
MikeGreo

macrumors member
Original poster
Oct 15, 2019
Having used DoD and Peter Gutmann secure erase before on conventional HDD drives, it was quite a surprise to find out that the same secure wipe method is unavailable or ineffective on an SSD. Reading online about this, there is a lot of conflicting and contradictory information, which makes getting to the bottom of this more difficult.

I've read threads saying that you can secure erase your SSD drive by command+R booting and using the Disk Utility and then selecting the "security options" for a secure erase. Then we find out that Apple has removed this option since they deemed it ineffective.

I've read threads saying that you need to run diskutil secure erase and that this will wipe it clean. But if Apple removed the GUI for diskutil, the terminal command would be no different and would similarly be deemed ineffective. It is frustrating that they mention that you should encrypt it and that would solve the problem. But it will not solve the problem if you did not encrypt in the beginning and are just finding out this information now.

Also, some information mentions that recovering data from SSDs is very difficult, so you do not need to worry about it. However, I later read a poster on Stack Exchange saying he was able to recover the data.

Another important point seems to be that the SSD needs to be TRIM enabled. Another frustrating thing is that there is no way for me to find out the current setting. I know how to enable or disable it; however, it doesn't tell me what the setting currently is. I want to find that out as well.

So all of this is very worrying. I need a no ******** answer from someone who really knows what he is talking about, taking into consideration the things I have mentioned here.

Looking forward to some serious assistance.

Kind regards,

Mike

--------------------------------------------
MacBook Pro
Physical Drive:
Device Name: APPLE SSD AP0256M
Media Name: AppleAPFSMedia
Medium Type: SSD
Protocol: PCI-Express
Internal: Yes
Partition Map Type: Unknown
SMART Status: Verified

APPLE SSD AP0256M:
Capacity: 251 GB (251,000,193,024 bytes)
TRIM Support: Yes
Model: APPLE SSD AP0256M
Revision: 717.0.21
Serial Number: C02912501V6JP4F1J
Link Width: x4
Link Speed: 8.0 GT/s
Detachable Drive: No
BSD Name: disk0
Partition Map Type: GPT (GUID Partition Table)
Removable Media: No
SMART status: Verified
Volumes:

EFI:
Capacity: 314.6 MB (314,572,800 bytes)
BSD Name: disk0s1
Content: EFI
Volume UUID: E783267B-A4C3-3556-B751-DBED770EB996

disk0s2:
Capacity: 250.69 GB (250,685,575,168 bytes)
BSD Name: disk0s2
Content: Apple_APFS
 
I'll be interested to see any suggestions provided by knowledgeable folks. I'm not sure why there isn't a disk utility option for this. Samsung has a bootable utility to securely erase their SSDs in an instant.

Even if you still have the system intact, enabling FileVault can take a LONG time, which isn't great if you're in a rush. Even so, I'm wondering: if a user has erased their system drive at point "A", would a clean install, conversion to FileVault and then drive erase prevent recovery of any data from the original point "A"?
 
I don't think you're going to be able to use ANYTHING (disk utility or 3rd party utilities) to "securely erase" the internal drive on a Mac that has a t2 chip inside. The t2 won't give you enough "access" to the drive.

I have used 3rd party apps (Drive Genius) to do "secure erases" on EXTERNALLY mounted SSDs.

If you have a NON-t2-equipped Mac, it MIGHT be possible to boot externally, and then use something like Drive Genius to do a secure erase (DG will tell you that the drive "does not need" a secure erase, but will let you do it anyway).

Other than that, although I've never tried it, I believe you can do this:
a. encrypt the internal drive using filevault,
and then...
b. erase it with disk utility.
c. data is now "gone" and un-recoverable.
 
How do I find out if I have a t2 chip?

Connecting it externally is not going to be possible in my case. Is there any way I can use a bootable Linux USB and then wipe it with Drive Genius?

Is it possible to use Samsung's software for secure erase on macOS? Perhaps with the bootable Linux USB I can run the Samsung secure erase on Linux to wipe the Mac SSD?
 
Encrypt the contents with FileVault. This takes a while on a large SSD, but with a decent-length pass phrase, it’s good enough for most users.
 
How would encrypting it NOW make the files deleted BEFORE unrecoverable? This is the point that people on many other pages fail to clarify, and I think it relates to the question BrianBaughn asked as well.

Encrypting it NOW will ensure that files deleted HENCEFORTH will be unrecoverable, but it says nothing about the files that have ALREADY been deleted. How does FileVault make those unrecoverable? That is my only concern now.
 
FileVault's Full Disk Encryption doesn't encrypt just files. It encrypts the blocks that the file data is stored in. When you turn on FileVault, the OS starts encrypting the blocks that make up the volume. This includes header blocks, directory blocks, the blocks where file data is stored, and even unused blocks that have no file data in them.

Until the encryption is complete, some data may still be at risk, because some blocks haven't been encrypted yet. This is why it's important to let the encryption finish.

Once encryption has finished, every block on the disk is encrypted. This means that if the decryption key is erased, all the encrypted blocks will contain is indecipherable random gibberish. Random gibberish is as good as erasure, from the standpoint of data safety. You can't decode anything from a random sequence, just as you can't decode anything from a sequence of 0's, or 0xA6's, or whatever constant.

Here's a paper analyzing FileVault:

From that paper's section 3.1:
3.1 Enabling FileVault 2
After FileVault 2 is enabled, a series of events take place. First, the user is presented with a 24-character recovery password (see Figure 1) that can be used to access the encrypted volume, even if the user password is lost.
Next, the filesystem in the main volume is converted from the native HFS Plus type to CoreStorage (encrypted). During this operation, the user can still use the system and the ConversionStatus field in the EncryptedRoot.plist file (details are provided below) contains the string "Converting." After the encryption process is complete, the string is changed to "Complete." At this time, we do not know how the operating system keeps track of the encrypted blocks during the conversion process, so our tool cannot correctly mount volumes that are in the Converting state. We are continuing to investigate this situation.
 
Thanks for that. It would seem that enabling FileVault in the scenario I presented above in post #2 would suffice for protecting the previously erased SSD.
 
Thanks for that detailed response. It clears up a lot. So FileVault is the answer. One question, though. If we are going to give the laptop to someone else or sell it, I can't have it encrypted once they have it. Is it possible to use FileVault to encrypt the whole hard drive and then do a format, deleting it and reinstalling? So basically, after the first FileVault encryption followed by a format and reinstall, a second FileVault encryption is not even necessary, because the data became impossible to recover after the first encryption, even though the FileVault encryption is no longer present after the second install? If you know what I mean. Because a new user might not want FileVault encryption.
 
Encrypt the drive with Filevault.

Then, boot to internet recovery.

Erase the drive.

Install a new copy of the OS.

Hand it off to whoever is going to use it next.
 
Thanks for the advice.

I am about to use FileVault and encrypt the whole hard drive. After that I will format my machine. After the format, I am hoping that I don't get locked out of my machine somehow, as the decryption key will probably be deleted with it. And upon the new install it will LOOK LIKE there is no encryption, even though at the SSD level it is encrypted, but from the newly installed operating system's perspective it will be as if there is no encryption.
 
You should try booting to Internet Recovery first. Make sure that works.

Then make sure you can run Disk Utility from there, and it offers the option to completely erase the SSD (which I presume is internal). I'm not suggesting that you actually erase the SSD now, only that you confirm it's an available option.

Personally, I'd have previously prepared a bootable external USB drive of some kind, because sometimes Bad Things Happen. I would also have confirmed that said drive was bootable by actually booting to it, and running Disk Utility from there. I would then disconnect it while booting from Internet Recovery, because if it's disconnected, you can't accidentally erase it in Disk Utility.
 
I made all the checks. I can boot into Internet Recovery and I can erase. I turned on FileVault, but nothing seemed to happen. I was expecting a progress bar saying "encrypting", but it just set the recovery key and says it's turned on. That's it. Why is it not working?
 
The actual encryption occurs in the background. You should keep the machine active (not asleep) until it completes.

Here are a couple of articles on how to find where it's at in the process:

The 2nd one is from 2017, and mentions a progress bar in System Preferences > Security & Privacy > FileVault.

I don't know how accurate either of these are, but I'd guess the command-line check using diskutil is almost certainly still there. It's been quite a while since I've done FileVault on a new disk, so I haven't kept up on how to determine its progress.
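An added check, my own script rather than anything from the thread or from Apple, for the two things this thread keeps circling back to: whether FileVault has finished encrypting every block, and whether the drive reports TRIM support. It assumes the "Percent completed" wording that `fdesetup status` prints during conversion and the "TRIM Support:" line that `system_profiler SPNVMeDataType` prints (the same line as in the first post's spec dump); the sample output at the bottom is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not code from the thread): classify the output of the macOS
# tools discussed above (fdesetup, system_profiler) to answer two questions
# raised here: has FileVault finished encrypting every block, and does the
# drive report TRIM support. The parsers take text as an argument so they can
# be run against saved output anywhere; live collection runs only on a Mac.

# fv_state: classify `fdesetup status` output.
# Prints "off", "converting:<percent>", "on" or "unknown".
# Assumes the "Percent completed" wording fdesetup prints during conversion.
fv_state() {
  case "$1" in
    *"FileVault is Off"*) echo off ;;
    *"Percent completed"*)
      pct=$(printf '%s\n' "$1" \
        | sed -n 's/.*Percent completed[^0-9]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
      echo "converting:${pct:-?}" ;;
    *"FileVault is On"*) echo on ;;
    *) echo unknown ;;
  esac
}

# trim_state: pull the "TRIM Support:" value out of system_profiler output
# (SPNVMeDataType for PCIe SSDs like the one in the first post,
# SPSerialATADataType for SATA drives). Prints "Yes", "No" or nothing.
trim_state() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*TRIM Support:[[:space:]]*//p' | head -n 1
}

# handoff_ready: the crypto-erase argument made in the thread only holds once
# every block is encrypted, i.e. fdesetup no longer reports a conversion.
handoff_ready() {
  [ "$(fv_state "$1")" = on ]
}

# Live report; only called when the macOS tools are present.
report_live() {
  fv=$(fdesetup status 2>&1)
  sp=$(system_profiler SPNVMeDataType SPSerialATADataType 2>/dev/null)
  echo "FileVault: $(fv_state "$fv")"
  echo "TRIM support: $(trim_state "$sp")"
  if handoff_ready "$fv"; then
    echo "Every block is encrypted; erasing the volume discards the key."
  else
    echo "Not ready: let FileVault finish before erasing the volume."
  fi
}

# Constructed sample output (not captured from a real machine).
SAMPLE_FV_CONVERTING='FileVault is On.
Encryption in progress: Percent completed = 27'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_SP='NVMExpress:
    APPLE SSD AP0256M:
      TRIM Support: Yes
      Model: APPLE SSD AP0256M'

if command -v fdesetup >/dev/null 2>&1; then
  report_live
fi
```

`diskutil cs list` reports nothing on an APFS/T2 system like the one in this thread, which is why `fdesetup status` is used here instead.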
 
Thanks for the info.

I tried what it says in those articles. I get:

Code:
diskutil cs list
No CoreStorage logical volume groups found

But I have definitely seen a progress bar saying "encrypting" in YouTube videos and images, but it is not happening on my system. Could the fact that I have a T2 Security chip be the reason?

I have this: About the Apple T2 Security Chip

How Apple's T2 Security Chip Affects Your Disk Storage

It seems to say that FileVault happens instantly.

But now I am really worried that I can't ensure that the deleted files are made unrecoverable.
 
Indeed, on a Mac that has a T2, FileVault is enabled instantly.
 
So what does that mean in terms of the free space on my SSD? Are all the blocks, used and unused, now encrypted, just like that? I think I would have actually preferred that it takes time, much like the secure erase which zeroes out all the sectors on the disk. Is it actually possible for FileVault to encrypt all of the sectors/blocks on the SSD instantly? Is it now unrecoverable? I have absolutely no files on the SSD at the moment, it is already a fresh install, so this is only about encrypting the free space to make the deleted files absolutely unrecoverable.
 
In a computer with a T2, the drives are always encrypted, which is how the computer is able to turn on FileVault immediately. Given that this is a new computer, there's no chance your data would ever be able to be recovered once you copy to the drive.
 
Okay. I mean when I say it is a fresh install, I had extensively used it prior to the fresh install. So it is not a new computer per se. But glad to know it is no longer recoverable then.
 
Just an update on this. Btw, I have enabled FileVault and it is all encrypted. I have two remaining questions though.

1-) In some articles online about securely deleting files/free space on a Mac SSD, I have read that using the following commands is very important:
Code:
diskutil secureErase freespace 1 /Volumes/Macintosh\ HD
or
Code:
diskutil secureErase freespace 1 /dev/disk3s4

Is one better than the other? Is it completely useless to do this on a macOS SSD like mine?

2-) I don't know if anybody noticed but in my first post I had put my system specs which included:
TRIM Support: Yes

What does this mean? Does it mean that my files were deleted beyond recovery from the first moment even before FileVault was enabled?

Many thanks,

Mike
 
1) It is the same thing.

Code:
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         128.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS HighSierraNVMe          127.0 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

The first disk in my computer, /dev/disk0, shows the partitions in use on it. To do your command, I would:

Code:
diskutil secureErase freespace 1 /Volumes/HighSierraNVMe
or
Code:
diskutil secureErase freespace 1 /dev/disk0s2

Second part: you overthink it way too much with the paranoia. Format the thing; it will wipe everything for you, or do the secure command.

2) It means that the TRIM function is enabled; the OS will think the deleted space is available for use. If necessary it uses it; once used, the data that was there before is now gone.
 
Because you have a computer with a T2, the data has always been encrypted on disk. Nobody would get your files back.
The commands to erase free space on an SSD are not reliable anyway. Because of how the SSD works, there's no way to ensure that data is actually written to every bit of space on the disk.
 
Thanks for the responses. I think in terms of encrypting/secureErasing I have done everything that can be done.

So really, in situations like this, there is only one thing left that people can do if one wants certainty. And that is to install a highly effective file recovery tool to undelete files once thought erased. I knew a number of these tools on Windows, but don't really know any on Mac.

If after running these tools, NO file that was once deleted can be found, then indeed we know it is gone forever. Any ideas what I can install?
 