Erasing Hard Drive - No More "Secure" Options?

I have an SSD in my MBP and have NO secure option in Disk Utility; as I installed it, I have decided to take a hammer to it and reinstall the original hard drive if it dies or I'm going to sell the MBP. I do not trust any of the available options as none are really secure or safe, especially after reading that secure erase never really was secure.

M5Marco wrote:

... however I have no other drive to test this theory out.

If you erase the SSD & it is the only drive you have you will lose everything that was on it. Is that really what you want to do?

From my perspective: absolutely, yes. That is all I've ever used for an erase and install (if I'm not selling it). The data will be overwritten sooner or later on a regular HD - SSD not so much.

Per Apple, Secure Delete does not work on SSD devices, and accordingly has been removed. The associated details were in a security report
identified as CVE-2015-5901, and this behavior is specifically mentioned in About the security content of OS X El Capitan v10.11 - Apple Support.

SSD doesn't deletem doesn't erase and doesn't overwrite in the same way as hard disks did, so overwrites are — until you flush the entire cache of TRIMmed data within the SSD repeatedly — futile. What you asked to have multiply-overwritten — until the cache of pre-erased "free space" has been repeatedly flushed — hasn't been.

The whole basis for using multiple overwrites — that the exactly read-write head alignments varied slightly on hard disks, and you could potentially access deleted data by offsetting the heads slightly — also does not apply to SSDs.

Simply deleting the SSD data with whole-disk encryption will get most folks where they want to be here.

If you're still working with hard disks, then you can use the srm command.

M5Marco wrote:

Potential eventually for an SSD to start acting up and going corrupt if this old data starts tripping it up for one reason or another?

As far as the file system is concerned, the old data doesn't exist so in that respect it doesn't matter if the drive (SSD or spinning) is erased normally or securely. In fact, most of the secure erase algorithms that have been used for decades on spinning disks write random data patterns to them, which can no more trip up the drive than the old data pattern could.

The only benefit of a secure erase -- no matter what data pattern it uses -- is to make the data unrecoverable. That's why it is called a security erase & not a magic-keep-the-drive-from-acting-up one.

The referenced Apple tech paper says:

Available for: Mac OS X v10.6.8 and later

Impact: The "Secure Empty Trash" feature may not securely delete files placed in the Trash

Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the "Secure Empty Trash" option.

Note that this seems to indicated flash storage, not disks. But, whatever. I have learned in this thread that it is impossible to run out of room on a hard-drive, because you can never write over all the data. Thus there must be blocks always available, right? If you start at block A and step through every byte, until you reach block Z, you indeed will write over all the data. The disks will probably skip bad bytes and blocks, which means they are bad and not-recoverable, anyway. Or we can do it the hard way and randomly write data, here and there, and hope we erase what we are worried about.

M5Marco wrote:

So what does one do when selling a Mac with an SSD. Sell it without a hard drive?

Will a simple erase (the only option Apple offers me) suffice for a home use user who wants to "erase and start over" and reinstall OS fresh? All this old data just sitting on the disk from previous OS installs.

Also should I refrain from erasing the SSD as I understand it deteriorates the drive?

Overwrites don't work the same on SSDs as they do on hard disks — hard disks use the same storage area — the same sector — for each rewrite and for overwrites, up until when that sector gets an error and the host then revectors the storage to a spare block. (Downside of revectoring, the old data can still be readable, even if there are errors in it. Use drive encryption.) Unlike hard disks, SSDs keep a pool of erased blocks handy — this pool is managed with the TRIM command and drive firmware — and SSDs then remap the storage address that OS X uses for the location of that erased data — the OS X sector address stays the same, but the mapping to the storage changes — as erasing SSD storage is very slow. This means that — unlike hard disks — the storage location changes on each rewrite of a sector of SSD storage. This then leads the data security erase (srm, secure delete, etc) to be fundamentally problematic on SSD. Hence its removal.

As for your question... In some high-security or highly-sensitive environments, folks will not sell systems with an SSD or with a hard disk, yes. They'll have specific procedures for erasing or for physically destroying the disk or SSD. Most folks aren't in these sorts of environments, but if you are — if you are in a commercial or government environment — then check with your IT organization for the local guidelines and recommendations for data disposal.

Okay, now to the part that matters for most folks... In general, enable FileVault 2. If it's not already enabled. Like backups, you want this. Use a decent password for the encryption. Without knowing this password, the disk is effectively filled with junk. Always. This means that if the SSD or the MacBook Pro is lost or stolen, the data is not accessible. This means that when the device is no longer needed and due for retirement or sale or disposal, the data is not accessible. Even the stuff in the trash is not accessible.

When you're done with the Mac, follow the Apple instructions.

Yes, an SSD overwrite will be enough for most folks. Particularly if you're overwriting a disk that was previously protected with FileVault 2.

Yes, SSDs do have a write limit — a total capacity that needs to be written — but that limit is usually far past what most folks realize. Hard disks also have a useful limit, and — worse — the SMART data is not predictive of many common failures. In short, catastrophic failures are common with motorized rotating-rust storage devices, too; with hard disks.

I don't know the lifetime specs on the Apple SSD drives (nor even if they're published anywhere), but other vendors do report the whole-disk-writes per day, such as for a variety of SSD devices from HPE — DWPD, the drive writes per data; the number of times the whole disk is written each day, for five years. You're probably not writing the whole disk several times a week, which is the very low-end of the cheapest of the SSD devices available from HPE, too.

Again, I don't know what Apple specifies here (nor if they report terabytes or petabytes written; TBW, PBW), but go have a look at the SMART data for a well-used SSD and see what it reports, as has been suggested by some folks. (That link also as a DWPD - TBW conversion.) Samsung publishes a terabytes-written (TBW) specification. With that data, you'll have some idea of how much "wear" actually exists for your particular use.

Skippy Stone wrote:

Note that this seems to indicated flash storage, not disks. But, whatever. I have learned in this thread that it is impossible to run out of room on a hard-drive, because you can never write over all the data. Thus there must be blocks always available, right? If you start at block A and step through every byte, until you reach block Z, you indeed will write over all the data. The disks will probably skip bad bytes and blocks, which means they are bad and not-recoverable, anyway. Or we can do it the hard way and randomly write data, here and there, and hope we erase what we are worried about.

For hard disks — and ignoring revectored (bad) blocks — yes.

For SSDs, the overwrite involves the entire disk plus the capacity of the pool of spare blocks.

It's the secure delete that does not work the same with SSDs as it did with hard disks.

The deleted data in an SSD eventually gets erased and released into the free pool and ready for use later.

As mentioned in my earlier reply, sectors don't have fixed mapping on SSDs. This for various reasons not the least of which is that the erasure process is slow, and because it's beneficial to level the wear across all of the available storage rather than wearing out one or two specific sectors.

A request for a multiple-overwrite does nothing useful with an SSD, as it's not actually overwriting the same physical storage each time. It's just churning through the free pool, uselessly writing to various parts of the SSD. If you blow through the free pool, then the data will get erased — but it's erased secondary to the erasure process that the SSD does with each sector before it can be reallocated and reused, and not due to the erasure request.

Not until the deleted data goes through the erasure process — or the whole drive gets a security erase — is the data from the original deletion actually deleted.

Not that getting at the data that's still in the storage that's pending an erasure is at all easy, either.

Typical end-user of a Mac that's preparing for sale or disposal? Wipe the disk and reload OS X, and you're very likely fine. Use FileVault 2 for best results here, too.

If you're operating in an environment with specific disposal requirements or extremely sensitive information, then please check with the folks in your organization that deal with these questions directly, or chat directly with somebody that specializes in the area of data and hardware disposal.