Everyone needs to securely erase data at some point—even on a Mac. After all, securely erasing your data ensures your personal and private information does not end up being found and abused by someone else.
So, when should you erase data from your Mac? A few common scenarios that warrant a secure wipe of your drive include:
- The Mac is sold or donated
- A hard drive is replaced (think upgrades)
- The Mac is not yours and needs to be handed over (Apple Store loaner or a Mac that belongs to your work)
- A hard drive is being trashed
What if I have nothing to hide?
There are plenty of users out there who say, "It's ok, I have nothing to hide," when issues like these are brought up. But how much would you bet that almost everyone who says these things also have a front door on their home, locked when they're sleeping, and curtains covering their windows for privacy, as well as passwords protecting their email accounts to keep others out? Odds are everyone does these things.
Nothing to hide, huh? 😉
Whether it's the NSA, a burglar or someone who rummages through garbage for old hard drives with the intention of extracting data, we can rest assured (or not so much) that there are people out there who are after your data. Targeted or by accident, if a nefarious individual gets their hands on your data, you can very well end up in trouble.
Why would hackers target the data on your Mac?
In all of the above mentioned scenarios that warrant a secure wipe of your drive, your data is leaving your possession, so making sure it is properly deleted is paramount. Whether your Mac is used to store school work, projects at work, personal files or just used for browsing the web, information from that Mac is valuable to someone other than you. Some of the things that can happen if data recovered from your old Mac or hard drive can be devastating, including:
- Identity theft
- Employment-related fraud
- Loan fraud
- Credit card fraud
- Phone or utilities fraud
- Bank fraud
- Government benefits fraud
- Tax fraud
- Get hacked
Your browser history, auto-saved names and passwords in your browser, email contents, sensitive documents, like tax returns, are all very valuable to someone who knows how to use it against you. Also think of photos, videos, chats and again email contents that may include sensitive and personal content that can be used to blackmail you or destroy your reputation.
Of course, you can keep every hard drive and flash drive you've ever owned to reduce the chances of the above happening, but after a while this method starts taking up a lot of space. So the next best thing is to securely erase them.
How do you securely erase a hard drive?
Even though all new Macs these days come with Flash storage (which I'll cover later), there are still plenty of hard drives around and in use today. Whether it's a hard drive in an older Mac or an external hard drive, if it is accessible, you can use Disk Utility to securely erase it. Here's how:
- Open Disk Utility via your Applications > Utilities folder.
- Select the hard drive you want to securely erase from the list of available drives in the left column. (Make sure you select the drive and not the partition.)
- Once selected, click the "Erase" button.
- A window will pop up asking you what to name the drive after erasing is complete, and how you want to format it. The default settings are good as is, but you can name it if you want to. Click the "Security Options" button at the bottom of the window.
- Another window will pop up where you can select how thoroughly you want to erase the drive. As the default option indicates, it is the fastest way to erase a drive, but data recovery applications may be able to recover your files. While careful wording on Apple's part, with the slider at its default, data recovery software is definitely able to recover your files. Adjust the slider and read to see what each security option does.
- Security Option 1 (Fastest) - This option does not securely erase the files on the disk. A disk recovery application may be able to recover the files.
- Security Option 2 - This option writes a pass of random data, and then a single pass of zeros over the entire disk. It erases the information used to access your files and writes over the data two times.
- Security Option 3 - This option is a DOE-compliant 3-pass secure erase. It writes 2 passes of random data followed by a single pass of known data over the entire disk. It erases the information used to access your files and writes over the data 3 times.
- Security Option 4 (Most Secure) - This option meets the US Department of Defense (DOD) 5220-22 M standard for securely erasing magnetic media. It erases the information used to access your files and writes over the data 7 times.
"Maximum" secure cleaning tip: Wish you could overwrite files with more than 7 passes as allowed by Disk Utility? Intego's Mac Washing Machine can overwrite files with 35 passes of random data before deleting them, offering maximum security.
Which Security Option should you choose?
From the available options that Disk Utility provides, Security Option 1 is, of course, the least secure. Someone will be able to recover your data without much effort. Security Option 4 is the most secure, but it is also widely believed to be a waste of time and electricity. Personally, I always go with option 2, but if you want to feel more confident your data is securely erased, or if you must comply with company rules, use option 3 or 4. As long as you don't use option 1, your data will be gone.
This works for any hard drive, internal or external. Just be aware that if you want to properly erase the hard drive that is also your startup drive, you will have to start your Mac from an external media first. (An external hard drive or thumb drive will do.) For help creating a bootable external drive, have a look at Apple's page here, or use a popular tool such as DiskMaker X. As you can imagine, having an external bootable drive or installer drive can come in handy.
How do you securely wipe a Mac SSD?
Because Solid State Drives (SSD) and Flash Drives store data differently, a secure erase with Disk Utility is not possible. Even if it was possible (sometimes Disk Utility gives you the option when it shouldn't), it is not recommended to do so. Writing a pass of all zeros on an SSD may actually wear down the memory cells more and could affect reliability. While this may not be the case anymore with current SSD technologies, Apple took the option out of Disk Utility for a reason.
Some people say that the standard erasing of an SSD makes data recovery hard enough for it to be "secure." Others say that securely erasing an SSD is very hard to do, so any technique used is insecure. Technology such as wear leveling, which tries to ensure each memory block on an SSD is used the same amount of times, can really mess with a secure erase. Disk Utility may think it has written zeros or random data to the whole disk, but on the SSD itself, wear leveling may have actually left certain blocks alone—as pointed out by the Electronic Frontier Foundation (EFF):
This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it—and that’s why secure deletion with SSDs is so much harder.
If we can't be confident an SSD was properly erased, then there is only one route to take that will ensure all data is beyond the reach of anyone: Using encryption.
By using FileVault to encrypt the drive (startup drive) and Disk Utility to encrypt external drives, all the data on the drive will be garbled, unless someone has the encryption key (your password). If you want to know how to use FileVault and/or encrypt external drives, have a look here.
Now, when it comes time to part with your drive, all you have to do is a basic erase in Disk Utility. This will delete your encryption key, leaving nothing but garbled data on the drive. Without a way to decrypt the garble, even if all of it is recovered, it will be useless. Of course, you can apply this to hard drives as well, but as those have actual secure erase options available, it's better to use those.
What if the drive is not accessible?
If you are unable to mount the drive, whether it's a hard drive or solid state drive, tools like Disk Utility won't help you. You might think that if you can't access it, neither will someone else. Unfortunately, this is not the case. While a dumpster diver won't go through the trouble of repairing the drive, someone with more time, deeper pockets and more motivation certainly can. Hard drive platters can be extracted from the drive enclosure and read out using specialized equipment. If the controller is the problem, it can be replaced to make the drive functioning again.
For drives that are not accessible, there is only one option to ensure the data is unrecoverable: Smash it to bits.
Professional data recovery companies can extract data from drives that were under water for long periods of time—or even in a serious fire. Smashing a drive is your best bet to ensure the data is unrecoverable, or at least very, very time consuming and expensive to recover. Smashing a hard drive with a sledgehammer or baseball bat is strangely satisfying too, but unless you open the enclosure to make sure the platters or chips are pulverized, even a few well-placed hits may not be enough to destroy your data.
Of course, there is also a health hazard with debris flying around. So take precaution with this fun, albeit super destructive, method to securely erase data.
A professional service that uses hard drive shredders is a safer and probably more effective option. Hard drive destruction services from PROSHRED is one example. That said, if you think you can do better than this, or if a professional service is not in your budget, or if you simply believe smashing it with a hammer is more satisfying, have at it! Just make sure you take the necessary safety precautions.
Go forth and securely erase your data...
You can use FileVault and Disk Utility to encrypt startup drive and external drives, use a 7-pass wipe in Disk Utility or overwrite files with 35 passes in Mac Washing Machine, hire a professional shredding service or use a combination of these methods. Either way, with these methods you can be sure your data does not end up in the wrong hands.
Have something to say about this story? Share your comments below!