How to Securely Erase a Mac SSD

By  /  May 31st, 2016

If you’re prepping your Mac for sale, trade-in or handing it down to a friend or relative, you should erase the hard drive first – that way your data won’t fall into the wrong hands. If your Mac is newer and has an SSD, you need to take additional steps.

Securely erasing your Mac’s hard drive

We’ve already covered how to prep your Mac’s hard drive to make sure that what’s on the drive is securely deleted. Using a process called “zeroing out,” you overwrite the entire contents of the disk with binary zeroes.

Users who need even more security can use a 7-pass erase feature that writes data over free disk space seven times. Short of someone hitting the hard drive with really expensive forensics gear, this guarantees your data is gone for good.

There’s a hitch, though: Those instructions only apply to older Macs with conventional hard disk drives. They do not help if you have an SSD.

Securely erasing SSDs, and why not to

Most new Macs ship with solid state drives (SSDs). Only the iMac and Mac mini ship with regular hard drives anymore, and even those are available in pure SSD variants if you want.

If your Mac comes equipped with an SSD, Apple’s Disk Utility software won’t actually let you zero the hard drive.

Wait, what?

In a tech note posted to Apple’s own online knowledgebase, Apple explains that you don’t need to securely erase your Mac’s SSD:

With an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD.

In fact, some folks will tell you not to zero out the data on an SSD, since it can cause wear and tear on the memory cells that, over time, can affect its reliability. I don’t think that’s nearly as big an issue as it used to be – SSD reliability and longevity have improved.

If “Standard Erase” doesn’t quite make you feel comfortable that your data can’t be recovered, there are a couple of options.

FileVault keeps your data safe

One way to make sure that your SSD’s data remains secure is to use FileVault. FileVault is whole-disk encryption for the Mac. With FileVault engaged, you need a password to access the information on your hard drive. Without it, that data stays encrypted and unreadable.

There’s one potential downside of FileVault – if you lose your password or the encryption key, you’re screwed: You’re not getting your data back any time soon. Based on my experience working at a Mac repair shop, losing a FileVault key happens more frequently than it should.

When you first set up a new Mac, you’re given the option of turning FileVault on. If you don’t do it then, you can turn on FileVault at any time by clicking on your Mac’s System Preferences, clicking on Security & Privacy, and clicking on the FileVault tab. Be warned, however, that the initial encryption process can take hours, as will decryption if you ever need to turn FileVault off.

With FileVault turned on, you can restart your Mac into its Recovery System (by restarting the Mac while holding down the command and R keys) and erase the hard drive using Disk Utility, once you’ve unlocked it (by selecting the disk, clicking the File menu, and clicking Unlock). That deletes the FileVault key, which means any data on the drive is useless.

FileVault doesn’t impact the performance of most modern Macs, though I’d suggest only using it if your Mac has an SSD, not a conventional hard disk drive.

Securely erasing free space on your SSD

If you don’t want to take Apple’s word for it, if you’re not using FileVault, or if you just want to, there is a way to securely erase free space on your SSD. It’s a little more involved but it works.

Before we get into the nitty-gritty, let me state for the record that this really isn’t necessary to do, which is why Apple’s made it so hard to do. But if you’re set on it, you’ll need to use Apple’s Terminal app. Terminal provides you with command line interface access to the OS X operating system. Terminal lives in the Utilities folder, but you can access Terminal from the Mac’s Recovery System, as well. Once your Mac has booted into the Recovery partition, click the Utilities menu and select Terminal to launch it.

From a Terminal command line, type:

    diskutil secureErase freespace VALUE /Volumes/DRIVE

That tells your Mac to securely erase the free space on your SSD. You’ll need to change VALUE to a number between 0 and 4: 0 is a single-pass run of zeroes; 1 is a single-pass run of random numbers; 2 is a 7-pass erase; 3 is a 35-pass erase; and 4 is a 3-pass erase. DRIVE should be changed to the name of your hard drive. To run a 7-pass erase on an SSD named “Peters-Macbook”, you would enter the following:

    diskutil secureErase freespace 2 /Volumes/Peters-Macbook

And remember, if you used a space in the name of your Mac’s hard drive, you need to insert a leading backslash before the space. For example, to run a 35-pass erase on a hard drive called “Macintosh HD” you enter the following:

    diskutil secureErase freespace 3 /Volumes/Macintosh\ HD

Something to remember is that the more extensive the erase procedure, the longer it will take.

Your type of drive

One final thing, and maybe this should have been first: before you can securely erase your files on your Mac, you need to know whether you have a standard hard drive or an SSD. To find out, or at least to make sure, click the Apple menu and select “About This Mac”. Once there, select the “Storage” tab to see which drive is in your system.
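
As an added example (not from the original article), this POSIX shell script checks the drive type and assembles the `diskutil secureErase freespace` command with a validated VALUE and an escaped volume name. The function names, the constructed `diskutil info` sample and the use of its `Solid State` field as a Terminal stand-in for the Storage tab are assumptions of this example.

```shell
#!/bin/sh
# Added example: builds the article's diskutil command; it never runs diskutil.

# Constructed, trimmed sample of `diskutil info` output so this runs offline.
SAMPLE_INFO='   Device Node:              /dev/disk1
   Volume Name:              Macintosh HD
   Solid State:              Yes'

# Succeeds when `diskutil info` text on stdin reports "Solid State: Yes".
is_solid_state() {
    awk -F': *' '/^ *Solid State:/ { ssd = ($2 ~ /^Yes/) } END { exit !ssd }'
}

# Maps the article's VALUE (0-4) to the pass scheme; fails on anything else.
pass_description() {
    case "$1" in
        0) echo "single pass of zeroes" ;;
        1) echo "single pass of random numbers" ;;
        2) echo "7-pass erase" ;;
        3) echo "35-pass erase" ;;
        4) echo "3-pass erase" ;;
        *) return 1 ;;
    esac
}

# Prints the command for VALUE ($1) and volume name ($2), backslash-escaping
# spaces and other shell-special characters as the article does by hand.
erase_command() {
    pass_description "$1" >/dev/null || { echo "VALUE must be 0-4" >&2; return 1; }
    case "$2" in
        ''|*/*) echo "volume name must be non-empty, without slashes" >&2; return 1 ;;
    esac
    ec_path=$(printf '%s\n' "/Volumes/$2" | sed 's|[^A-Za-z0-9_./-]|\\&|g')
    printf 'diskutil secureErase freespace %s %s\n' "$1" "$ec_path"
}

# Demo on the constructed sample: report the drive type, then show the command.
if printf '%s\n' "$SAMPLE_INFO" | is_solid_state; then
    echo "Solid-state drive: standard erase or FileVault comes first."
fi
echo "# $(pass_description 3):"
erase_command 3 "Macintosh HD"
```

On a Mac, feed it the real output instead of the sample with `diskutil info / | is_solid_state`.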

Peter Cohen
Peter will never give you up, never let you down, never run around or desert you. He also manages the Backblaze blog.

  • Use Bootcamp Assistant

    When ready to wipe the internal hard drive(s) SSD or spindle, I recommend creating a USB Mac OS installer drive (many websites describe how to create them) and then using BootCamp Assistant also create a USB Boot Camp Windows Installer drive. Two 8GB or 16GB USB drives are inexpensive to acquire. When you reboot the Mac to “install” Windows, at the format the BootCamp Partition screen simply delete every partition on every drive until the hard drives are unallocated (i.e., no partitions of any kind). Then cancel the process and reboot with the Mac OS USB Installer drive, use the Mac OS Disk Utilities to format and install a clean copy of Mac OS, and you know there are no easily recoverable remnants of any kind of your prior work left on the Mac. It’s similar to running the Clean command (see Note below) at a Windows CMD Prompt (a.k.a., Mac Terminal), and the hard drives remain inside the Mac. You may even wish to reformat and un-allocate the drives at the Windows format screen for a little more peace of mind. Short of running a DBAN-type zeroing program, it’s a reasonably easy way to completely wipe the data off the drive, and it doesn’t add any wear and tear to the drive like a DBAN program would. Peace of mind at point of departure – a beautiful thing.

    Note: The Windows 10 Bootcamp Assistant USB drive can also be used on other Macs. Plug the USB into another Mac, and upon the Mac boot chime, hold down the Option key, and choose the EFI Boot drive option for startup. If you choose Repair your computer at the Install now screen, you may go to the Troubleshoot, Advanced options screen, and choose Command Prompt. There you may follow the directions posted on many sites for how to use the Windows cmd.exe Clean command (i.e., At the cmd prompt type diskpart, list disk, select disk x, list disk again to see the asterisk by the chosen drive, then type clean or even clean all if you wish to zero out the drive). Use with caution. This method also removes ALL partitions and using the clean all command – which may take a very long time depending on the size of the drive – means even the NSA would have a tough time retrieving data from the re-initialized drive. The nicety of this approach is that the internal hard drive is pristine and made like new before undertaking a reinstall of MacOS. Similar to my comment above – being able to easily run the Windows clean command on an internal Macintosh drive to make it pristine – also a beautiful thing.

    Note 2: I usually do not use the clean all command or zero SSDs because research suggests the process adds additional wear to the storage device itself and shortens the lifespan more than on spindle HDs. In any case, writing over an unallocated and reinitialized drive with a new OS install makes the device essentially like new and should be enough for almost anyone. Otherwise, for those more paranoid, replacing the drive is the only real proven alternative. Any digital data security and/or encryption method used today including FileVault is prone to future attack and failure. Acoustic cryptanalysis, brute force attacks, and research on how Diffie-Hellman fails in practice have taught us that over time. Plus, do we really know there is no form of a back-door strategy or method to un-encrypt any security protocol provided to the end user? No, we really don’t – we trust that is the case. For most people, the clean command with a reformat is more than enough. The remaining folks should probably consider replacing the hard drive or not selling the device. A hammer to a hard drive has been shown to make data tough to recover.

  • I’m Right You’re Wrong

    Dude, this really helped. Thanks so much!

  • eyes_open46

    Longest most vacuous article I’ve read on the topic. Huge waste of time.

  • Mary Sue

    Is there a way to see what data is recoverable? Ok, so I am nowhere near as intelligent as you guys, but help a girl out. If I did my bill paying and banking on it, are account numbers or logins recoverable?

  • Most SSDs have a “security erase” command you can send to it, and it’ll erase all the blocks in parallel, even the parts the computer doesn’t see. Takes about 2 minutes. Unfortunately, I have not found any way of sending this command from a Mac. There’s various howtos out there on how to do this from Linux using the “hdparm” command, and I’ve used these successfully in the past. However, it’ll also require you to plug the drive directly into a SATA connector: USB controllers will prohibit the necessary “SCSI” commands being sent.

    • Scunner Darkly

      I was also wondering if this was possible from within Terminal which is what led me to this page. The “internal SATA secure erase” function supported by SSDs should not be overlooked as being simply unnecessary, it’s actually extremely useful due to its ability to completely erase all cells in a single pass (without incurring the write-amplification incurred by a zero-fill), generally taking seconds in my experience. Importantly (and a point not touched on in this article), the internal secure erase function on SSDs returns the drive to its “factory” state and restores its performance to that of a new device as all cells have been effectively zeroed.

      There IS a way to do this on a Mac, Parted Magic is the tool you need. It boots a Linux distro with various tools including an erase utility. The utility offers both “internal” erase (handled internally by the drive) and “external” software-based erase routines. Again, from experience, this is a very effective tool but it’s not free – hence my wondering if there was a method of sending the internal secure erase command via Terminal.

  • brerlappin

    Hi! What would you recommend doing for Fusion Drives? Thanks!

  • I don’t recall the title or author but I found an academic paper which found that you could “logically” secure-erase an SSD such that the SSD itself would not give up any securely-erased bits, but that, depending on the methods of how the hard drive was assembled, &c. they were able to disassemble some SSDs, pull the chips out, and without too much effort they could still read several fragments of the “securely erased” data.

    The take-away being that unless you really really really know how the drive is built, &c. you can not reliably “secure erase” an SSD if you are really really really paranoid about your data.

    The good thing is that if you are merely really paranoid, then the very first thing you’ll do on a new Mac is to activate FileVault and set a difficult-to-crack password. That way, the data on the chips doesn’t mean jack unless you supply credentials to unencrypt it. No need to “secure erase” if you “secure write” your data …

    -d

    • “The good thing is that if you are merely really paranoid, then the very first thing you’ll do on a new Mac is to activate FileVault and set a difficult-to-crack password.”

      Good plan! I’m actually covering FileVault in more depth in a new blog post.