
ngel22

macrumors member
Original poster
Oct 28, 2023
42
47
Hi all,

Is there anyone here who has expert knowledge in securely erasing an external Samsung SSD? I heard a recommendation that encrypting the SSD with FileVault and then just forgetting the keys would be enough.

Thinking about it, would the following method work?
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
 
If you try to erase an external drive using Disk Utility, there should be a little button that says "Security Options." The options listed there should get the job done, as they'll fill the drive with zeroes.

Thinking about it, would the following method work?
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
I've never tried this, but it would probably work. 🤷‍♂️
 
What format is the SSD in currently? If already APFS, right click the partition(s) > Encrypt. Let it do its thing. Then re-format the drive as APFS Encrypted. Done.

If HFS, bring up Disk Utility, select the partition(s) in the sidebar, right click > Convert to APFS. Then do previous.

APFS Encrypted is "on demand" encryption, applied only when a file is written, so if you simply erase the drive and turn on APFS encryption, there's a good chance the blocks of data that were there are still there, just marked as "available". That's why turning on encryption for APFS happens instantly for new/empty drives: it's not really encrypting anything at that moment. So you want to leave whatever data is on the drive, rather than deleting it, to make sure it gets encrypted before reformatting.

If the drive was already in some sort of encrypted format, yes, the steps you outlined should work, as you are erasing the former encryption key and what data is there is encrypted with a random system-generated encryption key (the key a person provides is just a wrapper around the system random key [ala abcd-efgh-ijkl-lmno-0123]). And, really, you would just need to do one reformat as APFS encrypted and be done in the case of an already encrypted drive.
 
1. Formatting/Erasing the SSD in Disk Utility choosing APFS encrypted with some random password.
2. Simply erasing the SSD again choosing APFS.
I don’t think this will work, because step 1 isn’t going to encrypt the data that’s already there. As mentioned above, APFS encrypted means that the data will be encrypted when written. So by changing the format, you’re changing future behavior, not the existing bits.

The right way to achieve what you want is what NoBoMac said, but I’d do it in Finder. Select the drive, right click, and select “Encrypt”. Let it complete. Now the data is encrypted. You can do anything you want with the drive and your data is secure so long as nobody knows the encryption key.
 
  • Like
Reactions: NoBoMac
Select the drive, right click, and select “Encrypt”. Let it complete.

Ah! Right! Forgot that if you try to encrypt an HFS drive, it will convert to APFS at same time (I no longer have anything in HFS format, so no need to encrypt those).
 
Get ahold of an old copy of Drive Genius.

Then, erase the drive using disk utility.
IMPORTANT: erase to "Mac OS extended, journaling enabled, GUID partition format" -- old HFS+.

When done, quit disk utility and open drive genius.

Use the "shred" feature.

That should do it.
 
I don’t think this will work, because step 1 isn’t going to encrypt the data that’s already there. As mentioned above, APFS encrypted means that the data will be encrypted when written. So by changing the format, you’re changing future behavior, not the existing bits.

The right way to achieve what you want is what NoBoMac said, but I’d do it in Finder. Select the drive, right click, and select “Encrypt”. Let it complete. Now the data is encrypted. You can do anything you want with the drive and your data is secure so long as nobody knows the encryption key.

This sounds right, but I always wonder about the data blocks for files that have been deleted at some point in the past. It seems to me that they will not be encrypted by this process (I'm assuming only existing files' blocks get encrypted, and not "free" space). Therefore some (old) data is possibly recoverable.

Even using diskutil secureErase freespace is not guaranteed to solve this problem. According to the man page:

NOTE: This kind of secure erase is no longer considered safe. Modern
devices have wear-leveling, block-sparing, and possibly-persistent cache
hardware, which cannot be completely erased by these commands. The modern
solution for quickly and securely erasing your data is encryption.
Strongly-encrypted data can be instantly "erased" by destroying (or
losing) the key (password), because this renders your data irretrievable
in practical terms. Consider using APFS encryption (FileVault).

My standard practice now is to always use encryption from the very beginning of the drive's usage.
 
  • Like
Reactions: NoBoMac
Therefore some (old) data is possibly recoverable.

My standard practice now is to always use encryption from the very beginning of the drive's usage.

Same. Have always done this.

But I only worry about encryption for sensitive information (eg. don't care about my music collection for example), so will make two volumes: "newdrivename-Secure" (encrypted) and "newdrivename-Misc", "newdrivename-Music" (unencrypted). But get that others might want all their info encrypted.

With APFS and shared volume space and ability to easily add new volumes, the headaches/pain that came with encryption of HFS+ formatted drives is a thing of the past, so can change things up easily these days as the need(s) arise off my usual starting points.
 
This sounds right, but I always wonder about the data blocks for files that have been deleted at some point in the past. It seems to me that they will not be encrypted by this process (I'm assuming only existing files' blocks get encrypted, and not "free" space). Therefore some (old) data is possibly recoverable.

Even using diskutil secureErase freespace is not guaranteed to solve this problem. According to the man page:



My standard practice now is to always use encryption from the very beginning of the drive's usage.
I know this is old but I’m currently dealing with something like this so correct me if I got it wrong:

Of course, disk utility encryption upon first usage of the SSD/HDD is the golden rule. Upon a simple, fast format, key gets deleted and data is rendered unrecoverable.

What about unencrypted SSDs? I get that for an HDD you can zero it out, or do 1 pass of random data writes on it, but what about SSD?

Let’s say I have an SSD full of family photos and it’s just an APFS container — no volumes or partitions — I decide to sell it, so instead of going to disk utility where I’d encrypt it (which would erase my UNencrypted data and render it recoverable) instead I just use Finder’s “Encrypt”, wait it out, and then perform a formatting before sale happens.

As you guys said, what happens to the photos I deleted months ago when they weren’t encrypted? They’re deleted bits, how recoverable are they? Does it matter at all? I know when the new owner begins writing on the disk day by day it increases the chance of wear leveling or NAND refreshing (forgive my terminology) coming into place and erasing those for good, but what about before then?

Is there no surefire way of performing a secure erase for SSD from Disk Utility? I know some SSD’s manufacturers offer “sanitize” features in their toolkit apps but none native for macos?
 
Of course, disk utility encryption upon first usage of the SSD/HDD is the golden rule. Upon a simple, fast format, key gets deleted and data is rendered unrecoverable.
It's not just the golden rule, it's literally the only way to guarantee that any data ever written to an SSD is encrypted. The moment you write unencrypted data to that disk, the "horse has left the barn". At some point in the future wear-leveling could place storage blocks out of reach of any computer-side software.

what happens to the photos I deleted months ago when they weren’t encrypted? They’re deleted bits, how recoverable are they? Does it matter at all?

The "does it matter" question is key here – you know the data that you put on the disk, so you can assess the risk. Personally, if I only had my own photos library on an unencrypted SSD, and I sold the SSD and it wound up in the hands of a sophisticated attacker looking for state secrets, I'd be amused that the most they could find would be some stupid cat pictures. In most cases, writing data to the device until it is completely full and then erasing it is going to be sufficient to remove the data that you added to it. Yes, there will be pockets of recoverable content that is recoverable by very sophisticated attackers, but if you didn't add anything particularly sensitive to that disk, it's unlikely to be a big deal. On the flip side, if you ever stored data on the disk that could be used to access your bank accounts or steal your identity, then I'd weigh the potential cost of dealing with that vs. the amount of money you'll get for selling the device.

My old disks get disassembled, mutilated, then I recycle the parts that can get recycled and toss the rest. I'm also vigilant about enabling encryption when I initially format a disk or add volumes to an APFS container. That was a tough habit to get into because it's not the default choice. Someday I hope Apple (and any other app that offers volume creation/formatting functionality) will present the choice visually alongside the non-encrypted option, e.g. instead of separate choices in a popup menu, have the encryption UI presented separately under the "format" choice.
 
There still seem to be standalone 3rd-party Mac apps "out there" that claim to be able to securely erase drives:

I can't speak for how well they work -- don't have any of them.

But if you put into my hands an SSD that you wanted "zeroed out", I'd do this:
1. Open disk utility
2. Erase the drive to HFS+ (not zeroing at this point)
3. Quit du and open a shredding app
4. "Aim it" at the SSD in question and let it go.

One pass of zeros or random "1" and "0" writes ought to do it.
 
Way overthinking things. Garbage collection works fairly fast on (modern) SSDs. So, if you reformat the drive, give it a few hours of idle time, you should be fine. You could also (then) reformat as encrypted, throw some random files at it, that aren’t sensitive/personal data, and reformat again. Nonetheless, as already stated, TRIM works fast and well enough.

 
Is there anyone here who has expert knowledge in securely erasing an external Samsung SSD? I heard a recommendation that encrypting the SSD with FileVault and then just forgetting the keys would be enough.

What are you doing with the drive -- selling it? I'd agree that a simple erase should be sufficient. (Given the number of posts here from people with erased SSDs trying to recover their data unsuccessfully..)
 
Way overthinking things. Garbage collection works fairly fast on (modern) SSDs. So, if you reformat the drive, give it a few hours of idle time, you should be fine. You could also (then) reformat as encrypted, throw some random files at it, that aren’t sensitive/personal data, and reformat again. Nonetheless, as already stated, TRIM works fast and well enough.
I think what you're missing here is that TRIM takes blocks of storage out of rotation. So if the following were to happen:

- you write sensitive data to the device
- you delete those files (which does not overwrite the blocks, it just deallocates them)
- TRIM (which is invoked when you delete files) rotates the blocks containing sensitive data out of rotation
- you erase the drive, or even attempt to write data to the entire device

The effects of your erasing and overwriting activity have no effect on the blocks of storage that were rotated out of use – the device still contains your sensitive data. This is not a hypothetical situation either, this is the norm, it's how SSDs work. This behavior and the inherent risk associated with having unencrypted data on blocks of storage that have been rotated out of use is specifically why the "secure erase" functionality was removed from Disk Utility. It's also documented, as someone already commented above:

Even using diskutil secureErase freespace is not guaranteed to solve this problem. According to the man page:

NOTE: This kind of secure erase is no longer considered safe. Modern
devices have wear-leveling, block-sparing, and possibly-persistent cache
hardware, which cannot be completely erased by these commands. The modern
solution for quickly and securely erasing your data is encryption.
Strongly-encrypted data can be instantly "erased" by destroying (or
losing) the key (password), because this renders your data irretrievable
in practical terms. Consider using APFS encryption (FileVault).

Again, the level of risk is user-specific. If I was an amateur photographer storing innocuous photo shoots, I probably wouldn't be too concerned about this particular risk. If I was a journalist or State employee, though, I'd want to be in the habit of always enabling encryption on SSDs, regardless of what data I think I might put on there.
 
@MayflyMaven

That’s YouTube, social media where anyone can say anything. Well, here’s the explanation from an SSD producer:

What does Trim do?

The Trim command tells the SSD that specific areas contain data that is no longer in use. From the user's perspective, this data has been deleted from a document. Because of the way solid state drives read and write information, the data is not deleted from the drive at the user's command. Instead, the area of the SSD that contains the data is marked as no longer used. The Trim command tells the drive that the data can be removed. The next time the computer is idle, Active Garbage Collection will delete the data.

If the Trim command did not exist (as was the case before Windows® 7), then the solid state drive would not know that certain sectors in the drive contained invalid information until the computer told the drive to write new information to that location. The drive would need to erase the existing information, then write the new information. This takes slightly more time to do than just writing the new information, so using Trim and Active Garbage Collection helps your SSD perform write commands more quickly.

Trim also affects the longevity of the solid state drive. If data is written and erased from the same NAND cells all the time, those cells will lose integrity. For optimum life, each cell should be utilized at roughly the same rate as other cells. This is called wear leveling. The Trim command tells the SSD which cells can be erased during idle time, which also allows the drive to organize the remaining data-filled cells and the empty cells to write to to avoid unnecessary erasing and rewriting.

How Active Garbage Collection works

Flash memory, which is what SSDs are made of, cannot overwrite existing data the way a hard disk drive can. Instead, solid state drives need to erase the now invalid data. The problem is that a larger unit of the memory, a block, must be erased before a smaller unit, a page, can be written. For example, if there are four pages with data in an otherwise empty block and three pages of data are deleted, the remaining page of data must be written to a new block, then all four pages in the old block can be deleted, freeing them up to be rewritten in the future.

If the drive were to not go through this process of moving valid information so that invalid information can be deleted, and instead, just keep writing new information to new pages, eventually it would fill up with data, some of it no longer valid. To prevent this, Active Garbage collection goes through the disk and moves each page of valid data to a page in another block so the block with invalid data, which has been identified with Trim, can be cleaned out.

Let’s get another ‘official’ word for good measure:

How Does the SSD TRIM Command Work?

SSD trimming allows the operating system to inform the SSD which blocks of data are no longer considered in use and can be erased. Here’s a step-by-step breakdown of how SSD trimming works:

  1. File Deletion or Overwriting: When a file is deleted or overwritten on an SSD, the operating system sends a TRIM command to the SSD to indicate data in the specific blocks is not needed.
  2. Marking Blocks: The SSD controller then receives the TRIM command and marks these blocks as invalid or free. Instead of immediately erasing the data, the SSD just notes that these blocks can be used for new data in the future.
  3. Updating the Mapping Table: SSDs use a mapping table to keep track of where data is stored. When a TRIM command is issued, the SSD updates this table to reflect the blocks specified in the TRIM command are now free and available for new data.
  4. Postponed Erase: Unlike traditional hard drives, SSDs don’t immediately erase data when it’s marked as deleted. Instead, the actual erasure is postponed until the SSD garbage collection process runs. This helps improve write performance since the drive doesn’t have to erase data before writing new data to the block.
  5. Garbage Collection: During idle periods, the SSD’s garbage collection process runs in the background. It consolidates free space by physically erasing the blocks marked by the TRIM command. This process helps prepare the drive for future write operations and improves efficiency.
  6. Wear Leveling: The SSD controller uses wear leveling algorithms to ensure data is evenly distributed across the memory cells. This is crucial because NAND flash memory cells have a limited number of write/erase cycles. By spreading out the wear, the drive life can be extended.
  7. Performance Optimization: By marking blocks as free and performing garbage collection during idle times, trimming helps maintain high write and read speeds. Without the TRIM command, the SSD would eventually slow down as it has to perform additional operations to clear old data before writing new data.

So, I reiterate, erase/format the drive and give it enough (e.g., up to several hours) idle time, and it should be fine. If you want, verify afterwards with a free or trial data recovery utility.
 
  • Like
Reactions: MayflyMaven
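
The behaviour discussed in the two posts above (deallocated pages that host-side overwriting cannot reach, and TRIM plus garbage collection erasing them later), as an added example that is not part of any post in this thread: a toy flash translation layer in Python. The `ToySSD` class, the page counts and the spare area are constructed assumptions, and a real controller decides on its own when garbage collection runs.

```python
# Toy flash translation layer (FTL). Constructed model, not vendor firmware.
PAGES_PER_BLOCK = 4

class ToySSD:
    def __init__(self, blocks=4):
        # Physical flash: each page is None (erased) or the bytes stored in it.
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]
        self.valid = set()   # (block, page) locations holding live data
        self.l2p = {}        # mapping table: logical address -> (block, page)

    def _erased_page(self):
        for b, block in enumerate(self.flash):
            for p, data in enumerate(block):
                if data is None:
                    return b, p
        raise RuntimeError("no erased page left")

    def write(self, lba, data):
        # No in-place overwrite: new data goes to an erased page and the
        # previous physical page is only marked invalid.
        self.valid.discard(self.l2p.get(lba))
        b, p = self._erased_page()
        self.flash[b][p] = data
        self.l2p[lba] = (b, p)
        self.valid.add((b, p))

    def trim(self, lba):
        # TRIM updates the mapping table; the cells keep their contents.
        self.valid.discard(self.l2p.pop(lba, None))

    def read(self, lba):
        loc = self.l2p.get(lba)
        return self.flash[loc[0]][loc[1]] if loc else None

    def residue(self, needle):
        # What a chip-level read would find, regardless of the mapping table.
        return any(d and needle in d for blk in self.flash for d in blk)

    def garbage_collect(self):
        for b, block in enumerate(self.flash):
            if all(d is None or (b, p) in self.valid for p, d in enumerate(block)):
                continue  # no stale pages in this block
            live = [(lba, block[loc[1]]) for lba, loc in self.l2p.items() if loc[0] == b]
            self.valid -= {(b, p) for p in range(PAGES_PER_BLOCK)}
            self.flash[b] = [None] * PAGES_PER_BLOCK  # whole-block erase
            for lba, data in live:  # toy shortcut: live pages staged in RAM, then rewritten
                del self.l2p[lba]
                self.write(lba, data)

def demo(host_lbas=12):
    ssd = ToySSD(blocks=4)  # 16 physical pages, 12 host-visible (assumed spare area)
    ssd.write(0, b"SECRET-photo")  # constructed sample data
    ssd.trim(0)  # file deleted: host can no longer read it
    out = {"host_read": ssd.read(0), "after_trim": ssd.residue(b"SECRET")}
    for lba in range(host_lbas):  # host overwrites every address it can see
        ssd.write(lba, b"\x00" * 8)
    out["after_overwrite"] = ssd.residue(b"SECRET")
    ssd.garbage_collect()
    out["after_gc"] = ssd.residue(b"SECRET")
    return out
```

In this model the stale page survives a full host-side overwrite because new writes land on erased pages, and it disappears only when the controller erases the block that holds it.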
So, if you reformat the drive, give it a few hours of idle time, you should be fine.
...
So, I reiterate, erase/format the drive and give it enough (e.g., up to several hours) idle time, and it should be fine.

OK, now I see your point more clearly. Yes, given enough idle time where the device remains attached to the computer, eventually the garbage collection will scrub any deallocated blocks.
 
  • Like
Reactions: MacCheetah3
OK, now I see your point more clearly. Yes, given enough idle time where the device remains attached to the computer, eventually the garbage collection will scrub any deallocated blocks.
I probably should have added, in other words, SSDs do an automatic secure erase free space.
 