Is secure erase supported in Sierra

In the past, I found Filevault to work pretty well, but it would slow down some video playback as it had to unencrypt on the fly. Right now, I have Sierra on a SSD boot and my user folder sits on a standard hard drive on my Mac Pro. But I had an old program that can erase files in the Trash, which you can set in its preferences to work at different levels of security. It's called Permanent Eraser. After upgrading to Sierra, and backing up files, it opened and ran when I tested it. So it has effectively replaced what Apple took out. I simply leave a Permanent Eraser alias on my desktop. You double click the icon to start the erase process without touching the Trash can itself. It gives an option to ask for confirmation. Then erases what's in the Trash.

Hello TaxiFish,

You need to encrypt the drive with FileVault first. Then just delete. Apple now uses SSD drives in most of their machines and those drives do not support secure erase.

Let me see if I understood,

1-Encrypt the drive with FileVault

2.-Restart Mac and Command +R after

3-Open Disk Utility

4-Erase Macintosh HD

5-Reinstall macOS Sierra

Its that correct? and two more questions

This is the same as erase the drive with secure options ?,

If I erase without Filevault I can erase malware(trojan horse)?

Thanks

You should use FileVault from the first day you purchase your Mac. Then all your data is encrypted, including any bad blocks, or on SSD's the blocks that have not been pre-cleaned.

Then when you reformat your storage, the encryption key will be thrown away, and all the encrypted data is just a bunch of random bits.

Encrypting after the fact, means that any bad blocks will have readable data with the right tools, any SSD's with block that have not been pre-cleaned will be readable with the correct tools.

Basically if you have a SSD and did not keep the SSD always encrypted, then you will expose some portion of your personal data to anyone with the correct tools when you sell your Mac.

As for the old Secure Erase of individual files, that is no-longer a Finder option as of El Capitan, and no longer an 'srm' command via Terminal in Sierra. Using Secure Erase on an SSD never deletes the data you want, and shortens the life of your SSD. On a rotating disk drive, as long as none of the blocks became a bad block, secure erase would wipe the file.

If you have a rotating hard disk, you can use a package manager, such as Home Brew, MacPorts, or Fink to install an open source 'srm' package, or you can search for an App that claims to do secure erase. But keep in mind it is a waste of effort doing this on an SSD, and not 100% reliable on an rotating hard disk.

As EtreSoft says, Apple has been shipping most of their Macs using SSDs, and going forward, it appears they will be moving towards all Macs shipping with SSD, so a secure erase is not useful for these Macs. Apple's new APFS file system which is being previewed on Sierra includes the ability for each file encrypted with its own dynamically created encryption key, so that deleting that file will throw away that key so there is no way to get that data back. No individual file secure erase needed.

Hello again TaxiFish,

On your previous OS version, it was doing something. It was securely erasing maybe 95% of what you requested. But that isn't considered good enough.

> If you have a rotating hard disk, you can use a package manager, such as Home Brew, MacPorts, or Fink to install an

> open source 'srm' package, or you can search for an App that claims to do secure erase. But keep in mind it is a

> waste of effort doing this on an SSD, and not 100% reliable on an rotating hard disk.

Or you could just use Sierra's diskutil command line program which supports secureErase subject to the note on its man page that "This kind of secure erase is no longer considered safe because modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware. The modern solution for quickly and securely erasing your data is strong encryption, with which mere destruction of the key more or less instantly renders your data irretrievable in practical terms."

Hello again TaxiFish,

APFS does not really exist yet. It is still experimental right now. I don't think it supports encryption at all. You would have to jump through a lot of hoops to create any kind of APFS disk right now.

Otherwise:

Previously the secure erase/secure empty trash function would overwrite files but was not entirely effective due to the inherent limitations of an overwrite strategy when using an SSD?

Yes

Thus an SSD's free space encrypted and running Sierra is more secure (once trash is emptied) than the same encrypted system under 10.11 using secure empty trash/erase or other overwriting technique? With the added advantage of being faster and easier on the SSD?

No. If your disk was encrypted under 10.11, then none of any of this would have made any difference. You would have to use an unencrypted SSD on 10.11 and secure erase a file. In that case, there would be a slight possibility that some of the original file would be left over somewhere.

Am assuming that the Sierra upgrade procedure processes all existing data to allow these capabilities for existing files?

APFS, while available to try in Sierra, really should not be used for anything except experiments to see what it is all about. It is NOT used by default.

Sierra uses your existing HFS+ file system, and you should continue to use your existing HFS+ file system, because a "New" file system is going to have all kinds of issues and problems with it (my day job is as a file system developer for Unix operating system (never for Apple), and I know very well how difficult it is to get everything working perfectly on the first release).

This is the APFS encryption summary

<https://developer.apple.com/library/content/documentation/FileManagement/Concept ual/APFS_Guide/Features/Features.html#//apple_ref/doc/uid/TP40016999-CH5-DontLin kElementID_7>

Here are some additional links about APFS

<https://www.backblaze.com/blog/apfs-apple-file-system/>

<https://en.wikipedia.org/wiki/Apple_File_System>

<http://www.cultofmac.com/435718/apfs-new-apple-file-system/>

Google can find you more by search for APFS

BTW this stuff important to me as I travel with the Mac book (my only system) and want to avoid (as much as possible) any issues associated with theft/loss or some strange customs guy...

They if you do not have FileVault enabled, you should consider doing that "Real Soon Now"

Hello again TaxiFish,

Sierra only eliminates the secure erase. That was meaningless to begin with since this hypothetical machine was already encrypted.

But if your hypothetical thieves were really that fast, even secure erase wouldn't help you. If you are logged on, then they would be able to copy all of your files. Since this is a MacBook Pro, it likely has Time Machine local snapshots enabled. If I assume these thieves are as clever as they are fast, they will make sure to recover any recently deleted files from your snapshots.

I'm not sure what you are getting at. I think we've been through this several times by now. Due to the nature of an SSD, secure erase is simply not possible. FileVault is better and has always been better. The idea of thieves snatching your MacBook Pro and running down the street with it, careful moving the mouse pointer every 45 seconds to ensure it doesn't go to sleep or lock the screen, and then raiding your carelessly deleted files, is just silly. A MacBook Pro is not a device the CIA issues to secret agents. People use it to watch movies, do term papers, and post on Facebook. It has really good security - far, far better than you will ever need. Just don't worry about it.

If your Macbook Pro has an SSD, then today FileVault with

System Preferences -> Security -> General -> Require password after sleep or screen saver begins

and a moderately short Screen Saver "Start after" interval (not too short, as it can make it difficult to get any work done), is the current Best Practice approach.

If your Macbook Pro has a rotating hard disk, then go to the Applications -> App Store and search for "Secure Erase", and you will find several utilities that do the same LESS THAN 100% secure erase as you had before, but it might be good enough for what you want. DO NOT use these on an SSD, as it does nothing except shorten the life of the SSD.

Again for a rotating hard disk, you could get the open source 'srm' command line utility via something like <http://brew.sh>, <http://macports.com>, <http://finkproject.org>, then create an Automator drag and drop app that will use the 'srm' command via "run shell script" to use the same LESS THAN 100% secure erase.

If you wish to experiment with APFS, then it is available on Sierra. You could create a partition for APFS and keep those sensitive files on the experimental APFS partition.

In a few years, when APFS has proven itself, then you can use it full time for everything.

NOTE: I think you have the right attitude towards data safety. EtreSoft are I are just trying to educate you as to the realities of Secure Erase with today's industry standard storage systems (rotating and solid state disks). And know that Apple is working on improving your security with every release, including removing utilities and features that give a false sense of security, or worse shorten the life of your storage.