
ngel22

macrumors member
Original poster
Oct 28, 2023
Hi all,

Is there anyone here who has expert knowledge in erasing an external Samsung SSD securely? I have heard the recommendation that encrypting the SSD with FileVault and then just forgetting the keys would be enough.

Thinking about it, would the following method work?
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
 
If you try to erase an external drive using Disk Utility, there should be a little button that says "Security Options." The options listed there should get the job done, as they'll fill the drive with zeroes.

Thinking about it, would the following method work?
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
I've never tried this, but it would probably work. 🤷‍♂️
 
What format is the SSD in currently? If already APFS, right click the partition(s) > Encrypt. Let it do its thing. Then re-format the drive as APFS Encrypted. Done.

If HFS, bring up Disk Utility, select the partition(s) in the sidebar, right click > Convert to APFS. Then do previous.

APFS Encrypted is "on demand" encryption, applied only when a file is written, so if you simply erase the drive and turn on APFS encryption, there is a good chance the blocks of data that were there are still there, just marked as "available". That is why turning on encryption for APFS happens instantly for new/empty drives: it is not really encrypting anything at that moment. So you want to leave whatever data is on the drive rather than deleting it, to make sure it gets encrypted before reformatting.

If the drive was already in some sort of encrypted format, yes, the steps you outlined should work, as you are erasing the former encryption key and what data is there is encrypted with a random system-generated encryption key (the key a person provides is just a wrapper around the system random key [à la abcd-efgh-ijkl-lmno-0123]). And, really, you would just need to do one reformat as APFS encrypted and be done in the case of an already encrypted drive.
 
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
I don’t think this will work, because step 1 isn’t going to encrypt the data that’s already there. As mentioned above, APFS encrypted means that the data will be encrypted when written. So by changing the format, you’re changing future behavior, not the existing bits.

The right way to achieve what you want is what NoBoMac said, but I’d do it in Finder. Select the drive, right click, and select “Encrypt”. Let it complete. Now the data is encrypted. You can do anything you want with the drive and your data is secure so long as nobody knows the encryption key.
 
Select the drive, right click, and select “Encrypt”. Let it complete.

Ah! Right! Forgot that if you try to encrypt an HFS drive, it will convert to APFS at the same time (I no longer have anything in HFS format, so no need to encrypt those).
 
Get ahold of an old copy of Drive Genius.

Then, erase the drive using Disk Utility.
IMPORTANT: erase to "Mac OS extended, journaling enabled, GUID partition format" -- old HFS+.

When done, quit Disk Utility and open Drive Genius.

Use the "shred" feature.

That should do it.
 
I don’t think this will work, because step 1 isn’t going to encrypt the data that’s already there. As mentioned above, APFS encrypted means that the data will be encrypted when written. So by changing the format, you’re changing future behavior, not the existing bits.

The right way to achieve what you want is what NoBoMac said, but I’d do it in Finder. Select the drive, right click, and select “Encrypt”. Let it complete. Now the data is encrypted. You can do anything you want with the drive and your data is secure so long as nobody knows the encryption key.

This sounds right, but I always wonder about the data blocks for files that have been deleted at some point in the past. It seems to me that they will not be encrypted by this process (I'm assuming only existing files' blocks get encrypted, and not "free" space). Therefore some (old) data is possibly recoverable.

Even using diskutil secureErase freespace is not guaranteed to solve this problem. According to the man page:

NOTE: This kind of secure erase is no longer considered safe. Modern
devices have wear-leveling, block-sparing, and possibly-persistent cache
hardware, which cannot be completely erased by these commands. The modern
solution for quickly and securely erasing your data is encryption.
Strongly-encrypted data can be instantly "erased" by destroying (or
losing) the key (password), because this renders your data irretrievable
in practical terms. Consider using APFS encryption (FileVault).

My standard practice now is to always use encryption from the very beginning of the drive's usage.
 
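A toy model of the two procedures debated in this thread, added here as an illustration and not taken from any poster or from Apple: it shows which plaintext a raw scan of the media still finds after "erase as APFS Encrypted, then erase again" versus "Encrypt, let it complete, then erase". Assumptions: the `Disk` class, `scenario` function and sample strings are made up, the cipher is a stand-in, an erase only resets metadata, in-place encryption skips free blocks (as the post above assumes), and wear-leveling and TRIM are not modelled.

```python
import hashlib
import secrets

BLOCK = 32  # bytes per block on this toy device

def crypt(key: bytes, idx: int, data: bytes) -> bytes:
    # Stand-in cipher (NOT what APFS uses): XOR with a per-block SHA-256 pad.
    pad = hashlib.sha256(key + idx.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class Disk:
    def __init__(self, nblocks: int = 8):
        self.blocks = [bytes(BLOCK)] * nblocks  # what is physically on the media
        self.live = set()                       # blocks referenced by current files
        self.key = None                         # volume key; None means unencrypted

    def write(self, data: bytes) -> int:
        idx = min(set(range(len(self.blocks))) - self.live)
        data = data.ljust(BLOCK, b"\0")
        self.blocks[idx] = crypt(self.key, idx, data) if self.key else data
        self.live.add(idx)
        return idx

    def delete(self, idx: int) -> None:
        self.live.discard(idx)                  # block is only marked available

    def erase(self, encrypted: bool) -> None:
        self.live.clear()                       # quick format: metadata only
        self.key = secrets.token_bytes(32) if encrypted else None  # old key is gone

    def encrypt_in_place(self) -> None:
        self.key = secrets.token_bytes(32)
        for idx in self.live:                   # assumption: free space is skipped
            self.blocks[idx] = crypt(self.key, idx, self.blocks[idx])

    def raw_scan(self, needle: bytes) -> bool:
        return any(needle in block for block in self.blocks)

def scenario(method: str) -> dict:
    d = Disk()
    old = d.write(b"OLD-DELETED-SECRET")        # constructed sample data
    d.write(b"LIVE-SECRET")
    d.delete(old)
    if method == "format_twice":                # erase as APFS Encrypted, then APFS
        d.erase(encrypted=True)
        d.erase(encrypted=False)
    elif method == "encrypt_then_erase":        # Encrypt, let it finish, then erase
        d.encrypt_in_place()
        d.erase(encrypted=True)
    return {"live": d.raw_scan(b"LIVE-SECRET"), "deleted": d.raw_scan(b"OLD-DELETED-SECRET")}
```

In this model `scenario("format_twice")` leaves both strings readable on the media, while `scenario("encrypt_then_erase")` leaves only the previously deleted file's block, which is the case for encrypting a drive from its first use.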
Therefore some (old) data is possibly recoverable.

My standard practice now is to always use encryption from the very beginning of the drive's usage.

Same. Have always done this.

But I only worry about encryption for sensitive information (e.g. don't care about my music collection), so will make two volumes: "newdrivename-Secure" (encrypted) and "newdrivename-Misc", "newdrivename-Music" (unencrypted). But get that others might want all their info encrypted.

With APFS and shared volume space and ability to easily add new volumes, the headaches/pain that came with encryption of HFS+ formatted drives is a thing of the past, so can change things up easily these days as the need(s) arise off my usual starting points.
 