Automated FileVault unlock via external secret provider in headless server deployment

We are deploying Mac mini nodes in a headless server environment. FileVault is required for security compliance, but the boot-time unlock requires physical user interaction, which is incompatible with unattended server deployments. We understand that FileVault by design requires an external actor to provide the unlock secret. What is the supported mechanism for an external trusted service to supply that secret automatically at boot — similar to BitLocker + TPM + network unlock on Windows — without requiring physical access to the machine?

If you're running in a headless environment, can you assert that the machine will not be sleeping or hibernated?

That could potentially be automated (or at least done without physical access) if having Remote Login enabled is an option:

Unlock FileVault using SSH

That is where I was going with that. But it doesn't help you if the machine has lost network access by dint of being asleep/hibernated 🫠

Also useful if you set up ahead of time to make sure you have uptime even in the event of a kernel panic or power failure.
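As an added example (not code from the thread or from Apple), here is a POSIX sh pre-flight check for the "will it stay awake" question raised above, plus a helper that applies the always-on settings the replies allude to (no sleep, automatic restart after a freeze or power failure). The expected values in `EXPECTED_PMSET` and the choice of `pmset`/`systemsetup` keys are this example's own policy assumptions, not anything the thread prescribes; the sample `pmset -g custom` text used for testing is constructed.

```shell
#!/bin/sh
# Added example: before relying on SSH to unlock FileVault on a headless Mac mini,
# confirm the node cannot go to sleep or hibernate (which would drop the network
# and the SSH path) and that it comes back on its own after a panic or power loss.
# Assumption: `pmset -g custom` prints one "key  value" pair per line, grouped
# under "Battery Power:" / "AC Power:" headings. The AC Power section comes last.

# Policy for an always-on node (this example's assumption, not a vendor default).
EXPECTED_PMSET="sleep=0 disksleep=0 hibernatemode=0 autorestart=1 womp=1"

# check_pmset_output reads `pmset -g custom`-style text on stdin and prints one
# line per setting that is missing or differs from EXPECTED_PMSET.
# Returns 0 only when every expected setting matches.
check_pmset_output() {
    _input=$(cat)
    _rc=0
    for _pair in $EXPECTED_PMSET; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        # Take the last matching line so the AC Power section wins when both
        # sections list the same key.
        _got=$(printf '%s\n' "$_input" | awk -v k="$_key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$_got" ]; then
            echo "MISSING $_key (want $_want)"
            _rc=1
        elif [ "$_got" != "$_want" ]; then
            echo "MISMATCH $_key=$_got (want $_want)"
            _rc=1
        fi
    done
    return $_rc
}

# apply_always_on writes the policy above with pmset and enables automatic restart
# after a kernel panic (freeze) or power failure. Must run as root on the Mac itself.
apply_always_on() {
    for _pair in $EXPECTED_PMSET; do
        pmset -a "${_pair%%=*}" "${_pair#*=}"
    done
    systemsetup -setrestartfreeze on
    systemsetup -setrestartpowerfailure on
}

# On the node itself, run the check against the live configuration with:
#   pmset -g custom | check_pmset_output
```

Run the check from your deployment tooling before enabling the SSH unlock workflow; a non-zero exit means the node can still lose network by sleeping.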
