automatically stored in Passwords in macOS 26 sync to other devices running OS 26, but not to those running older operating system versions, which could complicate recovery.


Comments About macOS 26 Tahoe Pushes FileVault Use

Notable Replies

  1. Haven’t considered myself a target for “hostile governments,” but consensus on what “is” a hostile government seems to be in flux.

  2. Yeah, that’s kinda annoying for sure. Fortunately some others here had tipped me off to this, so I paid attention to the rather innocuous announcement during the first use of macOS 26 that “Your computer is now protected by FileVault…”. I immediately tried to turn it off, but the little slider toggle wouldn’t. I continued with the rest of the setup process, and after that was completed (perhaps it was when I authenticated to iCloud?), I was able to turn it off.

  3. Today I learned that for T2 and Apple Silicon Macs, you can ship the entire logic board or entire computer to DriveSavers for data recovery.

  4. It would also be a really good idea if you had your data in human readable format on another disk. I tried restoring from a Super Duper! external disc. When I rebooted the internal disc, it wouldn’t recognize my password.

    I had to completely erase the disc and reinstall then restore my data from Time Machine using migration assistant.

  5. C J

    The only slight downside of enabling FileVault crops up if you lose your login password. That could happen with a long-unused Mac, for someone experiencing cognitive decline…

    People forget passwords all the time and it has nothing to do with cognitive decline. Estimates are that 50% of people reset at least one of their passwords monthly because they forget it. I’ve forgotten passwords after a two week vacation. The File Vault Recovery Key would seem to be a prime candidate to misplace or forget. If you use the default method, then you only need to access your Apple Passwords to get the recovery key.

    Another new aspect of FileVault setup in macOS 26 is that Apple no longer allows you to store your Recovery Key in your iCloud account

    If it is in Passwords, doesn’t that mean that it is in the iCloud account as long as you use iCloud Passwords?

  6. We’re not talking about just any password, but your login password, which you have to enter regularly to use your Mac at all, even if you also use Touch ID or an Apple Watch to login. It’s hard to imagine how you’d forget the password to a device you’re actively using.

    I don’t know the exact architecture of how the data was stored before, but iCloud Keychain, the technology behind the syncing in Passwords, is end-to-end encrypted, so there’s no vulnerability to that information being in the cloud. My suspicion is that the previous approach did not use E2EE. @glennf may know more.

  7. Previously, Apple managed the iCloud key escrow. It only required your Apple Account login to obtain. So, while unlikely, if someone gained access to your computer and had your Apple Account login, they could unlock your drive without the macOS account password.

    In this configuration, the Recovery Key is always secured by device-based encryption. If you are in a macOS session, you need Touch ID or the macOS account password to view the stored Recovery Key. If using Passwords, you need Face ID, Touch ID, or a passcode or password to view the key, and to access Passwords, you need to have the device in hand and be able to unlock it through one of those authentication methods as well.

    Because Passwords syncs using iCloud Keychain, as Adam notes, it’s end-to-end encrypted.

    I believe because Apple only used account security previously, a government could subpoena access to an iCloud account and thus unlock someone’s Mac if that method were enabled.

  8. If you use a password manager - Dashlane for example - and put your recovery and password in that and have the password manager on your iPhone, you should be able to access it even if one device goes down hard.
    David

  9. Unless your Mac is configured for automatic login. Or does macOS sometimes force you to authenticate even then?

    If you were automatically logging in, and then the system surreptitiously turned on FileVault (effectively preventing auto-login), you might have a real problem if you didn’t have the password recorded in an off-line location.

  10. I don’t disagree with the point you’re trying to make here, but I will point out that thanks to TouchID I in fact do enter my Mac’s login password very very rarely. Essentially, only when I need to reboot the Mac, which is, apart from upgrade palooza, quite rare actually.

  11. Well, the solution to this is to put your login password or recovery password on a yellow Post-it note that you affix to your monitor as I saw in countless offices over the years.

    :smiley:

    Dave

  12. It will still probably prompt for the password every 6.5 days regardless. I certainly hit this regularly.

    The user hasn’t used their passcode or password to unlock their device for 156 hours (six and a half days), and the user hasn’t used biometric authentication to unlock their device in 4 hours.

  13. I sure hate this. I wish there was a way to extend that time. With several iPads, a phone, a watch, and multiple Macs, I have to type in my password on one or two devices every flipping day!

    It really makes me consider using a shorter, less secure passcode for unlocking, which is the opposite of the intent.

  14. I truly believe the intent is to make sure that users type the passphrase at some point so that they don’t forget it, as forgotten passphrases probably result in a lot of frustrating support calls and visits, and it would be worse if people weren’t prompted often enough. One week is probably a pretty good way to do that.

    That said, an option, well hidden behind one of those circle-i icons, that says, “I am a power user who will take responsibility for knowing my password, so don’t prompt me for it so often” would probably be good for many of us here.

  15. I have a headless server and therefore need the server to restart without intervention (no keyboard, mouse or monitor). The only way I can find is to turn off FileVault and then the ‘Automatically login after restart’ option is shown in the Login Password Preference.

    I had to permit the file vault encryption to start and then turn it off after that first MacOS 26 bootup on my M1 Mini was complete. While I admit Apple did display a message upfront that file vault was turned on, I had to scratch my head to remember why that was a potential problem …

  16. This is so very familiar to me. Even for Servers, I saw people do this.

  17. Very true, and why so many people re-use passwords everywhere. By forcing excessive password use it is, in essence, creating the environment for single passwords for everything.

    I just did a quick check and I have over 500 passwords stored - all of them are different as I went through the process when I moved from 1Password to Apple Passwords.
    I had staff members at work who used the same password for everything from their Netflix login to their bank accounts - and they openly talked about it. Truly horrifying.

  18. Related:

    It comes as a surprise to many, but the US National Institute of Standards and Technology has recommended for several years that passwords should not have mandatory expiration dates for exactly that reason. Instead, they recommend using lengthy passphrases and password managers.

    For those interested in the source material, it is somewhat technical. You can find more information in NIST SP 800-63-4 (Section 3.1.1.2.6) and the more general NIST SP 800-53 (PDF).

  19. It looks like this is no longer the case with MacOS 26! You can now enable FileVault and still boot remotely. A really nice change (though I no longer manage a headless server so won’t directly benefit).

  20. As someone who has spent many months over the years trying to recover files from failing disks, FileVault would have been a disaster. In most cases, I have been able to recover 80-90% of the files completely and earned the owner’s eternal gratitude. If they were encrypted, I may have been able to recover the files but would the contents ever be able to be used?

    Perhaps the problem has gone away with the use of SSDs. With magnetic disks, you could just keep reading a block hundreds of times and if once it worked, you had the data. From my experience, an SSD is either working or irretrievably dead.

  21. Given that all data on Apple internal SSDs is already encrypted, I don’t think historical experiences with recovering data from hard disks are particularly relevant anymore. That’s why I explicitly described it as DriveSavers-level recovery that would use the Mac’s hardware key to decrypt the data as it was being recovered. Plus, SSDs and modern filesystems are less likely to suffer corruption to start.

    Of course, none of this extreme data recovery is necessary when data is backed up, as it should be.

  22. I use Touch ID most of the time, too, but my Mac appears to want password authentication once a week or so, just like my iThings.

  23. I can imagine situations where it would be good to have File Vault enabled. For now, however, having nothing to hide, I store nothing on my drives that I wouldn’t be willing to share with anyone. I don’t keep, say, unencrypted passwords or recovery keys on my drives, but I do want my heirs/executors/holders of powers of attorney to be able to access my records.

    Maybe I’m just thinking about such eventualities because of my age, but I also remember having to do the same as executor of my dad’s will. His iBook wasn’t password protected (a small relief at the time), but his estate-relevant information was kept in AppleWorks formats, and it took me some effort to find applications that could extract information from those files. (Pages, for example, was introduced just after my father’s death.)

  24. Just a quick warning though: in my work as an Apple-specific consultant, I’ve seen folks experience serious data loss due to FileVault corruption of some kind. We never could figure out how it happened, but we had no recourse but to erase the drive and set up as new. I’ve never trusted FV since then.

  25. I believe that should no longer be an issue for Apple Silicon or Intel machines with T2 and SSD boot drives - which should be the only machines running Tahoe. If I am reading Howard Oakley’s explanation right, data is always encrypted on these drives, and turning on FileVault should only protect the actual encryption key from anyone without the passphrase to an account with FileVault unlocking permission. So, turning on FileVault on these machines does not change the encryption of data on the volume at all, so should not cause any sort of corruption.

  26. I think it’s based more on how long since you used the laptop…at least that’s what happens to me. But maybe it’s both that and periodically anyway.

  27. Some things that are important to know for those of you who administer Macs and/or running a Mac as a server. If FileVault gets enabled, you can’t access the login screen over the network (immediately following boot up). AND following a power on, or reboot, if the system isn’t logged into within a certain time window (seems like 5-10 minutes), the system will shut down. These factors can really screw you over, if you aren’t prepared for them.

    Regarding the talk of getting locked out…

    I’ve been an independent Apple consultant for 25+ years and I regularly encounter people that “forget” their login password. This used to not be a big deal. There were workarounds. But those went away in recent years, as Apple has tightened up Mac security.

    This makes it important to have an alternative admin login on every Mac. Especially in light of a Mac OS bug that rears its head sometimes, where even typing in the correct password is not acknowledged as correct and you get locked out of user account.

    There are only two workarounds:

    1. Boot into Restore mode and use terminal ‘resetpassword’ command (a pain for those not familiar)
    2. Boot into alternate admin account and reset the user account password in question (you can reset it to the same thing that it was before, this action unlocks the account in question).
  28. Does anyone know how long after a reboot ssh login is available on a headless server running Tahoe and the boot volume is encrypted by FileVault?

  29. You can with Tahoe, as long as the Mac is on ethernet and you have remote access sharing enabled.

    See “You can finally manage Macs with FileVault remotely in Tahoe” by Jeff Geerling:

    But with macOS Tahoe, if you have ‘Remote Access’ enabled in your Sharing settings (this enables SSH access), you can now log in via SSH pre user login, then enter an Administrator’s account password to ‘unlock’ the machine and complete the full boot.

    And at that point, you can either log in via normal SSH, or use tools like Screen Sharing.

    One quirk: if my Mac was only connected to WiFi, I couldn’t get connected pre-login. If I plugged it into Ethernet (wired networking), it worked fine. Not sure if that’s a bug or if that’s by design (maybe the WiFi password, which is stored in the account’s Keychain, isn’t accessible during early boot stages when the ‘lightweight SSH’ server is running?).

  30. Can you explain how this happens? They can’t use the Mac without it, so it’s hard to see how they could forget without some effort, such as changing it multiple times in quick succession and then not needing it for the maximum 6.5 days before being asked again.

  31. Auto-login. If you auto-login to an administrator account, you might never need the password.

  32. Though if you’re using auto-login, I believe macOS prevents you from using FileVault, so forgetting a password on a Mac that does auto-login couldn’t cause additional data recovery problems due to FileVault boot protection.

  33. I can say that this has happened to me. I created a new user account on a Mac, basically a temporary account to try something out, and forgot to write down the password, and couldn’t remember or guess the password the next time I wanted to use the computer with that account. Of course this was fine with me - I could just roll my eyes at myself, log in to my normal account, delete the account, and create a new one again.

    So I could see the scenario: a user gets a new computer, sets up the first account, uses the computer for a while, and then can’t remember the password the next time they are prompted for it - because it is possible to use a computer, as you say, for up to about a week before being prompted for the passcode again. I see this a lot, usually about phones or iPads, on Reddit - though I sometimes suspect it is someone who has “found” a device and is trying to find a workaround for knowing the passphrase, I truly believe that there are people who set up these devices and almost immediately forget their passcode. Actually, it seems to happen a lot with Apple Account / Apple ID passwords.

  34. Alzheimer’s. This is not a joke.

  35. Fair enough, though in such a scenario, there’s little opportunity to create enough data that being unable to use DriveSavers-level repair would be problematic.

    Which was why I specifically said in the article: “for someone experiencing cognitive decline.” It’s very sad, and I’m sure it happens all the time. :pensive_face:

  36. Thanks Doug, good to know…

  37. I’ve been an independent Apple consultant for 25+ years and I regularly encounter people that “forget” their login password.

    Ditto, but I would say it happens astonishingly often.

    They set-up their new computer and then are aghast a year later when they need to put in their login password because: auto-login was set; they never updated the OS; they never installed new software; they never wrote anything down.

    Further, you have folks who get nervous when they’re asked for their AppleID, Apple Account, or Administrator login. (Gee! Might Apple want to make a clear visual and verbal distinction when requiring nervous-making things?) And then they mistype things long past the try-limit and . . . meltdown.

    Don’t even talk to me about banks & credit card sites with quiz questions, 2FA, etc. which seem to cause near collapse when passwords are forgotten and money is on the line.

    This is why, to the great amusement of my more discerning clients, that I forced them to purchase a notebook and note down every password they have—every time they changed it (put a lot of blank spaces between entries). On paper. In ink. And kept in a secret drawer that only their wives and husbands and trusted second-in-commands know about.

    For fancy persons using password managers, I forced them to print out the database every 6 months or so. (Apple’s Passwords now makes this very easy where you can export a CSV.)

    Why? Because when you’re distracted and/or beside yourself with worry about making the mortgage payment in time paper & ink is hugely comforting.

    Dave

  38. We had an office of about 50 Macs. Everyone had access to the same things and everything was on the servers so machine security wasn’t really an issue. Many of these machines would have been logged in for many months without restarting and if you asked a user for their password they would have no idea. They’d give their email password, their server login and pretty much anything other than the machine password. We caved and ended up giving all machines the same login and they’d need to call admins for any updates (that was a requirement anyway - no-one could install anything without the admin’s approval). I should point out everyone had different server and email logins which were deactivated when someone left.

    It wasn’t highly secure but worked for us. The point is machines can go for lengthy periods without requiring a password. Our record for a machine being on was over 5 years - an old Filemaker Server which just ran until we changed systems.

  39. All these stories about how people forget their passwords make me think we should recommend FileVault even more strongly, since then they won’t be able to use auto-login and forget their password.

  40. I do tech support for an elderly relative who lives across the country. When I migrated her from an old to new iMac, I turned on keychain sync, so that a) it would transfer the login items, and b) back them up to iCloud.

    But keychain sync requires FileVault. And that means no more auto login. And worse, it isn’t possible for me to remote control the iMac until she enters the login password – which she forgets.

  41. I’m not sure that is correct, at least not in all cases. I have two Macs running Sequoia syncing their Keychains without using FileVault.

  42. For an elderly person like this and for a home computer (not a portable phone), is password security so critical? Can’t you just use her name as the password? Hopefully she wouldn’t forget that.

  43. She would forget that her password is now her name.

    She got locked out of her computer earlier this year. We think she entered the wrong password too many times. That was a pain to fix; my brother had to do it with me helping, but it didn’t help that I mistyped the correct password in an IM to him, so he kept entering the wrong password! Oops.

  44. She would forget that her password is now her name.

    I’ve done this for non-tech people and I put a reminder in the “hint” (“your password is your first name”).

    Not secure at all, of course, but for these users, that isn’t the main problem.

  45. I’ve done this for non-tech people and I put a reminder in the “hint” (“your password is your first name”).

    Not secure at all, of course, but for these users, that isn’t the main problem.

    That’s an excellent suggestion.

    And now, feeling expansive and with a little wine down the hatch I’m going to put up a :umbrella_on_ground: and say a few things.

    Given the audience here, enthusiasts, sys-admins, programmers, and other-like of long-standing what I’m going to say may sound like anathema but it’s not.

    For the vast majority of users inside institutions or without these security “improvements” are a huge pain in the ass. They just don’t care about this stuff and when they encounter it they are confused, scared out of their wits, or pissed-off and then they make mistakes that make things worse.

    For the average home user, there is absolutely no need for full disk encryption and no need for 32 character passwords with upper & lower case, punctuation, and odd unicode symbols. The likelihood of state actors visiting your grandmother’s house to discover her secret messages with a friend in Bulgaria is laughably tiny.

    And in institutions, the requirement for monthly password changes and the like causes a tsunami of post-it notes on monitors. (By the way, NIST suggests not requiring monthly password changes.)

    Now, if you’re working in a bank, or a deliberately secure environment, the more security the better and it’s part of your job to deal with it. If you’re a road warrior with trusty laptop you absolutely want FileVault because there’s a damn good chance you’ll leave that laptop under your seat in your haste to get out of the damn plane.

    When I put on my old programmer pants I’m horrified at the energy expenditure to encrypt 60 500M Photoshop files, but our modern systems are so bloody fast, I guess I should let that go.

    I’m an advocate of local encryption. In other words, use an encrypted .dmg for your most vital information with a password that you’ll remember even after a 6-hour bender. As for the rest, if the evil guy wants to look at my scans of 1887 daguerreotypes why go right ahead! (By the way, what evil guy? How many of you have had large bearded guys with Jolt cola in a holster at their belt come clambering in the window to invade your computer?)

    Smartphones are different because you carry them with you all the time, they often have vital personal information, and they are stolen regularly. The better they lock those down the better we’ll be. But your home computer in your Fortress of Solitude? Please.

    A while ago, my sisters came to visit and both needed to use my workstation to print boarding passes. They asked for the password. I gave it. They erupted in laughter because it was so simple and they both had been working in academic/medical environments for years where excruciating irritation with passwords was a given.

    For most people, the real danger is phishing and other web subterfuges. No password will prevent you from being hoodwinked though I suppose if you used a 64-character password with suitable unicode oddities the likelihood that the scammers could note it down is low.

    :slightly_smiling_face:

    Dave

  46. Awesomely entertaining turn of phrase.

    Also, now I know what to look for.

  47. The most common malware attacks with human agents I see at the senior community where I live, and at the university where supported humanities faculty and students most often involved a Trojan utility or browser add-on toolbar, or those scams that make loud buzzing sounds and produce multiple dialogs telling users they have been infected/hacked and should call (Apple or Microsoft, etc.) immediately with a toll free number.

    There’s a phone call version of this, but ultimately the scam involves the user giving the bad actor remote access to the computer or their bank account or both.

    Given the difficulty of remote logging in under Tahoe & FileVault, that might be a reason to leave it on. People here have lost thousands; one woman lost over 50K to a similar “IRS” scam.

  48. Given the difficulty of remote logging in under Tahoe & FileVault, that might be a reason to leave it on. People here have lost thousands; one woman lost over 50K to a similar “IRS” scam.

    That’s awful! 50K!?

    I don’t think it’s all that difficult to do remote login under Tahoe. Most of the screen-takeover scammers that tell you to call them because a very important doohickey in your OS is melting down use remote viewing software like LogMeIn and the like and they persuade the user to install it for them.

    Some of these scoundrels are very persuasive. I had an old friend, professor, computer user for 20+ years, who was caught by one. I got a call from his wife who was worried about what was happening. She had tried several times to get him to break-off but he brushed aside her concerns. As soon as I heard the description I knew he was in trouble because they were already remotely bouncing around his system. I told her to walk over, completely shut down his system no matter what he said, and exchange his phone for hers so I could explain what was happening. Phew. He just barely escaped being hit-up for a $300+ fee for their “repairs.” Took me an hour-plus to remove all the crap they dropped in his system. He was extremely embarrassed about this incident but the fact was the crooks were damn good at their job.

    So, I’m afraid FileVault and secure passwords are truly no match for social engineering swindlers. I’ve had some success in inoculating people against this by personally showing them how these work, how to fix it, and how to ignore the patter. Just sending around a warning note doesn’t work very well.

    Sigh.

    Dave

  49. My article triggered DriveSavers to post about how there are a number of edge cases where it might seem like recovery would be impossible due to the use of FileVault, but where they’ve been able to get data back in the past.

    Of course, the only time drive recovery would be needed is when there are no backups.

  50. There is a Take Control ebook on Digital Legacy which covers many aspects of this. I have used it as a basis for a talk I give to groups of mainly older people with low computer literacy. The purpose is to make them think about these issues before it is too late. And with default encryption of disks, unless you know the password to the Mac, it is past recovery.

  51. It is not only old people. I have had clients who have been using their Mac for 20 years through various new Macs. They set up the password then, and have never needed it since. (It is amazing to see apps from 20 years ago still sitting in the Applications folder.)

  52. Wow. I have a hard time believing that someone could go anywhere near 20 years, or even a year, without entering their login password. Even with auto-login set up and them rejecting every macOS update that was offered, I would expect something in macOS to ask for the login password at some point. Back in the day, I think it was possible to have no password at all in Mac OS X, so pressing Return just continued—I wonder if that might still be possible on migrated accounts.

    But hey, maybe there’s a way to do this, however much of a bad idea it is.
