How to Securely Erase a Mac’s SSD or Hard Drive

There’s a huge difference between wiping media in a way that software can no longer recover it, and wiping media in a way that a data recovery company or government agency can no longer recover it.

The former is pretty easy to do and there are lots of different techniques.

The latter is not easy to do and for many kinds of storage devices may be impossible to guarantee predictably-secure results. As @ace wrote, read the article for the ugly details.

1 Like

I beg to differ. I use this method I describe and nothing has ever been recovered. Tested by sending to pros to be recovered. Admittedly they are spinners, not SSDs. Law work.
A 2TB drive cannot contain a 2TB movie and my reports. That is illogical. But I am willing to have my mind changed and be chilled. I have another set of drives due for collection; I will ask for anything more invasive/intensive on one of them.

I beg to differ with you. Short of physical destruction it is possible to potentially recover information from a spinning drive. Can’t see where or who or how…but I’ve seen the results. Not complete recovery of course and potentially no recovery at all…but in at least the couple of cases I know about some of the data was recovered.

Now…whether that’s enough to be useful is a whole different question…if it’s software then probably not but if it’s a text file or word doc or something like that…yeah, some came back…and it wasn’t cheap. Don’t recall the exact numbers but it made DriveSavers look like the Dollar General’s prices.

Intelligence work…they have more money than law work I guess.

1 Like

A drive with 2TB of user-accessible storage actually has a capacity of more than 2TB. For some devices, it may be much more.

Hard drives have hot-spare blocks, in order to improve reliability over time. If a block is detected as bad by the controller firmware, its data will be relocated to a spare block. Subsequent overwriting is going to erase the swapped-in spare block, not the original, which might have recoverable data.

A recovery service that doesn’t modify the drive’s firmware will probably be unable to read data in the marked-bad blocks (that were swapped for spares). You would need to hack the drive’s firmware (or maybe use a proprietary diagnostic mode, if one exists) to bypass the normal LBA mechanism and access the physical disk sectors.

SSDs are even worse. Any SSD that isn’t complete garbage will have so-called “spare storage” in excess of what is user-accessible. This storage is maintained for a few reasons, including:

  • Reliability. Like with HDDs, hot-spare flash blocks to replace those that go bad over time.
  • Performance. Garbage collection algorithms can take a very long time to run, and can bog-down overall device performance if there isn’t a significant pool of unused flash space. The lack of spare storage on first generation SSDs is a big reason why they would end up performing very badly as they fill up with data. It is also a big reason why other kinds of flash storage (like SD cards and thumb drives) usually perform poorly.

Consumer SSDs typically have 5-10% more physical storage than is user-accessible. High-performance and enterprise SSDs may have a lot more - even 50% more (which is one of the reasons why these devices also cost a lot more, BTW).

When you write 2TB of data to that 2TB SSD, some of the overwritten data will remain (as garbage) in the spare storage until garbage is collected. Depending on your particular model, this may be as much as 1TB of data. You have no way of knowing what overwritten data is in that garbage storage, nor can you know when those flash cells will actually be erased (via garbage collection). A data recovery process that bypasses the SSD controller (either by directly reading the chips or by replacing the controller’s firmware) to gain access to the spare storage area will be able to read any overwritten data that has not yet been erased.

4 Likes

The article linked to does not seem to specifically mention the following and therefore seems slightly dated; I will, however, confess I only quickly skimmed the article.

For some time now Apple has fitted SSD drives to their Macs which use Apple’s own SSD controller chip rather than, as was the case longer ago, using standard PCI or NVMe type SSDs which had their own drive controllers.

When using a Mac which uses Apple’s own SSD controller the drive is shipped already paired to the unique logic board of that Mac. If you happen to have one of the earliest examples of this type of Mac it might have been physically possible to remove the drive and fit it to a different logic board but that different logic board would not recognise the content as it would not have the matching logic board encryption key. Newer Macs still using Apple’s own controller now have SSD storage that is part of the logic board and cannot be removed unless you have industrial grade tools and you then still have the same logic board pairing issue.

These Macs - T2 and onwards - also come with the drive always encrypted - even if you have not yourself explicitly encrypted it. If you have not turned on FileVault there is still an active encryption key which is the paired logic board code. Obviously with FileVault2 not enabled it is easier to bypass logins e.g. if SecureBoot is also disabled. The big benefit however is that since ALL these drives are encrypted even if ‘only’ with a logic board paired code you can then do a simple erase command. This in reality does not write blank data to the drive, nor does it delete the disk directory; it just destroys that paired encryption key and sets a new one, meaning the logic board cannot read the drive anymore and therefore treats the drive as effectively blank. The fact that the drive is always encrypted on these newer Macs is why turning on FileVault2 is instantaneous, since all it has to do is set a new different encryption key.

SSDs also have built-in measures which as a side effect make traditional erasing ineffective. These measures are intended to compensate for the fact the ‘flash memory’ i.e. SSD drives have a finite number of write cycles each ‘block’ can support. So one of these measures is ‘wear levelling’. This means ‘track 1, block 1’ is virtualised on an SSD and over time might point to many, many different parts of the SSD memory chips. They also for the same reason will spot traditional ‘secure erase’ attempts and prevent them so as to also prevent excessive ‘wear’ to the SSD.

So for the overwhelming majority of people the best option is to have FileVault2 or equivalent for other operating systems (e.g. BitLocker) enabled, and when you erase it by destroying the encryption keys you render it unreadable. As mentioned, on Macs at least (and possibly newer Windows PCs also) a drive is effectively always encrypted even if you have not yourself turned it on.

For those who have a higher level of concern, physical destruction is the only option. Degaussers do not work on SSDs. I used to manage IT for a specialist law firm and had to get drives and even entire laptops physically ‘shredded’.

3 Likes

This is, in fact, a very good tl;dr summary for the article.

This is important. Although the T2 (or Apple Silicon) will encrypt the data, that only serves to prevent the flash memory from being moved to another computer. If you don’t enable FileVault, then you can boot another operating system (e.g. a macOS installer), boot to Recovery mode, or use Target Disk mode to access the internal file system. With FileVault, however, this kind of access requires the password to unlock the device.

BTW, flash modules are removable on Mac Pros and on Mac Studios. But after being moved to a new Mac, they need to be paired with it, which re-generates the keys and effectively wipes the contents. On T2 Macs, you can use Apple’s Configurator 2 software to do this. I don’t know if it is yet possible to do it for Apple Silicon Macs.

2 Likes

Does this also apply to external drives?

External drives are not managed by a Mac’s built-in SSD controller (T2 or Apple Silicon). As such, they are not automatically encrypted. If you don’t encrypt the content yourself (e.g. with FileVault) then anybody can access its content, simply by plugging it into their own computer.

FWIW, I generally don’t encrypt my external media, because I move my external drives between Mac, Windows and Linux computers. But I will encrypt sensitive data that I store on them, either via an encrypted disk image, password-protected zip file, or a password-protected document (e.g. via Microsoft Office - which encrypts password-protected documents.)

1 Like

That won’t work on APFS. Even aside from how SSDs actually work, it’s already bound to fail on the FS level.

On APFS, when you “copy a file” the bits of that file do not get duplicated on your platter or flash. There’s merely a couple pointers that get added in your FS table. That’s why these days on APFS the Finder can duplicate a 100GB file in 2 sec. 👍

I think folks would be wise to go read the original thread first. A whole bunch of stuff is being repeated here that was detailed at length already over there. Read count > post count IMHO.

The link is of course front and center in @ace’s nice article, but perhaps some folks are not even reading that. So here. Read this first:

3 Likes

True…but I remember a terminal command using cat and pointing it to device /null will create a new file of all 1s or 0s…let that fill the disk, erase, and repeat a couple times with reboots in the middle after erasing any vm files as well from /etc/var or wherever they live…can’t remember off the top of my head…that will be sufficient I think to remove your data from any casual or even more than casual user…as previously noted only physical destruction is a guarantee and that means you can’t trade it in or pass it on. One could also just record a very long video from the camera until the drive fills as well…but again not perfect as any of the marked don’t-use blocks could still potentially have some data…but again short of destruction some of that might remain.

But seriously…for most normal people…and even the majority of greater than normal people…the above should be sufficient…and the greater than greater than normal VIP type people have enough money to not worry about a trade in just don’t worry and just smash it with a sledge hammer works just fine.

As a long time computer security guy…don’t forget that better is the enemy of good enough. Back when I worked in the ‘in the closets’ world…we just hit the dead drives with a sledge to break them open, pulled the platters and tossed them into a box in the server room…and every year or so me and one of my buddies would get ourselves a couple of Marines, arm the 4 of us with 1911s, and take them out to a local foundry who melted them for us. Some of the slightly less sensitive stuff we could have used the giant computer shredder…think of a wood chipper on steroids that could shred an entire computer into confetti…but separating the drives was too hard since we had to melt some of them anyway…and trying to get permission to use the shredder for all ran into the ‘we’ve always done it this way’ problem.

The rules never caught up to the tech.

1 Like

There ya go suggesting common sense Simon…this is the intertubes and I’m not sure that’s legal. :-)

Seriously though…if the drive was encrypted from the get go…the crypto erase is good. If some data got written to it before encryption then potentially blocks containing data got swapped out as bad…and I don’t know enough about the encryption part of macOS to know whether those swapped out blocks get encrypted or not…if so crypto erase is still fine but if not…eh maybe not. That gets you back to still good enough for almost all purposes or destruction if you’re really paranoid…and I highly doubt that Samsung is going to do anything with the old drive besides toss it in the landfill or send it to the recycling folk if it has some value there.

neil

The three kinds of stress…nuclear, cooking and a&&hole. Jello is the key to the relationship.

This is no different from diskutil’s secure-erase (overwrite with one or more passes of zeros or random data).

But, for reasons already mentioned above, that will only wipe software-accessible data. It won’t necessarily wipe data that is inaccessible, but could possibly be recovered by someone able to bypass the device’s normal firmware (hot-spare blocks, SSD garbage blocks, etc.)

And although I haven’t seen actual reports, it wouldn’t surprise me if some SSD firmware takes shortcuts (optimizations?) like marking a block as garbage without writing anything when you write all-zeros to a block (which you would never see as a user, since a logical block that isn’t mapped to physical storage will simply read back as all-zeros).

Hardware de-duplication (assigning two logical blocks to a single physical block when the data is identical) is also something that wouldn’t surprise me (depending on what kind of files are stored on the device, this could greatly reduce the number of write cycles on the flash storage.)

Modern storage is far too complicated to assume that simple solutions, which worked just fine in the 80’s and 90’s, are going to work as expected today.

If you don’t think the next person in possession of your drive will send it to a data recovery company or a government agency, then a simple one-pass erase (or reformatting with TRIM) is sufficient. But there are plenty of people (some of whom are probably represented here) who don’t believe they can afford to take that chance.

Then physical destruction is really the only viable option…because we just don’t know how the device firmware works.

2 Likes

… or encryption. Encrypt the drive when it is new - before you add any content. Then at disposal time, reformat it and change/lose the key. Any data remaining in the garbage space will be encrypted with a key that nobody has, and will be meaningless to anyone scavenging it for data.

… and now we’re back to the article’s conclusions. 🙂

2 Likes
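An added toy model, not from this thread or from any vendor’s firmware, that ties together the earlier post’s point about over-provisioning and wear levelling (overwrites land on fresh physical pages, leaving the old copy as garbage) with this post’s point that crypto-erase only works if the drive was encrypted before any content was written. The flash translation layer, the sha256-keystream “cipher” and the `CLIENT-REPORT-01` sample page are constructed stand-ins for illustration only.

```python
import os
from hashlib import sha256

PAGE = 16  # bytes per flash page in this toy model

class ToySSD:
    def __init__(self, logical_pages, spare_pages, key=None):
        self.flash = [bytes(PAGE)] * (logical_pages + spare_pages)
        self.free = list(range(logical_pages + spare_pages))
        self.map = {}          # logical page number -> physical page number
        self.key = key         # drive-wide key; None models an unencrypted drive

    def _xform(self, lpn, data):
        # Toy per-page keystream from sha256(key || lpn); an illustrative stand-in
        # for the controller's AES, not real crypto.
        if self.key is None:
            return data
        ks = sha256(self.key + lpn.to_bytes(4, "big")).digest()[:PAGE]
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, lpn, data):
        # Wear levelling: the old physical page is NOT overwritten in place;
        # it lingers as garbage until garbage collection erases it.
        ppn = self.free.pop(0)
        self.flash[ppn] = self._xform(lpn, data)
        self.map[lpn] = ppn

    def read(self, lpn):      # the host's view, through the controller
        return self._xform(lpn, self.flash[self.map[lpn]])

    def raw_dump(self):       # a chip-off reader's view, bypassing the FTL
        return b"".join(self.flash)

    def crypto_erase(self):   # what a T2/Apple Silicon "erase" amounts to
        self.key = os.urandom(32)            # old key is gone; cells untouched
        self.map.clear()

SECRET = b"CLIENT-REPORT-01"   # constructed sample data, exactly one page

def overwrite_leaves_remnants():
    ssd = ToySSD(logical_pages=4, spare_pages=2)
    ssd.write(0, SECRET)
    ssd.write(0, bytes(PAGE))                # "secure" overwrite with zeros
    return ssd.read(0) == bytes(PAGE) and SECRET in ssd.raw_dump()

def crypto_erase_defeats_chip_off(encrypt_from_day_one):
    ssd = ToySSD(4, 2, key=os.urandom(32) if encrypt_from_day_one else None)
    ssd.write(0, SECRET)
    if not encrypt_from_day_one:             # key turned on after data existed
        ssd.key = os.urandom(32)
    ssd.write(0, bytes(PAGE))
    ssd.crypto_erase()
    return SECRET not in ssd.raw_dump()
```

`overwrite_leaves_remnants()` returns True (the OS reads zeros, the raw flash still holds the report); `crypto_erase_defeats_chip_off(True)` returns True, while passing False shows the plaintext written before encryption survives the key change.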

Yep…that’s the only choice except for destruction if one is either that paranoid or has NDA or HIPAA or legal dealings or whatever on the drive, so that only 100% non-recoverability is acceptable. However…most of us don’t fall into those categories…and absent those cases, which every user must decide for themselves…erasing the drive, new partition and encrypted, fill with a large file or a series of large files that aren’t duplicates, then deleting the key is good enough for the majority of users since most people aren’t really going to pay the money to see if they can recover anything.

I went over this thread a couple of times; unfortunately most of the information is over my head. I have a 2019 MacBook Air I plan to trade in/recycle to Apple so I obviously need to keep the drive intact. Apple’s instructions are simply to erase, then install a new system – no mention of safe-reboot per @ernst

Do we even know what Apple does with these trade-ins …?

The computer had FileVault at some point, which was removed when it exchanged hands within the family, so it’s no longer encrypted.

Appreciate any insight, Brenda

A 2019 MacBook Air has a T2 chip and the flash memory is soldered to the board.

Since there is a T2, the data is already encrypted and therefore can not be accessed if the T2 is bypassed (e.g. by removing the chips). FileVault on this Mac simply associates a password with the encryption keys, but doesn’t actually change the underlying behavior.

So an erase-and-reinstall from Recovery mode should be sufficient to securely erase everything. Erasing the volume will cause TRIM to be called for the entire volume, marking all the old data as garbage, and making it inaccessible to software. And since the chips are cryptographically tied to the SSD controller (the T2), there is no other way to access it.

I suppose it is theoretically possible for someone to replace the T2’s firmware with something that could provide access to the garbage data, but as far as I know, only Apple would have the ability to develop this firmware and based on everything I’ve read, I think they would refuse to do this (just like they refused to develop firmware that would let the FBI bypass iPhone security), and even if they did, I suspect it wouldn’t work unless the replacement firmware was installed before you erased the SSD.

In other words, unless you’ve got something so secret that government agencies are trying to force their way in, I would just follow Apple’s instructions and be comfortable with the result.

2 Likes

Thanks so much, David. I really appreciate it.