Secure Erase SSD/Fusion Drive pre-T2

dada_dave

I'm getting rid of a couple of early Macs that are pre-T2 and would like to donate one (2013 iMac) and sell the other (2017 MacBook Pro). Neither was encrypted by FileVault before erasure. I understand why SSDs don't have the same overwrite mechanism as the earlier magnetic drives. I also know that post-T2 and now, Apple Silicon, the hard drives are encrypted by default. I believe that, like a modern iPhone, when one does an erase all content that it trashes the encryption keys and redoes them, effectively rendering the data unreadable. However, for SSDs without said encryption (or FileVault turned on) if I erase from Disk Utility and reformat the drive, how secure is the erase? I've read some people say that SSD data recovery for drives with TRIM enabled that have been told to erase themselves and reformat from Disk Utility is basically impossible, encryption or not - in fact that ATA Secure Erase is the same thing as a full device TRIM. But others have said that ATA Secure Erase/TRIM is not really that secure. I'm not capable of judging those claims and most of those people are unknown to me so I'd like to solicit some knowledge here (and please feel free to correct anything else I've said that might be wrong).

For the Mac with the Fusion drive of course I'm SOL unless I go into Terminal from Recovery and manually erase the magnetic hard drive with multiple 0s and 1s even if the SSD portion is basically gone. Which I might do, though the 2013 iMac with said drive is so old that I do wonder if even donating it to charity is worth it for the charity, and I'm especially leery if I haven't securely erased the drive.
 

Nycturne

> But others have said that ATA Secure Erase/TRIM is not really that secure. I'm not capable of judging those claims and most of those people are unknown to me so I'd like to solicit some knowledge here (and please feel free to correct anything else I've said that might be wrong).

I think I fall into this type of camp. The issue is that you need to guarantee that the SSD stomps all the blocks, including the reserve blocks. And how do you confirm that? OEMs might provide tools, but those might not exist for your specific drive. Is the drive self-encrypting which means there's an internal key to smash for secure erase? And how does a particular OEM do secure erase if this isn't the case? It leads to a giant pile of "It depends".

My take is that if you have data that you cannot afford the risk of someone else recovering, you are better off introducing the drive to a drive destruction service than a recycler/charity. For something like a 2013 iMac, I would consider seeing if a PC-specific group (We have RE-PC in Seattle for example) might take it without the drive, or if it is worth throwing in a cheap replacement SATA drive before donating it.

This was true even in the spinning platter era to be honest, we just lost the ability to address the storage more directly with SSDs thanks to the need to wear level.
 

dada_dave

Ah well. Sounds like I'll just be delivering both to Apple for recycling then (they promised to fully physically destroy any drives, hopefully they actually do - I don't have the time/energy for much else). I should've FileVaulted before erasing, lesson learned. Although I suppose an unnecessary lesson going forward? After all for the new Apple Silicon Macs this shouldn't be an issue right? Even without FileVault, correct me if I'm wrong but the SSD encryption keys are trashed and remade rendering the drive unreadable, correct?

Thanks for the reply!
 

Nycturne

> Although I suppose an unnecessary lesson going forward? After all for the new Apple Silicon Macs this shouldn't be an issue right? Even without FileVault, correct me if I'm wrong but the SSD encryption keys are trashed and remade rendering the drive unreadable, correct?

Yes, T2 and Apple Silicon Macs encrypt the internal drive by default. The only difference is if the drive's encryption keys are protected by your password or not.

External drives still need to be managed by you using FileVault.
 

mr_roboto

For what it's worth, if I need to erase a pre-T2 Mac with an SSD, I find a Linux distro known to work well on pre-T2 Macs, make a boot USB stick, boot that, and use hdparm to perform an ATA Secure Erase on the SSD.

That said, ATA SE is not always great. The spec leaves enough wiggle room for drives to implement it in very different ways, and of course in the world of disks there's also always bugginess and incompetence.

You mention doing the equivalent of TRIMming every block. This would leave the flash media intact, and therefore theoretically recoverable by an attacker who dismantled the SSD and scanned out the flash chips using a different controller. I believe this is technically not a legal implementation of Secure Erase, but once again, disk firmware is involved, so you never know.

The better ways of implementing Secure Erase are cryptographic erasure (data is always encrypted and thus the controller can cryptographically erase the drive by destroying the old key and creating a new one), or erasing every block. Some drives really do implement the latter despite it costing the entire media one R/W cycle; you can't beat this method for its totality.

(It goes a lot faster than you might expect, because erase blocks are so huge and the entire block gets erased in one operation. The throughput of erase is generally at least 10x the raw write throughput, if not more. Nevertheless, full erase is still lots slower than crypto key destruction. My rule of thumb is that less than 5 sec hints the drive's either doing crypto key destruction or has insecure firmware which doesn't really securely erase the media, and greater than 10 sec means it's probably erasing everything.)
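
The hdparm procedure and the timing rule of thumb from the post above, as an added example that is not part of any poster's message: it checks the drive's ATA security state before issuing the erase, then classifies the elapsed time. The function names, the temporary password and the sample identify text are assumptions constructed for illustration, and the "inconclusive" label for 5 to 10 seconds is added here because the post gives no verdict for that range.

```shell
#!/bin/sh
# Added example: pre-flight check and timing heuristic around ATA Secure Erase.
# SAMPLE_IDENTIFY is constructed text in the layout of `hdparm -I` output
# (real output indents with tabs; the parser accepts spaces or tabs).
SAMPLE_IDENTIFY='Security:
    Master password revision code = 65534
        supported
    not     enabled
    not     locked
    not     frozen
    not     expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Reads `hdparm -I` text on stdin; prints ready | frozen | locked | unsupported.
security_state() {
  awk '
    /^Security:/ { insec = 1; next }
    { c = substr($0, 1, 1)                    # unindented line ends the section
      if (insec && NF && c != " " && c != "\t") insec = 0 }
    insec {
      neg = ($1 == "not"); word = neg ? $2 : $1
      if (word == "supported") supported = !neg
      if (word == "frozen")    frozen = !neg
      if (word == "locked")    locked = !neg
    }
    END {
      if (!supported)  print "unsupported"
      else if (frozen) print "frozen"
      else if (locked) print "locked"
      else             print "ready"
    }'
}

# The rule of thumb from the post, applied to whole elapsed seconds.
classify_erase_time() {
  if [ "$1" -lt 5 ]; then echo "key-destruction-or-no-real-erase"
  elif [ "$1" -gt 10 ]; then echo "probably-full-block-erase"
  else echo "inconclusive"; fi
}

# Usage (as root): timed_secure_erase /dev/sdX   -- destroys all data on it.
timed_secure_erase() {
  dev=$1; pw=erase                            # arbitrary temporary ATA password
  state=$(hdparm -I "$dev" | security_state)
  [ "$state" = ready ] || { echo "refusing: state is $state" >&2; return 1; }
  hdparm --user-master u --security-set-pass "$pw" "$dev" || return 1
  start=$(date +%s)
  hdparm --user-master u --security-erase "$pw" "$dev" || return 1
  classify_erase_time $(( $(date +%s) - start ))
}
```

The timing result only narrows down which erase method the firmware used; it does not prove that the flash contents are gone.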
 