Securely erasing SSD using Filevault

Question

Securely erasing SSD using Filevault

I'm getting ready to sell my 2009 MBP with a 1tb SSD. I know I can't securely erase the drive like a traditional mechanical platter drive and so someone recommended the following which sounds pretty secure using filevault. I'm aware that this may take some time to do but I'm in no rush and willing to go through the process if indeed offers an extra layer of security if someone decides to hack. I would like anyone's expert opinion on this since I don't consider myself an Apple genius nor a guru on SSD and encryption technology:

1. Turn on Filevault and set up a complex password for decription. (Note this will take possibly hours to encrypt the drive)

2. After the drive is encrypted, boot into recovery mode and erase the drive.

3. Reinstall OS and then turn on Filevault with a different password. (Shouldn't take as long to encrypt since there's very little data)

4. Boot into recovery mode once more and erase the drive.

5. Reinstall OS.

Theoretically, any old original data is an encrypted mess. Also, the first Filevault password was erased and encrypted after the second OS installation.

MacBook Pro, OS X Yosemite (10.10.2), 2.0ghz, 8GB Ram

Posted on Sep 14, 2016 3:19 PM

Reply

Answer 1

Barney-15E

Level 10

122,318 points

Sep 14, 2016 3:33 PM in response to Brandon Garrido

Likely no reason to go beyond 2 except to reinstall the OS.

Reply

Answer 2

Barney-15E

Level 10

122,318 points

Sep 15, 2016 7:41 AM in response to Barney-15E

It would take a little more effort, but I would think booting into Internet Recovery and re-partitioning the disk would be a better plan because you would also destroy the Recovery partition. If you then did a straight reinstall, you would get the original OS that shipped on that Mac which would require you to then upgrade to the current OS. You could avoid that by creating a bootable USB installer first, though.

Reply

Answer 3

Sep 15, 2016 7:56 AM in response to Barney-15E

I do have El Capitan on a bootable usb drive and so I plan to install from that drive instead. Thanks for recommending to install from a second source especially if one's computer is a few years old and plan to use El Capitan. Although, with every install of a new OS, doesn't the install automatically create a new partition and essentially repartition the drive already?

Reply

Answer 4

babowa

Level 9

78,568 points

Sep 15, 2016 8:49 AM in response to Brandon Garrido

Unfortunately, you cannot sell your MBP with an OS downloaded from the app store as the license is for the Apple ID used to obtain it (you) and it is not transferable. Any buyer would not appreciate needing your Apple ID and password for updates or a reinstall. So, you need to erase your machine and reinstall the original OS on it. Using internet recovery won't work on yours as it came with an install DVD. If you no longer have that, you can either order one from Apple or get a retail Snow Leopard disk to install.

http://images.apple.com/legal/sla/docs/OSX1011.pdf

Excerpt:

3. Transfer.

A. If you obtained the Apple Software preinstalled on Apple-branded hardware, you may make a

one-time permanent transfer of all of your license rights to the Apple Software (in its original form

as provided by Apple) to another party, provided that: ℹ the Apple Software is transferred together

with your Apple-branded hardware; (ii) the transfer must include all of the Apple Software,

including all its component parts, printed materials and this License; (iii) you do not retain any

copies of the Apple Software, full or partial, including copies stored on a computer or other storage

device; and (iv) the party receiving the Apple Software accepts the terms and conditions of this

License. For purposes of this License, if Apple provides an update (e.g., version 10.11 to 10.11.1) to

the Apple Software, the update is considered part of the Apple Software and may not be

transferred separately from the pre-update version of the Apple Software.

B. If you obtained your license to the Apple Software from the Mac App Store, it is not transferable.

If you sell your Apple-branded hardware to a third party, you must remove the Apple Software from

the Apple-branded hardware before doing so, and you may restore your system to the version of

the Apple operating system software that originally came with your Apple hardware (the “Original

Apple OS”) and permanently transfer the Original Apple OS together with your Apple hardware,

provided that: ℹ the transfer must include all of the Original Apple OS, including all its component

parts, printed materials and its license; (ii) you do not retain any copies of the Original Apple OS,

full or partial, including copies stored on a computer or other storage device; and (iii) the party

receiving the Original Apple OS reads and agrees to accept the terms and conditions of the

Original Apple OS license

Reply

Answer 5

Sep 15, 2016 9:11 AM in response to babowa

Oh wow, I did not think of that. Thanks for pointing that out babowa. I still have the original leopard DVD's as well as the upgraded Snowleopard DVD which I will use to install.

It's been a while since I've done a Snowleopard install although do you know if it will ask me to log into my apple id account during the install process? I just want to do a generic install without any of my credentials tied to it. Also, if they want to upgrade the operating system, I'm assuming there's a straight upgrade path to El Capitan once they are logged into their own Apple ID?

Reply

Answer 6

babowa

Level 9

78,568 points

Sep 15, 2016 9:26 AM in response to Brandon Garrido

You're not asked for an Apple ID when using install DVDs, but you are asked for your admin password. I've always set up a simple one, such as 1 2 3 4 5 and the buyer can change that at any time. Some people suggest that you abort the install before you get to that part so the new owner can set it up on his own; that is great except that they cannot "test drive" it at all when you are showing the machine. So, do the install using a nondescript admin name (no name or something like joe bloe) and simple password which they can change later.

Reply

Answer 7

etresoft

Level 9

56,698 points

Sep 15, 2016 9:28 AM in response to Brandon Garrido

Hello Brandon,

You will need a new step. After turning on FileVault and before erasing the drive, you will need to run an operation to fill up all the free space on the drive. That will give you a better chance of erasing more of the unencrypted data. The ways SSDs work, I don't think you would ever be able to erase all of the low-level encrypted data. You should really turn on FileVault immediately after getting an SSD or a machine with an SSD. But for practical purposes, you don't have to worry about those last bits of data. It would take serious forensic skills to access them and there is unlikely to be any sensitive bits in those few remaining, low-level encrypted blocks.

Reply

Answer 8

Sep 15, 2016 10:14 AM in response to etresoft

Thanks etresoft. I'll be sure to fill up my drive with random music files or create one large blank video file to fill up the rest of empty space before turning on file vault.

Reply

Answer 9

Sep 15, 2016 10:25 AM in response to etresoft

Thanks babowa. I'll probably just set up the admin password with a simple number sequence for them to remember. Also, I believe Snowleopard offered the app store as I remember and so I'm thinking it's an easy upgrade path to El Capitan once they log in with their credentials. With OS X Sierra coming out on the 20th, I believe this will be the first OS that will not install on this laptop since it's considered a late 2008 model (very first unibody design). From the specs, one at least needs a mid 2010 or newer MBP or Sierra. I just hope El Capitan will be available after the 20th?

Reply

Answer 10

etresoft

Level 9

56,698 points

Sep 15, 2016 10:28 AM in response to Brandon Garrido

There are disk utilities that will do that more efficiently. You don't want to try it without your own, real data. Filling up the boot disk on OS X will trash the system and often make it unbootable. If you use a tool that is designed to fill up free disk space, it can do it safely and spare you a reformat.

Reply

Answer 11

Limnos

Level 10

428,363 points

Sep 15, 2016 10:43 AM in response to Brandon Garrido

We don't know what Apple plans on doing but typically they keep final version software around and available for a while. For example, not all iTunes versions are available but the final ones to run on certain system versions or hardware are, including iTunes 1.0.1. Apple did removed Mavericks and Yosemite, but anything that can run those two can, in theory, run El Capitan.

If you are installing Snow Leopard, give them the SL disc along with the Leopard ones. The Leopard ones are considered as much part of the machine package at the power cord, and if you are providing SL you also need to surrender the disc used to install it.

Reply

Answer 12

Sep 15, 2016 10:52 AM in response to etresoft

Do you know of a good and recommended disk utility that will fill up a hardrive's disk space?

Reply

Answer 13

etresoft

Level 9

56,698 points

Sep 15, 2016 11:07 AM in response to Brandon Garrido

Sorry. I would do it from the command line with "diskutil". There are a few other scripts one could use too. I am unfamiliar with other tools. I think Apple's Disk Utility used to perform operations like this, but they were removed since, technically, it is impossible on an SSD drive.

Reply