How to Secure Erase / Zero Out external hard drive in El Capitan?

Let me put my Bite My Tongue mode on lest the censors here delete this thread as they seem to do if a frustrated user points out serious flaws in current versions of Mac OS El Capitan.


Maybe I am missing something, but the cartoonish Disk Utility is not showing me an obvious place to find an option to Secure Erase (zero out) an external hard drive. The unhelpful Help File clearly states it is "one of the secure erase options in Disk Utility" but I can't seem to find it.


Can someone please let me know where to look so I can zero out yet another defective Western Digital external drive.


Thanks.


IMRAN

MacBook Pro with Retina display, OS X El Capitan (10.11.1), 2X iPhone6S+/6+/4S,NikonD300.iPad3

Posted on Nov 26, 2015 7:37 PM


Apr 27, 2016 10:46 AM in response to IMRAN

Since this showed up in my search, I figured I would post how to do this from the command line. Note that for my disk, the "Security Options" button does not appear on that screen (it is an old 160 GB drive)...


Step 1: Identify the device using diskutil list. In my case, this was a 160 GB drive that previously held Linux. I underlined my disk below.

    $ diskutil list
    /dev/disk0 (internal, physical):
       #: TYPE NAME SIZE IDENTIFIER
       0: GUID_partition_scheme *500.3 GB disk0
       1: EFI EFI 209.7 MB disk0s1
       2: Apple_CoreStorage Macintosh HD 499.4 GB disk0s2
       3: Apple_Boot Recovery HD 650.0 MB disk0s3
    /dev/disk1 (internal, virtual):
       #: TYPE NAME SIZE IDENTIFIER
       0: Apple_HFS Macintosh HD +499.1 GB disk1
          Logical Volume on disk0s2
          8FC580CC-1577-4B34-8EC3-9741EE1321C8
          Unlocked Encrypted
    /dev/disk2 (internal, physical):
       #: TYPE NAME SIZE IDENTIFIER
       0: FDisk_partition_scheme *128.7 GB disk2
       1: Apple_HFS SD Card 128.7 GB disk2s1
    /dev/disk3 (external, physical):
       #: TYPE NAME SIZE IDENTIFIER
       0: GUID_partition_scheme *1.0 TB disk3
       1: EFI EFI 209.7 MB disk3s1
       2: Apple_CoreStorage Time Machine Disk 999.9 GB disk3s2
       3: Apple_Boot Boot OS X 134.2 MB disk3s3
    /dev/disk4 (external, virtual):
       #: TYPE NAME SIZE IDENTIFIER
       0: Apple_HFS Time Machine Disk +999.5 GB disk4
          Logical Volume on disk3s2
          21DD3F59-ECE6-43BC-BE77-F2B003A241F2
          Unlocked Encrypted
    /dev/disk5 (external, physical):
       #: TYPE NAME SIZE IDENTIFIER
       0: FDisk_partition_scheme *160.0 GB disk5
       1: Linux 524.3 MB disk5s1
       2: Linux_LVM 159.5 GB disk5s2



Step 2: Use the diskutil secureErase command to erase the disk.


    $ diskutil secureErase 1 /dev/disk5
    started erase on disk5
    [ \ 0%................................................. ] 3% 3:29:40
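
Added example (not part of the original post, and not Apple's code): a Python check that can sit in front of Step 2, so the erase command is only built when `diskutil list` marks the target as an external, physical whole disk. The sample listing is constructed from the headers shown above, and `parse_devices` and `erase_command` are hypothetical helper names. Per the diskutil man page, level 0 is a single-pass zero fill, while level 1, used in the post, is a single-pass random fill.

```python
import re

# Constructed sample: device headers as printed by `diskutil list` in the
# post above, with most partition rows left out.
SAMPLE_LIST = """\
/dev/disk0 (internal, physical):
   0: GUID_partition_scheme *500.3 GB disk0
/dev/disk1 (internal, virtual):
   0: Apple_HFS Macintosh HD +499.1 GB disk1
/dev/disk4 (external, virtual):
   0: Apple_HFS Time Machine Disk +999.5 GB disk4
/dev/disk5 (external, physical):
   0: FDisk_partition_scheme *160.0 GB disk5
   1: Linux 524.3 MB disk5s1
"""

HEADER = re.compile(r"^(/dev/disk\d+) \(([^)]*)\):\s*$")
# secureErase levels as listed in the diskutil man page.
LEVELS = {0: "single-pass zero fill", 1: "single-pass random fill",
          2: "7-pass", 3: "35-pass Gutmann", 4: "3-pass"}


def parse_devices(list_output):
    """Map each whole-disk node to its attribute set, e.g. {'external', 'physical'}."""
    devices = {}
    for line in list_output.splitlines():
        match = HEADER.match(line)
        if match:
            devices[match.group(1)] = {a.strip() for a in match.group(2).split(",")}
    return devices


def erase_command(list_output, device, level):
    """Return the argv for `diskutil secureErase`, refusing risky targets."""
    if level not in LEVELS:
        raise ValueError(f"unknown secureErase level: {level!r}")
    attrs = parse_devices(list_output).get(device)
    if attrs is None:
        raise ValueError(f"{device} is not a whole disk in the listing")
    if not {"external", "physical"} <= attrs:
        raise ValueError(f"{device} is {sorted(attrs)}, not an external physical disk")
    return ["diskutil", "secureErase", str(level), device]


if __name__ == "__main__":
    print(" ".join(erase_command(SAMPLE_LIST, "/dev/disk5", 1)))
```

On a Mac the first argument would be the captured output of `diskutil list`, and the returned list can be passed to `subprocess.run` once the target has been confirmed by eye.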

Nov 27, 2015 12:46 PM in response to IMRAN

Disk Utility is not showing me an obvious place to find an option to Secure Erase (zero out) an external hard drive.

I was able to zero an external drive. And since erasing an external drive was your stated goal, why didn't you select an external drive instead of your internal Apple SSD?


And Disk Utility is not going to knowingly erase the boot drive, which it appears you have selected for your screen shot.


And it turns out disk drives and SSDs make it extremely difficult to perform a true guaranteed secure erase, as the rotating devices perform sector replacement where knowledgeable individuals can recover data from it after a secure erase, and SSDs never write to the sector where the data is stored, then always write to a new sector, and must move the original sector to a garbage collection area, where again knowledgeable individuals can recover your data. As a result it is not wise to declare something 'secure' when it isn't.


Finally, writing zeros on an SSD, besides not actually zeroing what you think you are zeroing (as in it can leave a few gigabytes of your original data still accessible), the zeroing also shortens the life of the SSD. SSDs have a limited number of writes per sector before the material physically wears out. The SSD does wear leveling to help avoid this, but zeroing an entire SSD (or worse 7 or 35 pass random patterns), can seriously reduce the life of the SSD.

With SSDs, it is better to operate them full time as FileVault encrypted drives and then as Barney-15E suggests, just do a reformat which will throw away the old encryption key and then sectors will just be a bunch of random bits. No need to write any zeros and shorten the life of the SSD.

Nov 27, 2015 1:18 PM in response to BobHarris

Well, Bob, during that time the disk I was trying to secure erase stopped mounting and failed so Disk Utility's screenshot showed the internal SSD as chosen. Whether writing zeros on an SSD shortens the life or if it matters to the user or not is not the stated question. But, yes, I would never do dozens of full write passes on limited writable life SSDs, but your comment about that will surely be useful to many.


I know the system won't let it format or erase my primary drive. But, here is the same Disk Utility with a different disk chosen (which I do not wish to erase but just chose it to take this screenshot). Your screenshot applies to some Recovery Partition, which is also not my stated target to secure erase. Can you tell me where you see the option to Secure Erase it for my external data disk in Disk Utility here?


Thanks.


Imran


Sep 15, 2016 7:58 AM in response to RobAle

I'm still at a loss here because I have the same issue. While secure deleting multiple USB drives, I had no problem on other USB sticks until I ran into this with 2 other stick drives. Is it the USBs or was there an update during my process that took out the secure delete features? Added a screen shot - I'm on OS X El Capitan 10.11.6, using Disk Utility 15.0.

If there's a 3rd party program that you recommend for secure wipe of USBs, please comment. Thank you.



Nov 27, 2015 2:24 AM in response to IMRAN

There are various workarounds available.


  1. You could do this via the command line in Terminal.app, just like you can do RAID operations to replace that lost functionality as well
  2. You can copy the Yosemite version of Disk Utility.app and hack that into working
  3. You could connect the drive to a Yosemite (or earlier) Mac
  4. Or you could create a bootable USB stick that does nothing but offer a secure erase facility - see this free tool https://www.paragon-software.com/home/dw-mac/

Dec 9, 2015 4:02 PM in response to iuser1985

- This is unrelated to my above questions, but can someone recover deleted files off of an SSD drive in the same way one can on a traditional disk drive? (i.e. is there any point to doing a multi-pass wipe of an SSD drive)

Yes. It just requires different technology. But there are people with those skills. Although there is a shelf life to the data if the SSD is actively being written to.


An SSD sector can ONLY be written to ONCE, and then it must have a special process applied that resets the sector so it can be written to again. Zeroing is not a reset, it is a totally different process.


For each write the SSD remaps the target sector into the garbage collection pool. It then maps a previously reset sector at the logical offset you wish to write. It then applies your write to the sector. It does this for every write you do. That is to say you NEVER overwrite your data. It is always moved into the garbage collection pool. If you do a 7 pass erase, it will just keep remapping the target offset into the garbage collection pool. So the garbage collection pool will have your original data, and 7 copies of random data. And of course each of the sectors with those 7 copies of random data just had their life shortened by 1 write cycle.


SSDs might have a write life of from 1,000 writes to 10,000 writes (they are getting better on the life of the writes, but it is still not a huge number). The SSDs get around this by A) they do wear leveling to avoid writing to the same sector too many times. B) they are over provisioned (a few extra gigabytes of additional sectors) so that as a group of sectors becomes unreliable, they can be retired, and the loss of storage made up for from the over provisioned pool.


The SSD CANNOT reset just 1 sector. It applies the reset to a group of sectors that may be as few as 64K, or maybe 512K, or even larger. When it needs to reset a group, if there are any still good sectors in the group, the SSD must copy the good sectors to somewhere outside the reset group, perform the remapping to make the new copy appear at the correct offset, and put the original copy in the garbage collection pool. Then it can reset the group. The reset group gets put into the ready for writing list.


So if say MOST of the reset group contains good data, then it is possible the SSD will avoid choosing that reset group to be reset and whatever data was in the part of the reset group that still has old data on it, will hang around for as long as the SSD avoids resetting that group. Remember, if just 1 out of say 128 sectors is in the garbage collection pool, to reset that pool would require doing 127 copies, shortening the life of some other sectors just to reset that 1 sector in the garbage collection pool. That is a losing proposition for the SSD, so it is not going to do that. Thus some of your data may hang around for years as long as those other 127 sectors do not change. I do not know where an SSD would choose to make that trade-off, but if you are talking about a social security number that can live in 1 sector without a problem.


Garbage collection. The SSD will, when not busy reading or writing data, attempt to reset groups in the pool and put them on the ready to write list. That way when you do a large write (think pictures, music, videos, etc...), there are lots of available sectors ready to be written, so the SSD can proceed at the fastest possible speed.

If the ready to write list becomes exhausted, then the SSD must start cleaning things from the garbage pool which A) requires the special reset operation, B) may require copying good data out of almost empty reset groups. This slows down your write speed.

NOTE: While you are using sectors from the ready to write list, you are also moving sectors being remapped into the garbage pool. So you will always have sectors to reset, it is just a matter of how much work must be done to get them ready to be written again, and if the SSD is idle so you do not notice it, or if it has to stop accepting your data while it does the resets.


An Apple SSD has TRIM enabled (3rd party SSDs can have TRIM enabled as well, but you have to manually do that). TRIM is a way for the file system to tell the SSD that it just deleted a file, and that all the storage for that file can be put in the garbage collection pool. This gives the SSD more available sectors to find entire reset groups that do not need to have good data copied out of them, which is better for the life of the SSD.


A little more on the short shelf life. Assuming you change over enough data on the SSD, then except for reset groups the SSD decides should be left alone to avoid excessive resets, over time sectors in the garbage collection pool will get reset and the original data will be gone.


NOTE: Any SSD sectors that become unreliable get retired, and those will most likely retain their data for a much longer period of time, just like a mapped out rotating disk sector that becomes unreliable.


Bottom line.

  • An SSD has a limited number of writes that the SSD goes through huge efforts to avoid writing to the same physical sector too many times (wear leveling).
  • The SSD does not overwrite your data.
  • Your data may sit in the garbage collection pool forever if the SSD decides to avoid shortening the life of the unchanged part of the reset group.


I am curious why Apple did this. I know there are concerns with people using the utility and wiping things they shouldn't, damaging their machines.

I would guess that when you say something is secure and it is not, that you open yourself up to all kinds of legal issues.


Also more and more of Apple's products are moving to SSD storage. Writing erase patterns to an SSD shortens the life of the SSD and does not actually write over what you want.


But for people selling computers and drives you would think there would be a way for people to securely remove their data. Computers have social security numbers and a lot of personal things you would think Apple would be willing to help protect when their devices are disposed of or sold?

Apple did provide something. System Preferences -> Security -> FileVault. If you have been using FileVault all along, then when you want to sell your Mac, you just reformat the storage, which destroys the keys, then install a clean copy of OS X, and you are good to go. Because without the encryption keys, all that data is just a bunch of random bits. And because you have been using FileVault from the beginning, any data sitting in the over provisioning pool, or data that has been mapped out because the sectors have become unreliable, etc... are also just random bits without the encryption keys.


Also with FileVault on, your deleted files are just a bunch of random bits.

Problem solved.
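
Added example (not part of the original post): a toy Python model of the remapping described above, showing that a 7-pass overwrite of one logical sector changes what the host reads back while the original bytes stay in a physical page. `ToyFTL` and `overwrite_demo` are hypothetical names, the "SSN" string is constructed, and the collector is an assumed simplification that never copies live data out of a block, so it is not any real controller's algorithm.

```python
import os

class ToyFTL:
    """Toy flash translation layer: a page is write-once until its block is reset."""

    def __init__(self, blocks=4, pages_per_block=4):
        self.ppb = pages_per_block
        self.pages = [None] * (blocks * pages_per_block)  # physical flash contents
        self.map = {}                             # logical sector -> physical page
        self.stale = set()                        # superseded pages (garbage pool)
        self.free = list(range(len(self.pages)))  # reset pages, ready to write

    def write(self, lba, data):
        if not self.free:
            self.collect()
        page = self.free.pop(0)            # always a fresh page, never in place
        self.pages[page] = data
        if lba in self.map:
            self.stale.add(self.map[lba])  # old copy stays until its block is reset
        self.map[lba] = page

    def read(self, lba):
        return self.pages[self.map[lba]]

    def collect(self):
        """Reset only blocks whose pages are all stale (nothing live to copy out)."""
        for b in range(len(self.pages) // self.ppb):
            block = range(b * self.ppb, (b + 1) * self.ppb)
            if all(p in self.stale for p in block):
                for p in block:
                    self.pages[p] = None
                    self.stale.discard(p)
                    self.free.append(p)

    def raw_contains(self, data):
        # What a chip-level read would see, bypassing the logical map.
        return any(p == data for p in self.pages)

def overwrite_demo(passes=7):
    """Return (host still reads secret, secret in flash before GC, after GC)."""
    ftl = ToyFTL()
    secret = b"SSN 000-00-0000 (constructed)"
    ftl.write(0, b"other live file")  # live data sharing the secret's block
    ftl.write(1, secret)
    for _ in range(passes):
        ftl.write(1, os.urandom(len(secret)))  # "secure erase" passes
    before_gc = ftl.raw_contains(secret)
    ftl.collect()
    return ftl.read(1) == secret, before_gc, ftl.raw_contains(secret)
```

`overwrite_demo()` returns `(False, True, True)`: the host no longer sees the secret, but the physical page holding it survives garbage collection because its block still contains one live page.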

May 16, 2016 6:41 AM in response to Timothy Fink

Thanks Timothy,


I had the same issue, I have an external HDD (not an SSD) and the "Security Options" button wasn't showing up when I tried to erase the drive. I deleted the drive without any security selected (which took about 15 seconds) and then ran "First Aid" on the drive, which succeeded in about 30 seconds. When I went back to erase the drive again, the "Security Options" button had reappeared. Hope this helps.


Steps:

  1. Erase drive non-securely.
  2. Run "First Aid"
  3. Erase drive again, security options should appear.


Cheers,

Nov 27, 2015 1:45 PM in response to IMRAN

RecoveryPartition was just a partition on an external USB disk. The key being it was on an "External" disk as you said you wanted to erase. Just as your names do not mean anything to me, I don't expect my names for things to matter to you.


If you look at my images, there is a "Security Options..." button that gave me the extra passes. Your screen shot does not show that button.


Now I was using a partition, and you are pointing at the entire disk. That might make a difference to Disk Utility whether it shows the "Security Options..." or not. This was done on an El Capitan system.

Nov 27, 2015 3:10 PM in response to IMRAN

To note, sector replacement regarding hard drives has nothing to do with erasing the data on them.


When you secure erase an entire rotating hard drive with Disk Utility, it actually does overwrite each sector/block for as many passes as you choose. When you do a Secure Empty Trash, the areas of the drive where the data is stored are overwritten seven times with random data. There is virtually nothing that can recover anything from a seven pass erase. Not even proprietary lab equipment. And for the typical user, even a one pass erase is as good as gone.


Sector replacement is a highly incorrect term that you'll find all over the web. There is no such procedure. A drive has as many sectors on it that it will ever have when it ships from the factory. It can't create more from out of nowhere.


When you have bad blocks/sectors on a drive, the drive's own firmware will attempt to move the data in the corrupt area of the drive to a new location. Whether it succeeds or not, there is a small area of the drive set aside for mapping out bad blocks/sectors. It's no different than any other part of the drive as far as holding data, except neither the OS nor you are allowed to touch it. The drive keeps track of all bad sectors/blocks in the user area of the drive so nothing is ever written to them. As the drive develops more bad areas and they are mapped out, the fixed amount of space the drive has to keep track of these areas fills up. When it has no more room to write bad block data, the drive must be thrown away.

Nov 27, 2015 5:53 PM in response to IMRAN

I am curious... could it be that Disk Utility does not show those options if a drive is encrypted in some way for TimeMachine?


I DO see the Security option for 1TB and 2TB drives, but not on this 4TB. I will also try to run Disk Repair on all of them and do a reboot into a backup clean account on the machine and see if that shows different results.


Thanks.


Imran
