Originally published at: How to Securely Erase a Mac’s SSD or Hard Drive - TidBITS
If you need to get rid of a Mac or external drive, how do you ensure that no one can access the data on it? Adam Engst runs through the various methods you can employ, one or more of which should address your situation.
I find that a pair of linesman’s pliers comes in handy for ensuring that the chips on Apple proprietary and M.2 Flash memory cards are well and truly rendered unreadable.
In the last couple of months, I’ve had the “pleasure” of opening up an old iBook (only 38 steps on iFixIt!) and the MacBook Pros of a certain age in order to destroy the HDDs/SSDs. Fortunately, my county landfill and recycling facility accepts old personal computers (or their wreckage) as well as other electronics for recycling. I take that to include the metal debris from drilling through HDDs.
Thank you for this lesson. Timely for me as I have some HDDs to be disposed of.
Are you certain using the “diskutil secureErase 1 diskX” command in Terminal will securely erase Solid State Drives? I’ve read elsewhere that command is only to be used on older spinning Hard Disk Drives.
For SSDs with TRIM enabled it would be enough just to erase the drive and then TRIM the unused blocks. Doesn’t work with the Samsung T7 though, because there is no TRIM support over SSD. For Macs with Apple-provided SSDs it would be enough to erase the drive, re-install macOS and then start in safe mode (which will trigger an fsck command, which TRIMs unused blocks as well).
Encrypt and then erase is what I usually use for HDDs. Or indeed physically destroy them if they’re faulty.
In my understanding many SSDs have had hardware encryption always on for a long time (10 years or so). This is at least true for Samsung SSDs and very likely for some other brands.
Deleting the key would make all data unusable, but which command or action destroys or renews this key? At what point is this key set?
No, it won’t, which is why I included Apple’s complete warning against it. Why it won’t is explained in the encryption section next in the article.
If there is a Staples office supply store near you, they have an electronic recycling program that will accept (up to 7 items per customer per day) most forms of e-waste.
As mentioned in the article, this will mark all the data as garbage (making it inaccessible to software), but until the SSD controller runs garbage collection for those locations on the flash chips, a data recovery process that bypasses the SSD controller chip may be able to recover the data. Once the garbage is collected, however, it will be gone for good.
The big problem is that you have no way to know when your garbage data has actually been collected. If you let it sit powered-on but idle (e.g. connect it, but unmount all of its volumes) for a few days, then it would be reasonable to assume that all of the garbage has been collected, but without documentation from the SSD manufacturer, you have no way to know for certain.
Whether this matters to you will depend on the sensitivity of the data and what you will be doing with the drive after you’ve erased it.
Yes and no. TRIM will quickly and immediately mark all the blocks as garbage, making them inaccessible to software. But the physical flash memory won’t actually be erased until garbage collection runs, and there’s no way to know when that will actually take place. See above.
BTW, on macOS, Disk Utility will TRIM an SSD as a part of its normal disk erase process (only if macOS supports TRIM on it, of course).
Yes. Hardware-encrypted drives are a thing. When used without access credentials, they should (if implemented correctly) pair the flash chips to the SSD controller, so they can’t be read without it. But anyone connecting a computer to the SSD can still get access.
When used with access credentials (a password or a secondary key), then the data is secure and can’t be read if the password is lost.
The problem with these devices is that your computer must have the ability to provide the credentials (typically via a SATA or NVMe command). While there are PCs whose BIOS or EFI firmware is equipped to do this, I don’t think any Macs have this ability, which would make it useless for a boot device (but might be OK as a data device, if you have a software app that can send the credentials after macOS starts up).
As far as I know, Apple’s “solution” in this product space is their own SSD encryption based on Apple Silicon or a T2 chip. Older Macs must use a software encryption mechanism.
A few comments of my own on the article:
Degaussing is physical destruction.
While you might think “that’s just erasing the drive”, it’s more than that. A degaussing process scrambles all of the magnetic fields on an HDD’s platters. This includes the servo-positioning data needed for correct head alignment. There is no way to re-create this data without specialized equipment at the factory.
Once upon a time, when hard drives still used stepper motors and controller cards would count steps on the motor for head positioning (this would be 30-40 years ago now), you could perform a “low level format” to re-create the physical disk blocks that get wiped by a degauss operation. But ever since hard drives started using servo motors (which are necessary for the high track densities required by all not-completely-ancient drives), low-level formatting has become impossible outside of the factory.
In other words, unless you’ve got an incredibly ancient drive, once you degauss it, it will forever be incapable of holding data.
A hammer might completely destroy a hard drive
Although older hard drives typically have platters made of metal, modern drives (including most 2.5" and smaller drives) typically have platters made of glass or ceramic.
So hitting them with a hammer (especially after opening the case) may be enough to shatter the platters, which will completely destroy your data. If you try this with the case open, I recommend putting it in a bag first, in order to contain the shards.
About the 35-pass Gutmann algorithm
The idea behind this is that when data is overwritten on a hard drive, there is a residual magnetic afterimage of the older data. It can be viewed with a magnetic force microscope. Some people have expressed concern that this might make it possible to recover data that has been overwritten, although I have never read of an example (even anecdotally) of an organization actually recovering a file this way.
The Gutmann algorithm is based on the fact that magnetic media doesn’t directly record ones and zeros as magnetic positive and negative fields. For a variety of reasons, doing this produces data that cannot be reliably read. Instead, a variety of algorithms (e.g. GCR, MFM and RLL) are used to encode data bytes into sequences of magnetic impulses. Each byte value may be represented by several different patterns of impulses, depending on the context of the surrounding data.
This means that if you want to completely scramble the residual magnetic fields, you want to write patterns that ensure that every magnetic impulse is reversed several times. The Gutmann algorithm attempts to do this, based on all of the different encoding schemes that were in use at the time.
But it is really pointless voodoo. Modern drives encode data using hardware like PRML, PMR/CMR and SMR that are completely different from the earlier generations of magnetic media. With these, you can adequately scramble the magnetic fields just as well by writing random data over a small number of passes.
Additionally, even if you are erasing an old HDD that uses old recording hardware, you only need to write the patterns designed for the encoding your drive is using. Using all 35 passes means that in addition to writing the patterns designed to scramble the fields used by your drive, you’re also writing many patterns that are pointless for your drive.
The Wikipedia article includes a quote from Gutmann himself pointing out these factors.
Smashing and tiresome secure erasing? Why not make or copy a large unimportant file (video, audio) and duplicate it until the drive is full? Maybe do it more than once. Isn’t that the fastest, simplest, and most secure method?
Because that doesn’t work, as the article says, and as was described in even more detail in the initial TidBITS Talk discussion linked in the article.
There’s a huge difference between wiping media in a way that software can no longer recover it, and wiping media in a way that a data recovery company or government agency can no longer recover it.
The former is pretty easy to do and there are lots of different techniques.
The latter is not easy to do and for many kinds of storage devices may be impossible to guarantee predictably-secure results. As @ace wrote, read the article for the ugly details.
I beg to differ. I use this method I describe and nothing has ever been recovered. Tested by sending to pros to be recovered. Admittedly they are spinners, not SSD. Law work.
A 2TB drive cannot contain a 2TB movie and my reports. That is illogical. But I am willing to have my mind changed and be chilled. I have another set of drives due for collection, I will ask for anything more invasive/intensive on one of them.
I beg to differ with you. Short of physical destruction it is possible to potentially recover information from a spinning drive. Can’t see where or who or how…but I’ve seen the results. Not complete recovery of course and potentially no recovery at all…but in at least the couple of cases I know about some of the data was recovered.
Now…whether that’s enough to be useful is a whole different question…if it’s software then probably not but if it’s a text file or word doc or something like that…yeah, some came back…and it wasn’t cheap. Don’t recall the exact numbers but it made DriveSavers look like the Dollar General’s prices.
Intelligence work…they have more money than law work I guess.
A drive with 2TB of user-accessible storage actually has a capacity of more than 2TB. For some devices, it may be much more.
Hard drives have hot-spare blocks, in order to improve reliability over time. If a block is detected as bad by the controller firmware, its data will be relocated to a spare block. Subsequent overwriting is going to erase the swapped-in spare block, not the original, which might have recoverable data.
A recovery service that doesn’t modify the drive’s firmware will probably be unable to read data in the marked-bad blocks (that were swapped for spares). You would need to hack the drive’s firmware (or maybe use a proprietary diagnostic mode, if one exists) to bypass the normal LBA mechanism and access the physical disk sectors.
SSDs are even worse. Any SSD that isn’t complete garbage will have so-called “spare storage” in excess of what is user-accessible. This storage is maintained for a few reasons, including:
- Reliability. Like with HDDs, hot-spare flash blocks to replace those that go bad over time.
- Performance. Garbage collection algorithms can take a very long time to run, and can bog down overall device performance if there isn’t a significant pool of unused flash space. The lack of spare storage on first-generation SSDs is a big reason why they would end up performing very badly as they fill up with data. It is also a big reason why other kinds of flash storage (like SD cards and thumb drives) usually perform poorly.
Consumer SSDs typically have 5-10% more physical storage than is user-accessible. High-performance and enterprise SSDs may have a lot more - even 50% more (which is one of the reasons why these devices also cost a lot more, BTW).
When you write 2TB of data to that 2TB SSD, some of the overwritten data will remain (as garbage) in the spare storage until garbage is collected. Depending on your particular model, this may be as much as 1TB of data. You have no way of knowing what overwritten data is in that garbage storage, nor can you know when those flash cells will actually be erased (via garbage collection). A data recovery process that bypasses the SSD controller (either by directly reading the chips or by replacing the controller’s firmware) to gain access to the spare storage area will be able to read any overwritten data that has not yet been erased.
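The two points made above about TRIM and garbage collection, and about spare storage surviving a full overwrite, are easy to see in a toy model of a flash translation layer. The following is an added illustration, not code from TidBITS or from any SSD vendor: the page size, the pool sizes and the erase-only-when-out-of-pages garbage-collection policy are constructed for the example, and real controllers (block-level erase, wear counters, background GC) are far more complicated.

```python
"""Toy flash translation layer (FTL) that models two points made in this thread:
a full logical overwrite still leaves stale copies in the over-provisioned
pages, and TRIM only marks pages as garbage until the controller's garbage
collection actually erases them.  Added illustration, not TidBITS or vendor
code; page size, pool sizes and the erase-on-demand GC policy are constructed."""

PAGE = 16                      # bytes per flash page (toy value)
ZERO = bytes(PAGE)             # what a "fill the drive" wipe writes
SECRET = b"TOP-SECRET-PAGE!"   # constructed 16-byte sample of sensitive data


class ToySSD:
    def __init__(self, logical_pages: int, spare_pages: int):
        self.physical = [None] * (logical_pages + spare_pages)  # raw NAND contents
        self.lba_map = [None] * logical_pages                   # LBA -> physical page
        self.stale = set()        # pages holding superseded data, not yet erased
        self.free = list(range(len(self.physical)))            # erased, writable pages

    def _alloc(self) -> int:
        # Out-of-place writes: take a fresh page; only when none is left does this
        # toy controller bother to collect garbage.  Real firmware decides on its own.
        if not self.free:
            self.gc()
        return self.free.pop(0)

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == PAGE
        page = self._alloc()
        self.physical[page] = bytes(data)
        old = self.lba_map[lba]
        if old is not None:
            self.stale.add(old)    # the previous copy is still on the chip
        self.lba_map[lba] = page

    def read(self, lba: int):
        """What software sees through the controller."""
        page = self.lba_map[lba]
        return None if page is None else self.physical[page]

    def trim(self, lba: int) -> None:
        """TRIM: the host says the LBA is unused; the page becomes garbage, not erased."""
        old = self.lba_map[lba]
        if old is not None:
            self.stale.add(old)
            self.lba_map[lba] = None

    def gc(self) -> None:
        """Garbage collection: physically erase every stale page."""
        for page in sorted(self.stale):
            self.physical[page] = None
            self.free.append(page)
        self.stale.clear()

    def chip_dump(self) -> list:
        """What a recovery lab reading the NAND directly, bypassing the controller, sees."""
        return [p for p in self.physical if p is not None]


def secret_pages_left(ssd: ToySSD) -> int:
    return sum(1 for p in ssd.chip_dump() if p.startswith(b"TOP-SECRET"))


def overwrite_scenario(logical: int = 8, spare: int = 2):
    """Write secrets everywhere, then overwrite every LBA with zeros (the 'copy a
    big file until the drive is full' approach).  Returns (software sees only
    zeros, secret pages still physically present)."""
    ssd = ToySSD(logical, spare)
    for lba in range(logical):
        ssd.write(lba, SECRET[:-2] + bytes([lba, 0x21]))   # distinct page per LBA
    for lba in range(logical):
        ssd.write(lba, ZERO)
    software_clean = all(ssd.read(lba) == ZERO for lba in range(logical))
    return software_clean, secret_pages_left(ssd)


def trim_scenario(logical: int = 8, spare: int = 2):
    """Write secrets, TRIM every LBA.  Returns ((software reads nothing, secret
    pages still on the chip before GC), secret pages left after GC ran)."""
    ssd = ToySSD(logical, spare)
    for lba in range(logical):
        ssd.write(lba, SECRET)
    for lba in range(logical):
        ssd.trim(lba)
    before_gc = (all(ssd.read(lba) is None for lba in range(logical)),
                 secret_pages_left(ssd))
    ssd.gc()            # when the real controller does this is unknowable from outside
    return before_gc, secret_pages_left(ssd)


if __name__ == "__main__":
    print("overwrite:", overwrite_scenario())   # (True, 2): as many secret pages as spares
    print("trim:", trim_scenario())             # ((True, 8), 0)
```

In the overwrite scenario the number of secret pages left behind equals the number of spare pages, which is the thread’s point about a 2TB drive holding more than 2TB: the host can only ever address the logical capacity, so the stale copies in the over-provisioned area are beyond its reach until the controller decides to collect them.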
The article linked to does not seem to specifically mention the following and therefore seems slightly dated; I will, however, confess I only quickly skimmed the article.
For some time now Apple has fitted SSD drives to their Macs which use Apple’s own SSD controller chip rather than, as was the case longer ago, standard PCI or NVMe type SSDs which had their own drive controllers.
When using a Mac which uses Apple’s own SSD controller the drive is shipped already paired to the unique logic board of that Mac. If you happen to have one of the earliest examples of this type of Mac it might have been physically possible to remove the drive and fit it to a different logic board but that different logic board would not recognise the content as it would not have the matching logic board encryption key. Newer Macs still using Apple’s own controller now have SSD storage that is part of the logic board and cannot be removed unless you have industrial grade tools and you then still have the same logic board pairing issue.
These Macs (T2 and onwards) also come with the drive always encrypted, even if you have not yourself explicitly encrypted it. If you have not turned on FileVault there is still an active encryption key, which is the paired logic board code. Obviously with FileVault 2 not enabled it is easier to bypass logins, e.g. if Secure Boot is also disabled. The big benefit however is that since ALL these drives are encrypted, even if ‘only’ with a logic board paired code, you can then do a simple erase command. This in reality does not write blank data to the drive, nor does it delete the disk directory; it just destroys that paired encryption key and sets a new one, meaning the logic board cannot read the drive anymore and therefore treats the drive as effectively blank. The fact that the drive is always encrypted on these newer Macs is why turning on FileVault 2 is instantaneous, since all it has to do is set a new, different encryption key.
SSDs also have built-in measures which as a side effect make traditional erasing ineffective. These measures are intended to compensate for the fact that ‘flash memory’, i.e. SSD drives, have a finite number of write cycles each ‘block’ can support. So one of these measures is ‘wear levelling’. This means ‘track 1, block 1’ is virtualised on an SSD and over time might point to many, many different parts of the SSD memory chips. For the same reason they will also spot traditional ‘secure erase’ attempts and prevent them, so as to also prevent excessive ‘wear’ to the SSD.
So for the overwhelming majority of people the best option is to have FileVault 2 (or the equivalent for other operating systems, e.g. BitLocker) enabled, and when you erase it by destroying the encryption keys you render it unreadable. As mentioned, on Macs at least (and possibly newer Windows PCs also) a drive is effectively always encrypted even if you have not yourself turned it on.
For those who have a higher level of concern, physical destruction is the only option. Degaussers do not work on SSDs. I used to manage IT for a specialist law firm and had to get drives and even entire laptops physically ‘shredded’.
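The key-management behaviour described in this post (always-on encryption, FileVault being instantaneous because it only re-wraps the existing volume key, and erase meaning key destruction while the ciphertext stays on the flash) can be modelled in a few dozen lines. This is an added illustration, not TidBITS code and not Apple’s actual design: the board key, the SHA-256 keystream standing in for the controller’s AES-XTS, the wrapping format and the password KDF parameters are all constructed for the example, and only the key hierarchy is meant to mirror what the post describes.

```python
"""Toy model of an always-encrypted SSD with a wrapped volume key.  Added
illustration only; the cipher below is a stand-in for the controller's real
AES-XTS, and the key hierarchy is a simplification of what the thread describes,
not Apple's actual implementation."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, tweak: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || tweak || counter) as keystream.  Symmetric,
    so the same call encrypts and decrypts.  Chosen so the example is stdlib-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + tweak + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt a key under a key-encryption key and append a MAC so a wrong KEK is detected."""
    ct = keystream_xor(kek, b"wrap", key)
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    return keystream_xor(kek, b"wrap", ct)


class ToyEncryptedSSD:
    """Sectors are always encrypted under a random volume key; that key is only ever
    stored wrapped, either by the board key alone or by a password-derived KEK."""

    def __init__(self, board_key: bytes):
        self.board_key = board_key            # constructed: stands in for the logic-board-bound key
        self.nand = {}                        # lba -> ciphertext; what a chip-off read would see
        self.salt = os.urandom(16)
        volume_key = os.urandom(32)
        self.wrapped_board = wrap_key(board_key, volume_key)  # default: board alone unlocks
        self.wrapped_password = None                          # set once "FileVault" is on

    def _kek_from_password(self, password: str) -> bytes:
        # Both the password and the board key feed the KEK: the flash is useless off this board.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt + self.board_key, 100_000)

    def unlock(self, password: str = None):
        """Return the volume key or None.  No FileVault: the board alone is enough."""
        if self.wrapped_password is None:
            return unwrap_key(self.board_key, self.wrapped_board)
        if password is None:
            return None
        return unwrap_key(self._kek_from_password(password), self.wrapped_password)

    def enable_filevault(self, password: str) -> None:
        """Instantaneous: re-wrap the existing volume key; no sector is touched."""
        volume_key = unwrap_key(self.board_key, self.wrapped_board)
        self.wrapped_password = wrap_key(self._kek_from_password(password), volume_key)
        self.wrapped_board = None             # board alone is no longer sufficient

    def write(self, lba: int, plaintext: bytes, volume_key: bytes) -> None:
        self.nand[lba] = keystream_xor(volume_key, lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int, volume_key: bytes) -> bytes:
        return keystream_xor(volume_key, lba.to_bytes(8, "big"), self.nand[lba])

    def crypto_erase(self) -> None:
        """'Erase' = discard every wrapped copy of the old volume key and mint a new one.
        The ciphertext on the NAND is left exactly where it was."""
        self.wrapped_board = wrap_key(self.board_key, os.urandom(32))
        self.wrapped_password = None


def demo():
    ssd = ssd = ToyEncryptedSSD(board_key=os.urandom(32))
    secret = b"client list: constructed sample plaintext"
    ssd.write(0, secret, ssd.unlock())             # no FileVault yet: board alone unlocks
    nand_before = dict(ssd.nand)

    ssd.enable_filevault("correct horse battery staple")
    no_rewrite = ssd.nand == nand_before           # turning FileVault on rewrote nothing
    board_only = ssd.unlock()                      # None: password now required
    readable = ssd.read(0, ssd.unlock("correct horse battery staple")) == secret
    wrong_pw = ssd.unlock("wrong password")        # None: MAC check fails

    ssd.crypto_erase()
    still_on_nand = ssd.nand == nand_before        # ciphertext physically untouched
    recovered = ssd.read(0, ssd.unlock()) == secret  # False: new key, old ciphertext is noise
    return no_rewrite, board_only is None, readable, wrong_pw is None, still_on_nand, recovered


if __name__ == "__main__":
    print(demo())   # (True, True, True, True, True, False)
```

The last two values are the whole argument for crypto-erase: the bytes on the chips never change, so a chip-off read after the erase yields exactly the ciphertext that was there before, and without the destroyed volume key that ciphertext is indistinguishable from noise. It also shows why this only helps if the drive was encrypted from the first write; the post’s caveat that external drives and older Macs need software encryption follows directly.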
This is, in fact, a very good tl;dr summary for the article.
This is important. Although the T2 (or Apple Silicon) will encrypt the data, that only serves to prevent the flash memory from being moved to another computer. If you don’t enable FileVault, then you can boot another operating system (e.g. a macOS installer), boot to Recovery mode, or use Target Disk mode to access the internal file system. With FileVault, however, this kind of access requires the password to unlock the device.
BTW, flash modules are removable on Mac Pros and on Mac Studios. But after being moved to a new Mac, they need to be paired with it, which re-generates the keys and effectively wipes the contents. On T2 Macs, you can use Apple’s Configurator 2 software to do this. I don’t know if it is yet possible to do it for Apple Silicon Macs.
Does this also apply to external drives?
External drives are not managed by a Mac’s built-in SSD controller (T2 or Apple Silicon). As such, they are not automatically encrypted. If you don’t encrypt the content yourself (e.g. with FileVault) then anybody can access its content, simply by plugging it into their own computer.
FWIW, I generally don’t encrypt my external media, because I move my external drives between Mac, Windows and Linux computers. But I will encrypt sensitive data that I store on them, either via an encrypted disk image, a password-protected zip file, or a password-protected document (e.g. via Microsoft Office, which encrypts password-protected documents).