{"id":24208,"date":"2019-02-06T16:05:13","date_gmt":"2019-02-06T21:05:13","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=24208"},"modified":"2019-02-06T16:08:42","modified_gmt":"2019-02-06T21:08:42","slug":"secure-erase-and-mojaves-disk-utility","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/02\/06\/secure-erase-and-mojaves-disk-utility\/","title":{"rendered":"Secure Erase and Mojave’s Disk Utility"},"content":{"rendered":"

Howard Oakley<\/a>:<\/p>\n

\n

The snag is that Disk Utility won’t overwrite an SSD’s free space in the way that it does with hard disks. It pretends to offer the same three secure erase options, but in fact none of them does what the dialog says. Indeed, in Sierra they aren’t even available, which is perhaps a little more honest.<\/p>\n

In Mojave, all three secure erase options offer is that the original APFS volume is completely deleted, with any Preboot and Recovery directories, and it is then added back as a new volume. This will destroy all APFS data about the original volume, but the file data for that volume will remain on the SSD. Although at present there appear to be no macOS utilities which can reconstruct such a removed volume, that situation will change in the future.<\/p>\n<\/blockquote>\n\n

Howard Oakley<\/a>:<\/p>\n

\n

To perform the secure erase which it describes, you have to use the diskutil<\/code> command in Terminal instead, using a command of the form<\/p>\n

diskutil secureErase freespace 2 \/Volumes\/volumeName<\/pre>\n
which is an even slower process.<\/p>\n
Before using diskutil secureErase<\/code>, you should read man diskutil<\/code>, where Apple cautions:<\/p>\n
This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly “erased” by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).<\/p><\/blockquote>\n
[…]<\/p>\n
It isn’t possible to encrypt an existing APFS volume non-destructively using Disk Utility, and in some cases when attempting to erase and reformat a volume, Disk Utility returns “an internal state error” and fails to perform the operation.<\/p>\n<\/blockquote>\n\n
Previously:<\/p>\n