3 min read

Secure Remote Development with YubiKey, macFUSE, and SSHFS on macOS

Missed Part 1? Read how we securely store and use SSH keys with YubiKey and 1Password

When working on client infrastructure under strict security requirements—think ISO 27001 or NIS 2—remote development setups can’t just be convenient. They have to be secure, traceable, and controlled.

In Part 1, we explained how to secure your SSH keys using YubiKey and 1Password 8, making key sharing within teams both safe and convenient. Now it’s time to take it one step further: mounting remote directories over SSH using hardware-backed authentication.

This guide walks you through setting up SSHFS with macFUSE on macOS (Intel + Apple Silicon), backed by YubiKey-based SSH authentication.

Why Remote Mounting?

Mounting remote directories with sshfs allows you to:

Edit and browse files remotely as if they were local
Avoid unnecessary syncing or file duplication
Maintain full SSH-based encryption and access control

For developers working with containerized deployments, staging servers, or even edge devices, this gives the comfort of local tooling while staying securely inside the target infrastructure.

Prerequisites

Before you begin, make sure you’ve completed the setup from Part 1:

SSH key stored in YubiKey
1Password 8 installed with SSH agent support enabled
You can run:

ssh [email protected]

using a sk (FIDO2) key that requires YubiKey touch

Step 1: Install macFUSE

Download the official macFUSE package:

https://osxfuse.github.io

Important: After installation, follow the steps below depending on your Mac type.

If you want additional context and screenshots, this external guide is useful:

https://phoenixnap.com/kb/sshfs-mac

Apple Silicon (M1/M2/M3)

Shut down your Mac
Hold the Power button to enter Recovery Mode
Go to Utilities → Startup Security Utility
Select your system disk and set:
- Reduced Security
- Allow user management of kernel extensions
Reboot
Go to System Settings → Privacy & Security
- Click Allow next to the blocked macFUSE extension
Reboot again to activate the extension

Intel Macs

Install the macFUSE .dmg
Go to System Settings → Privacy & Security
Click Allow next to the blocked extension
Reboot

In some cases (Macs with a T2 chip), you may also need to follow the Apple Silicon procedure if the “Allow” option doesn’t appear.

Step 2: Install SSHFS

The SSHFS package is not bundled with macFUSE anymore.

Download the .pkg installer from the same site:

https://osxfuse.github.io

Avoid Homebrew-based sshfs installs—they often don’t work correctly with the macFUSE kernel extension.

Step 3: Verify macFUSE is working

To ensure it’s installed correctly:

/Library/Filesystems/macfuse.fs/Contents/Resources/mount_macfuse -V

You should see a version string. If not, revisit your reboot and extension approval steps.

Step 4: Mount a Remote Directory

Let’s say you want to mount /tmp/secure-data from a remote server:

mkdir -p ~/mnt/secure-remote
sshfs username@your-alias:/tmp/secure-data ~/mnt/secure-remote -o IdentityFile=~/.ssh/id_ed25519_sk

Make sure:

your-alias matches a Host entry in your ~/.ssh/config
Your YubiKey is plugged in and configured
You’ve already used the key successfully with ssh your-alias

You may be prompted to touch your YubiKey.

Add -o debug or -o loglevel=debug to troubleshoot.

Step 5: Unmount

When you’re done:

umount ~/mnt/secure-remote

Or:

diskutil unmount ~/mnt/secure-remote

Optional: Verify YubiKey-Based SSH Access

Use this script to double-check everything’s working:

#!/bin/bash

echo "Checking SSH with YubiKey..."
ssh -v your-alias exit
if [ $? -eq 0 ]; then
  echo "YubiKey-based SSH works."
else
  echo "Something's wrong. Try ssh -vvv your-alias for debug."
fi

Summary

This setup gives you:

Remote file access using secure sshfs
Authentication backed by physical YubiKey
Clean local development workflows without syncing or duplication
Compliance-ready operations under ISO 27001 / NIS2

You’re now fully equipped to work from any macOS machine with hardware-backed, secure SSH.