How to Securely Erase a Mac SSD

May 31st, 2016


If you’re prepping your Mac for sale, trade-in or handing it down to a friend or relative, you should erase the hard drive first – that way your data won’t fall into the wrong hands. If your Mac is newer and has an SSD, you need to take additional steps.

Securely erasing your Mac’s hard drive

We’ve already covered how to prep your Mac’s hard drive to make sure that what’s on the drive is securely deleted. Using a process called “zeroing out,” you overwrite the entire contents of the disk with binary zeroes.

Users with a need for even more security can use a 7-pass erase feature that writes data over free disk space seven times. Short of hitting the hard drive with really expensive forensics gear, this guarantees that your data is gone for good.

There’s a hitch, though: Those instructions only apply to older Macs with conventional hard disk drives. They do not help if you have an SSD.

Securely erasing SSDs, and why not to

Most new Macs ship with solid state drives (SSDs). Only the iMac and Mac mini ship with regular hard drives anymore, and even those are available in pure SSD variants if you want.

If your Mac comes equipped with an SSD, Apple’s Disk Utility software won’t actually let you zero the hard drive.

Wait, what?

In a tech note posted to Apple’s own online knowledgebase, Apple explains that you don’t need to securely erase your Mac’s SSD:

With an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD.

In fact, some folks will tell you not to zero out the data on an SSD, since it can cause wear and tear on the memory cells that, over time, can affect its reliability. I don’t think that’s nearly as big an issue as it used to be – SSD reliability and longevity have improved.

If “Standard Erase” doesn’t quite make you feel comfortable that your data can’t be recovered, there are a couple of options.

FileVault keeps your data safe

One way to make sure that your SSD’s data remains secure is to use FileVault. FileVault is whole-disk encryption for the Mac. With FileVault engaged, you need a password to access the information on your hard drive. Without it, that data is encrypted.

There’s one potential downside of FileVault – if you lose your password or the encryption key, you’re screwed: You’re not getting your data back any time soon. Based on my experience working at a Mac repair shop, losing a FileVault key happens more frequently than it should.

When you first set up a new Mac, you’re given the option of turning FileVault on. If you don’t do it then, you can turn on FileVault at any time by clicking on your Mac’s System Preferences, clicking on Security & Privacy, and clicking on the FileVault tab. Be warned, however, that the initial encryption process can take hours, as will decryption if you ever need to turn FileVault off.

With FileVault turned on, you can restart your Mac into its Recovery System (by restarting the Mac while holding down the command and R keys) and erase the hard drive using Disk Utility, once you’ve unlocked it (by selecting the disk, clicking the File menu, and clicking Unlock). That deletes the FileVault key, which means any data on the drive is useless.

FileVault doesn’t impact the performance of most modern Macs, though I’d suggest only using it if your Mac has an SSD, not a conventional hard disk drive.

Securely erasing free space on your SSD

If you don’t want to take Apple’s word for it, if you’re not using FileVault, or if you just want to, there is a way to securely erase free space on your SSD. It’s a little more involved but it works.

Before we get into the nitty-gritty, let me state for the record that this really isn’t necessary to do, which is why Apple’s made it so hard to do. But if you’re set on it, you’ll need to use Apple’s Terminal app. Terminal provides you with command line interface access to the OS X operating system. Terminal lives in the Utilities folder, but you can access Terminal from the Mac’s Recovery System, as well. Once your Mac has booted into the Recovery partition, click the Utilities menu and select Terminal to launch it.

From a Terminal command line, type:

    diskutil secureErase freespace VALUE /Volumes/DRIVE

That tells your Mac to securely erase the free space on your SSD. You’ll need to change VALUE to a number between 0 and 4. 0 is a single-pass run of zeroes; 1 is a single-pass run of random numbers; 2 is a 7-pass erase; 3 is a 35-pass erase; and 4 is a 3-pass erase. DRIVE should be changed to the name of your hard drive. To run a 7-pass erase of your SSD drive in “Peters-Macbook”, you would enter the following:

    diskutil secureErase freespace 2 /Volumes/Peters-Macbook

And remember, if you used a space in the name of your Mac’s hard drive, you need to insert a leading backslash before the space. For example, to run a 35-pass erase on a hard drive called “Macintosh HD” you enter the following:

    diskutil secureErase freespace 3 /Volumes/Macintosh\ HD

Something to remember is that the more extensive the erase procedure, the longer it will take.

Your type of drive

One final thing, and maybe this should have been first: before you can securely erase the files on your Mac, you need to know whether you have a standard hard drive or an SSD. To find out, or at least to make sure, click on the Apple menu and select “About this Mac”. Once there, select the “Storage” tab to see which drive is in your system.
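The two Terminal steps above (checking the drive type and building the `diskutil secureErase freespace` command) can be scripted. The following is an added example, not code from the original article; the function names and the sample `diskutil info` text are constructed for illustration, and the escaping of volume names goes beyond the article's space-only rule.

```shell
#!/bin/sh
# Added example; function names and the sample text are constructed for illustration.

# Meaning of VALUE for `diskutil secureErase freespace`, as listed in the article.
erase_level_name() {
    case "$1" in
        0) echo "single-pass zeroes" ;;
        1) echo "single-pass random" ;;
        2) echo "7-pass" ;;
        3) echo "35-pass" ;;
        4) echo "3-pass" ;;
        *) return 1 ;;
    esac
}

# Read `diskutil info` output on stdin; print ssd, hdd or unknown
# according to its "Solid State:" line.
drive_type() {
    awk -F': *' '/^ *Solid State:/ { v = $2 }
        END { if (v ~ /^Yes/) print "ssd"
              else if (v ~ /^No/) print "hdd"
              else print "unknown" }'
}

# Print the erase command for a volume name. Rejects levels outside 0-4 and
# names that are empty or contain "/", then backslash-escapes every character
# outside [A-Za-z0-9._-] (the article's rule for spaces, generalized).
build_erase_cmd() {
    level=$1
    name=$2
    erase_level_name "$level" >/dev/null || { echo "invalid level: $level" >&2; return 1; }
    case "$name" in
        ''|*/*) echo "invalid volume name" >&2; return 1 ;;
    esac
    escaped=$(printf '%s' "$name" | sed 's/[^A-Za-z0-9._-]/\\&/g')
    printf 'diskutil secureErase freespace %s /Volumes/%s\n' "$level" "$escaped"
}

# Constructed sample of `diskutil info` output (on a Mac: diskutil info / | drive_type).
SAMPLE_INFO='   Device Node:               /dev/disk0
   Media Name:                EXAMPLE SSD (constructed)
   Solid State:               Yes'

printf '%s\n' "$SAMPLE_INFO" | drive_type
build_erase_cmd 3 'Macintosh HD'
```

The script only prints the command so it can be reviewed before it is pasted into Terminal.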


Peter Cohen
Peter will never give you up, never let you down, never run around or desert you. He also manages the Backblaze blog.

  • Mary Sue

    Is there a way to see what data is recoverable? Ok, so I am nowhere near as intelligent as you guys, but help a girl out. If I did my bill paying and banking on it, are account numbers or logins recoverable?

  • Most SSDs have a “security erase” command you can send to it, and it’ll erase all the blocks in parallel, even the parts the computer doesn’t see. Takes about 2 minutes. Unfortunately, I have not found any way of sending this command from a Mac. There are various howtos out there on how to do this from Linux using the “hdparm” command, and I’ve used these successfully in the past. However, it’ll also require you to plug the drive directly into a SATA connector: USB controllers will prohibit the necessary “SCSI” commands being sent.

  • brerlappin

    Hi! What would you recommend doing for Fusion Drives? Thanks!

  • I don’t recall the title or author but I found an academic paper which found that you could “logically” secure-erase an SSD such that the SSD itself would not give up any securely-erased bits, but that, depending on the methods of how the hard drive was assembled, &c. they were able to disassemble some SSDs, pull the chips out, and without too much effort they could still read several fragments of the “securely erased” data.

    The take-away being that unless you really really really know how the drive is built, &c. you can not reliably “secure erase” an SSD if you are really really really paranoid about your data.

    The good thing is that if you are merely really paranoid, then the very first thing you’ll do on a new Mac is to activate FileVault and set a difficult-to-crack password. That way, the data on the chips doesn’t mean jack unless you supply credentials to unencrypt it. No need to “secure erase” if you “secure write” your data …

    -d

    • “The good thing is that if you are merely really paranoid, then the very first thing you’ll do on a new Mac is to activate FileVault and set a difficult-to-crack password.”

      Good plan! I’m actually covering FileVault in more depth in a new blog post.