How to Secure Erase / Zero Out external hard drive in El Capitan?

Question

Level 3

502 points

How to Secure Erase / Zero Out external hard drive in El Capitan?

Let me put on my Bite My Tongue mode on lest the censors here delete this thread as they seem to do if a frustrated user points out serious flaws in current versions of Mac OS El Capitan.

Maybe I am missing something, but the cartoonish Disk Utility is not showing me an obvious place to find an option to Secure Erase (zero out) an external hard drive. The unhelpful Help File clearly states it is "one of the secure erase options in Disk Utility" but I can't seem to find it.

Can someone please let me know where to look so I can zero out yet another defective Western Digital external drive.

Thanks.

IMRAN

MacBook Pro with Retina display, OS X El Capitan (10.11.1), 2X iPhone6S+/6+/4S,NikonD300.iPad3

Posted on Nov 26, 2015 7:37 PM

Reply

Answer 1

Best reply

forgery

Level 1

6 points

Apr 27, 2016 10:46 AM in response to IMRAN

Since this showed up in my search, I figured I would post how to do this from the command line. Note that for my disk, the "Security Options" button does not appear on that screen (it is an old 160 GB drive)...

Step 1: Identify the device using diskutil list. In my case, this was a 160 GB drive that previously held Linux. I underlined my disk below.

$ diskutil list

/dev/disk0 (internal, physical):

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme *500.3 GB disk0

1: EFI EFI 209.7 MB disk0s1

2: Apple_CoreStorage Macintosh HD 499.4 GB disk0s2

3: Apple_Boot Recovery HD 650.0 MB disk0s3

/dev/disk1 (internal, virtual):

#: TYPE NAME SIZE IDENTIFIER

0: Apple_HFS Macintosh HD +499.1 GB disk1

Logical Volume on disk0s2

8FC580CC-1577-4B34-8EC3-9741EE1321C8

Unlocked Encrypted

/dev/disk2 (internal, physical):

#: TYPE NAME SIZE IDENTIFIER

0: FDisk_partition_scheme *128.7 GB disk2

1: Apple_HFS SD Card 128.7 GB disk2s1

/dev/disk3 (external, physical):

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme *1.0 TB disk3

1: EFI EFI 209.7 MB disk3s1

2: Apple_CoreStorage Time Machine Disk 999.9 GB disk3s2

3: Apple_Boot Boot OS X 134.2 MB disk3s3

/dev/disk4 (external, virtual):

#: TYPE NAME SIZE IDENTIFIER

0: Apple_HFS Time Machine Disk +999.5 GB disk4

Logical Volume on disk3s2

21DD3F59-ECE6-43BC-BE77-F2B003A241F2

Unlocked Encrypted

/dev/disk5 (external, physical):

#: TYPE NAME SIZE IDENTIFIER

0: FDisk_partition_scheme *160.0 GB disk5

1: Linux 524.3 MB disk5s1

2: Linux_LVM 159.5 GB disk5s2

Step 2: Use the diskutil secureErase command to erase the disk.

$ diskutil secureErase 1 /dev/disk5

started erase on disk5

[ \ 0%................................................. ] 3% 3:29:40

Reply

Answer 2

ckuan

Level 10

120,680 points

Nov 26, 2015 7:49 PM in response to IMRAN

There's none in El Capitan.

For your external HD, do a format.

Reply

Answer 3

IMRAN Author

Level 3

502 points

Nov 26, 2015 7:54 PM in response to ckuan

Thank you. Major disappointment. Mere format still leaves the data on the hard drive for someone else to recover.

Making the UX even worse is that the Help information is false.

Thanks for the input.

Imran

Reply

Answer 4

Nov 27, 2015 2:24 AM in response to IMRAN

There are various workarounds available.

You could do this via the command line in Terminal.app just like you can do RAID operations to replace that lost functionality as well
You can copy the Yosemite version of Disk Utility.app and hack that in to working
You could connect the drive to a Yosemite (or earlier) Mac
or You could create a bootable USB stick that does nothing but offer a secure erase facility - see this free tool https://www.paragon-software.com/home/dw-mac/

Reply

Answer 5

Barney-15E

Level 10

112,470 points

Nov 27, 2015 6:29 AM in response to IMRAN

A fifth option is to encrypt the drive then format it as unencrypted.

Reply

Answer 6

BobHarris

Level 9

52,907 points

Nov 27, 2015 12:46 PM in response to IMRAN

Disk Utility is not showing me an obvious place to find an option to Secure Erase (zero out) an external hard drive.

I was able to zero an external drive. And since erasing an external drive was your stated goal, why didn't you select an external drive instead of your internal Apple SSD?

And Disk Utility is not going to knowingly erase the boot drive, which it appears you have selected for you screen shot.

And it turns out disk drives and SSDs make it extremely difficult to perform a true guaranteed secure erase, as the rotating devices perform sector replacement where knowledgeable individuals can recover data from it after a secure erase, and SSDs never write to the sector where the data is stored, then always write to a new sector, and must move the original sector to a garbage collection area, where again knowledgeable individuals can recover your data. As a result it is not wise to declare something 'secure' when it isn't.

Finally, writing zeros on an SSD, besides not actually zeroing what you think you are zeroing (as in it can leave a few gigabytes of your original data still accessible), the zeroing also shortens the life of the SSD. SSDs have a limited number of writes per sector before the material physically wears out. The SSD does wear leveling to help avoid this, but zeroing an entire SSD (or worse 7 or 35 pass random patterns), can seriously reduce the life of the SSD.

With SSDs, it is better to operate them full time as FileVault encrypted drives and then as Barney-15E suggests, just do a reformat which will throw away the old encryption key and then sectors will just be a bunch of random bits. No need to write any zeros and shorten the life of the SSD.

Reply

Answer 7

IMRAN Author

Level 3

502 points

Nov 27, 2015 1:18 PM in response to BobHarris

Well, Bob, during that time the disk I was trying to secure erase stopped mounting and failed so Disk Utility's screenshot showed the internal SSD as chosen. Whether writing zeros on an SSD shortens the life or if it matters to the user or not is the not stated question. But, yes, I would never do dozens of full write passes on limited writable life SSDs, but your comment about that will surely be useful to many.

I know the system won't let it format or erase my primary drive. But, here is the same Disk Utility with a different disk chosen (which I do not wish to erase but just chose it to take this screenshot). Your screenshot applies to some Recovery Partition, which is also not my stated target to secure erase. Can you tell me where you see the option to Secure Erase it for my external data disk in Disk Utility here?

Thanks.

Imran

Reply

Answer 8

BobHarris

Level 9

52,907 points

Nov 27, 2015 1:45 PM in response to IMRAN

RecoveryPartition was just a partition on an external USB disk. The key being it was on an "External" disk as you said you wanted to erase. Just as your names do not mean anything to me, I don't expect my names for things to matter to you.

If you look at my images, there is a "Security Options..." button that gave me the extra passes. Your screen shot does not show that button.

Now I was using a partition, and you are pointing at the entire disk. That might make a difference to Disk Utility whether it shows the "Security Options..." or not. This was done on an El Capitan system.

Reply

Answer 9

Kurt Lang

Level 9

57,774 points

Nov 27, 2015 3:10 PM in response to IMRAN

To note, sector replacement regarding hard drives has nothing to do with erasing the data on them.

When you secure erase an entire rotating hard drive with Disk Utility, it actually does overwrite each sector/block for as many passes as you choose. When you do a Secure Empty Trash, the areas of the drive where the data is stored are overwritten seven times with random data. There is virtually nothing that can recover anything from a seven pass erase. Not even proprietary lab equipment. And for the typical user, even a one pass erase is as good as gone.

Sector replacement is a highly incorrect term that you'll find all over the web. There is no such procedure. A drive has as many sectors on it that it will ever have when it ships from the factory. It can't create more from out of nowhere.

When you have bad blocks/sectors on a drive, the drive's own firmware will attempt to move the data in the corrupt area of the drive to a new location. Whether it succeeds or not, there is a small area of the drive set aside for mapping out bad blocks/sectors. It's no different than any other part of the drive as far as holding data, except neither the OS or you are allowed to touch it. The drive keeps track of all bad sectors/blocks in the user area of the drive so nothing is ever written to them. As the drive develops more bad areas and are mapped out, the fixed amount of space the drive has to keep track of these areas fills up. When it has no more room to write bad block data, the drive must be thrown away.

Reply

Answer 10

Old Toad

Level 10

207,271 points

Nov 27, 2015 3:12 PM in response to IMRAN

There is a secure erase in Disk Utility for non SSD hard drives.

1 - select the disk in the sidebar.

2 - click on the Erase button:

3 - click on the Security Options button:

4 - select the level of secure erase in the next window:

Again, that option does not appear if the disk is an SSD.

Reply

Answer 11

IMRAN Author

Level 3

502 points

Nov 27, 2015 5:39 PM in response to Barney-15E

Thank you, that sounds like a possible workaround. I wonder if it will take a bit longer than a straight forward Write Zeros. But thank you for the interesting suggestion.

Imran

Reply

Answer 12

IMRAN Author

Level 3

502 points

Nov 27, 2015 5:40 PM in response to Old Toad

Thanks, OT. I am not seeing that Security option in my case. And none of my externals is an SSD.

Reply

Answer 13

IMRAN Author

Level 3

502 points

Nov 27, 2015 5:41 PM in response to BobHarris

I had thought of that and also tried clicking the partition, Bob, I should have stated that in my comment but here is a screenshot to show that even in that case I am not seeing the option.