Completely erasing the disk on a MacBook Pro

  • Tue 22 November 2016
  • misc

I recently had occasion to "completely" (or nearly so) erase the disk on a MacBook Pro with a solid state disk. There are varying assertions about "you don't need to worry about doing that if you have an SSD" and "you don't have to worry if the disk is encrypted with FileVault 2" (mine is, but the machine is tied to LDAP, and there may be ways for a "second account" to log in/unlock the disk). One can never be too careful when there have been things like SSH keys and X.509 certs on the machine - stuff that really needed to go away for sure.

The first plan that came to mind was that I should delete the files that I cared about and then run the "security erase free space" command from the Disk Utility GUI. The problems here were twofold: first, I don't trust myself to remember every single one of those files that needed to go away, and second, it turns out that Apple has removed that command from the Disk Utility GUI if you have an SSD, on the grounds that you "don't need it".

It turns out that you can still do this from the command line (you have to be root of course), like so:

{% raw %} diskutil secureErase freespace (level 0-4) /Volumes/(Drive Name) {% endraw %} or more to the point: {% raw %} diskutil secureErase freespace 1 /

Valid values for "level" are:

    0 - Single-pass zeros.
    1 - Single-pass random numbers.
    2 - US DoD 7-pass secure erase.
    3 - Gutmann algorithm 35-pass secure erase.
    4 - US DoE 3-pass secure erase.

But back to problem #1... I can't guarantee I got rid of all the important stuff (keychain, random cert files, etc) and I want to hand over a machine that shows a blinking "?" folder when powered on. I'm not terribly worried about remapped sectors or anything like that, but I still want to do a complete-plus wipe.

This turned out to not be such a tall order. First item to do was scare up a nice fast thumb drive (cuz I'm impatient) and turn it into a bootable El Capitan thumb drive.

Next, I booted it, using option-boot and selecting it as the boot volume.

When we got to the "To set up the installation of OS X, click Continue" screen, I launched a terminal from the Utilities menu.

Yup, command-line diskutil is here too. Convenient. I ran:

{% raw %} diskutil list

and perused the output to make sure that as expected, the internal hard drive was disk0 (it was).

Then I ran:

{% raw %} diskutil secureErase 1 /dev/disk0

which failed the first time due to a "resource busy" error, but after rebooting, using the Utilities->Disk Utility GUI to erase the Macintosh HD partition, unmounting that partition, and then running diskutil secureerase from a terminal, I was rewarded with a progress bar that suggested I had about four and a half hours till completion.

So, did I "completely" (you saw the quotes in the opening paragraph right?) erase the disk? Mostly. Or rather a whole lot more than I would have gotten by just doing the free space overwriting which Apple (correctly) removed from the disk utility tool.

The SSD actually has more blocks in it than it presents to the system (overprovisioning). If you delete a file, the blocks are put on a delete-future list, not necessarily deleted immediately. Also, there's wear-leveling (shuffling which physical blocks get written when rewriting the same logical block, so you don't polish a hole in your flash media). You can't get at this "hidden" block pool without using specialized manufacturer's tools. But this is as close as we are likely to get without issuing the ATA or SCSI commands to erase the drive; those don't necessarily work so well (depending on drive model and manufacturer; a lot are buggy)...

How big is the overprovisioning? According to Kingston, somewhere between 7% and 28%. That should be enough to give one pause, as there may be data sitting around that's not yet overwritten, but at this point we've done our best.

There are some interesting papers out there about performing forensics on SSD systems that go over the particulars here.