hoakley December 17, 2018 Macs, Technology

Cleaning up sensitive files: How to sanitise storage

The most common reason for wanting to clean up sensitive files on internal or external storage is when you’re going to sell or give your Mac (or drive) away. If it’s going for recycling, the issue is quite different: I will consider that in a future article here.

Before you even think about how to clean these files up, you must know what they contain, and what risk they would pose if someone else were to be able to view them. Governments and large organisations use security classification systems, and you should think in similar terms:

Files which have national security content. If you ever handle any of these, you will be subject to national legal requirements and must follow those. Don’t go it alone, but get proper security advice. In most cases, the storage or computer must be returned to security experts, who will almost certainly send it for secure destruction.
Any legally-protected information, covered by national data protection law. Here you must follow best practice as laid down by your national data protection authority. This may well involve physical destruction, and you will need appropriate certificates to demonstrate that whatever you have done is within those legal requirements. Don’t try going this alone.
Private files which would potentially have serious consequences to you and others, but are not covered by data protection legislation. You need to be confident that these are completely destroyed, but can choose how to do that yourself.
All other private data which you don’t want others to see. This should, for example, include all your keychains and any other account information. Again, you need to satisfy yourself that it is destroyed.

The first two may seem irrelevant to almost everyone, but a lot of business information falls into the second category. However, we’re prone to pretend that it really isn’t that important, until something goes wrong. Here I’m going to concentrate on the latter two, as those are the ones for which you make all the decisions.

The next question is what type of medium they are stored on: a traditional rotating hard disk, an SSD, or both in a Fusion Drive?

Sanitising hard disks

If you just reformat the hard disk, this makes it relatively easy for a third party to recover all or most of your sensitive data using a cheap and readily-available tool. That is probably sufficient if your Mac is going to a close friend or relative who isn’t going to sell it (or have it stolen) in just a few days, and the private data are in category 4.

In all other circumstances, you should take active steps to ensure that your data can’t readily be recovered from the storage.

The reason that simple reformatting doesn’t do a good enough job is that the free space contains all your old files, and disk recovery utilities are designed to reassemble the contents of that free space into recovered files. What you therefore need to do is overwrite all the free space remaining after the reformat. This is easily done using the secure erase option in Disk Utility – click on the Security Options button.

Disk Utility offers three different levels of secure erase, above the Fastest setting which doesn’t overwrite free space at all. Those three offer different numbers of passes in which the erase is performed. The most basic overwrites all free space twice: the first time it writes random data, and the second time zero bytes. This is ample to ensure that someone can’t use a readily available tool to recover your old deleted files.

If your hard disk falls into the hands of a state-sponsored intelligence agency or another well-funded group, they may still be able to recover some of the data which were on your hard disk. In theory, you might then wish to choose a higher level of security at this stage, but that will take much longer and you should ask yourself whether that is really worth it.

Most secure erase features like that in Disk Utility can’t clean some storage blocks which have been marked as bad, so they might leave a small amount of data which could potentially be recovered. There isn’t any straightforward way of addressing that, but the risk is exceedingly low, even if that disk were to be passed to the best of data recovery specialists and cost were no object.

Sanitising SSDs

Unfortunately, SSDs perform a lot more low-level management with routines such as TRIM and wear-levelling. As a result they can be much harder to sanitise properly than a hard disk. If you’re concerned about category 4 data and the SSD is going to a good home, simply re-formatting the SSD should suffice.

Problems come with category 3 data, or when you don’t know where the SSD will end up. Studies carried out at UCSD some years ago drew attention to many problems which can occur using different techniques. Even writing non-sensitive data to an SSD until it appears full can’t be trusted to overwrite every storage unit because of the management features built in.

The snag is that Disk Utility won’t overwrite an SSD’s free space in the way that it does with hard disks. It pretends to offer the same three secure erase options, but in fact none of them does what the dialog says. Indeed, in Sierra they aren’t even available, which is perhaps a little more honest.

In Mojave, all three secure erase options offer is that the original APFS volume is completely deleted, with any Preboot and Recovery directories, and it is then added back as a new volume. This will destroy all APFS data about the original volume, but the file data for that volume will remain on the SSD. Although at present there appear to be no macOS utilities which can reconstruct such a removed volume, that situation will change in the future.

Mojave does provide a command which will overwrite all the storage according to a range of options:
diskutil secureErase freespace 0 /Volumes/volumeName
overwrites all the free space on the volume named volumeName with zero bytes. Replace the 0 with a 1 for random bytes, 2 for a US DoD 7 pass secure erase, 3 for a Gutmann 35 pass, or 4 for a US DoE 3 pass version. These can take a very long time: for a USB 3 drive, a single-pass erase may take as long as 100 minutes for 1 TB.

For each pass, diskutil secureErase freespace creates a temporary file which fills the free space on that volume, then ‘securely’ erases it. It then creates a secondary temporary file and mounts the disk normally. However, Apple warns:
“This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly “erased” by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).”

To sanitise an internal SSD properly, you should:

Turn FileVault on, using a long, random password, and allow this to complete, if it is not already enabled on that disk.
Reformat the SSD in encrypted format (APFS strongly preferred) using a strong password, with any of the three ‘secure erase’ options selected, and provide that password to the new owner of that Mac.

If you want to use diskutil secureErase freespace, the best time to do so is at the end, when the SSD has been freshly reformatted.

You can’t simply enable FileVault on an external SSD, though: it isn’t covered by the FileVault pane, and changing its format from APFS to APFS Encrypted is a destructive process for that volume.

To sanitise an external SSD properly, you should reformat the SSD in encrypted format (APFS strongly preferred) using a long, random password, then perform diskutil secureErase freespace if you wish. Destroy that password before passing the SSD on to its new owner. When they get the SSD, they will then have to reformat it to their own requirements.

diskutil secureErase freespace isn’t something to use lightly: it takes a long time to complete, uses up some of the SSD’s working life, and may actually add little or nothing to the protection of your data.

Sanitising Fusion Drives

Fusion Drives are quite different in HFS+ and APFS. In the former they use CoreStorage, while in the latter they work as a complex APFS volume in which the SSD component acts more as a cache for the hard disk. They are not documented well, and the chances of anyone other than a disk recovery engineer being able to recover data from them are considerably less than with conventional storage. In most cases, simply reformatting them using Disk Utility should be sufficient.

If you want to go further than that, you will almost certainly need to split the drives and perform secure erase on each, before re-forming the Fusion Drive using command line tools. I wish you the best of luck.

What about the T2 chip?

Macs with T2 chips don’t behave any differently with respect to external storage and its sanitisation. They are quite different, though, in respect of sanitisation of their internal SSD storage.

The internal SSD of a Mac with a T2 is permanently encrypted, and can only be accessed while it is integral with the T2 chip. In most cases, SSDs are soldered to the logic board, and as far as recovering data from them, they all may as well be. To sanitise an SSD in such a Mac, all you need do is:

If FileVault isn’t already enabled, turn it on with a long, random password.
Reformat the SSD with FileVault enabled, using a different strong password which you must pass on to the Mac’s new owner.

All data on the SSD is already encrypted by the T2 chip; enabling FileVault in the first step is almost instantaneous, and makes it impossible to access the contents of the SSD without the password. The second step then renders the contents inaccessible to the original password. Even if the second password is discovered, it will not allow access to the contents prior to the reformat.

The T2 chip severely limits the number of attempts which can be made to guess a password during an attack on encryption. The first 14 attempts are allowed without any delay, thereafter increasing delay periods are enforced up to a maximum of 30 attempts. Then 10 further attempts are allowed in Recovery mode, and up to 30 in each of the FileVault recovery mechanisms. The maximum total number of attempts to guess the password is 90, following which decryption is not possible. This makes a brute force attack impractical, unlike normal software FileVault which doesn’t impose delays or any upper limit.

Simple, isn’t it?

29Comments

Add yours

1

sonam g on December 17, 2018 at 7:42 am

nice post

LikeLike
2

EcleX on December 17, 2018 at 8:03 am

Thanks for the comprehensive review. Still, we would love to have an application to duplicate a large monolithic file like a movie into a formatted drive to fill it (using smaller files if required to leave 0 bites left). Just in case you could make such application. It would be great. Thanks in any case.

LikeLiked by 1 person
- 3
  
  hoakley on December 17, 2018 at 8:43 am
  
  But if you read the UCSD paper, you’ll see that doing so is not a good way of performing a secure erase.
  Even if it were, it has one major problem: you cannot check whether it has worked, nor its coverage of the drive. This is because you aren’t using a distinctive byte pattern like all zeros, so there’s no way of telling whether any block contains original data or the overwriting file.
  Sadly, I can’t help at present, as the oldest macOS running here is on Mojave, and I don’t have any Mac with a boot disk in HFS+ still. It’s impossible to write for APFS anyway!
  Howard.
  
  LikeLike
4

Patrick on December 17, 2018 at 8:08 am

Wouldn‘t anyone with sensitive data (aka all of us) encrypt their drives anyway? Cleanup then becomes as simple as throwing the key away 🙂

LikeLiked by 1 person
- 5
  
  hoakley on December 17, 2018 at 8:47 am
  
  No. My previous iMac didn’t have an encrypted boot drive, and I suspect that is standard practice for all desktop Macs without a T2 chip. However, they all contain keychains which (while themselves encrypted) would make secure erase important before disposing of that Mac.
  I suspect that a majority of laptops without T2 chips have FileVault turned off too.
  Howard.
  
  LikeLike
  - 6
    
    Patrick on December 17, 2018 at 10:54 am
    
    Since FV2 all Macs can boot from encrypted boot drives. I agree that not everybody did enable it on desktop machines, but on laptops it should be standard practice.
    
    Nevertheless the advice „encrypt now do you don‘t need to worry later“ should be part of such a list.
    
    LikeLiked by 1 person
    - 7
      
      hoakley on December 17, 2018 at 1:28 pm
      
      It depends where you are and what you do. I have a MacBook Pro 2017 which has never gone any further than our local pub. Nothing on it is sensitive, apart from its keychain. As it doesn’t have a T2 chip, encryption does impose overhead, so its internal drive isn’t encrypted.
      One of the big advances with the T2 chip is encryption by default and without any overhead. You don’t have to make a choice, except whether to add your own password in the form of FileVault.
      Howard.
      
      LikeLike
8

Michele Galvagno on December 17, 2018 at 10:48 am

My 2016 MBP has FileVault turned off, most of all because I am afraid of losing the password myself (silly I know but…).

Anyway, when you say Enable FileVault and then format the encrypted drive, what of this has to be done from Recovery mode?

Sorry for the “beginner” question, but have never done this.
Also, what would you suggest for a Mac running El Capitain (MBP from 2009 I would like to give away)?

Thank you so much!

LikeLiked by 1 person
- 9
  
  hoakley on December 17, 2018 at 1:24 pm
  
  Yes, to format your boot volume you’ll either have to have started up from an external drive, or in Recovery mode.
  For your MacBook Pro, I suggest following the article above. If it’s going to a relative or close friend and will be used for a while before disposal, you can be more relaxed, and just formatting the boot volume can be fine.
  I will be writing another article this week about preparing your Mac more generally for disposal: there’s a simple routine you need to go through before parting with it, even if it’s just going for recycling.
  Howard.
  
  LikeLiked by 1 person
10

Michele Galvagno on December 17, 2018 at 2:48 pm

Thank you!
Forgive me but I’m not a native English speaker: what is intended for ‘overhead’?
The dictionary didn’t help that much in this context.

Thanks!

That 2009 MBP has an internal SSD because I replaced it so I may follow the SSD part.
Thank you!

LikeLiked by 1 person
- 11
  
  hoakley on December 17, 2018 at 2:56 pm
  
  Overhead in that context is additional processing work for the Mac. Before the T2 chip, encryption and decryption were handled by the CPU, and slowed access to the disk. A Mac with a T2 chip is much quicker with encrypted internal disks, because the T2 acts as the disk controller and does the encryption/decryption.
  Interestingly that is only true for the internal disk: encrypted external storage is not handled by the T2, so does still slow access slightly.
  Howard.
  
  LikeLike
- 12
  
  hoakley on December 17, 2018 at 2:58 pm
  
  Oh – and you need no forgiveness. Your English is excellent, my usage was not as clear as it should have been.
  Howard.
  
  LikeLiked by 1 person
  - 13
    
    Michele Galvagno on December 17, 2018 at 3:00 pm
    
    Thank you so much!!
    
    LikeLiked by 1 person
14

Christian on December 17, 2018 at 4:30 pm

What would be wrong if I fill up the drive (or SSD) in question with some irrelevant data? A long recording of a boring teleshopping night with EyeTV is all needed. Recorded file size not big enough? Duplicate the recording a couple times in the Finder until drive is full. Then delete and give away.

OT: Your “other section” of your site (about the paintings) is a wonderful thing. I never ever have found such a “good guide” to the painters and their work before. Many thanks for these beautiful insights! All the best for the upcoming holiday season for you and your family from Germany.

LikeLiked by 1 person
- 15
  
  hoakley on December 17, 2018 at 4:40 pm
  
  Thank you.
  Quite a few people try to overwrite their whole SSD in this way, thinking that it will eliminate any old data in the free space.
  The few studies which have been made of this have shown that it doesn’t work well, and can leave a lot of old data which is still recoverable. This is because of all the management being done on the SSD. For example, APFS itself won’t allow you to write to the full capacity of most SSDs, and always keeps some free space, which can sometimes be GB even. Underneath APFS the SSD’s own firmware is pulling similar tricks.
  The biggest problem, though, is that you can’t assess how effective your overwriting is, as you can’t tell which blocks are full of your new data, and still contain old.
  Duplicating in the Finder in APFS is most frustrating, as most times it doesn’t actually copy the file, but just makes a sort of hard link to it. You actually need to write bytes to the SSD, and that is what diskutil secureErase freespace does very effectively.
  Thank you for the kind words about the painting articles – and a very happy Christmas to you and your family too.
  Howard.
  
  LikeLike
16

EcleX on December 17, 2018 at 4:45 pm

You said “It’s impossible to write for APFS anyway!” Does it mean that is it not possible to write applications for it? I do not understand it. On the other hand, you can boot from an HFS+ external drive and do it that way. That would be much appreciated, either for HFS+, APFS or both. Thanks.

LikeLiked by 1 person
- 17
  
  hoakley on December 17, 2018 at 6:10 pm
  
  No: trying to get APFS to do this sort of thing is like nailing jelly to the wall. It does what it wants to do, which often isn’t what you want! To write this sort of tool, you’re best off using low-level access to the file system, something that APFS doesn’t really allow without getting seriously technical.
  I’m fairly sure that this iMac Pro won’t boot from an external HFS+ drive, and I don’t have such a drive now anyway. I have no way of testing with Sierra, except in a virtual machine, which is no good for doing low-down drive stuff. Sorry, Sierra and HFS+ are legacy now – I’ll continue to try supporting them and El Capitan in my existing tools, but trying to write new and adventurous code for them just isn’t an option without buying an old Mac specially for the purpose.
  Howard.
  
  LikeLike
18

EcleX on December 17, 2018 at 6:34 pm

OK, I understand. Hopefully, it will be possible to write such a tool in the future. Perhaps a trick would be to somehow change the file to be duplicated to fool the system thinking that it is a different file, in such a way that it really and fully copies it into the destination disk to be filled.

LikeLiked by 1 person
- 19
  
  hoakley on December 17, 2018 at 6:47 pm
  
  I haven’t crossed it off my to-do list, it’s just not too close to the top!
  Howard.
  
  LikeLike
20

EcleX on December 17, 2018 at 8:37 pm

Thanks. Well, that is great news for me!
🙂

LikeLiked by 1 person
21

Michael Tsai - Blog - Secure Erase and Mojave’s Disk Utility on February 6, 2019 at 9:05 pm

[…] Howard Oakley: […]

LikeLike
22

Anonymous on June 13, 2019 at 4:00 pm

Some of the stuff you write here isn’t correct, I believe.

Formatting the SSD on a mac with a T2 chip or an iPhone instantly renders all the former data permanently inaccessible whether you turned on FileVault or not, and whether you used a secure password or not. The drives are, in both cases, encypted with a key in the T2 chip in special effaceable memory. Formatting the drive deletes the key. If you turn on FileVault, Apple simply adds your password to the equation, so it matters little if your password is secure or not in terms of rendering the data inaccessible when formatting.

It’s documented in Apple’s security overview for the T2 chip and iPhone.

None of the data recovery companies are able to recover data that has been overwritten (once) on a modern mechanical hard drive.

I called asked one of the best companies in the business, and I’ve had that confirmed since.

I find it unlikely that government intelligence agencies possess better technology in this area, but the possibility is there, of course.

The last time anyone was able to recover any overwritten data was on diskettes, as far as I have been told, and noone has been able to replicate what Peter Gutmann did on modern drives, in a way that lead to actual data recovery.

In other words a one-pass wipe with zeroes (diskutil zeroDisk) should be sufficient for mechanical hard drives in all cases.

The only exception would be if you have to do more because of formal rules requiring you to use a specific algorithm.

Or if you are worried about possible secret technology or technology that might appear in the future. Then I would do a random scrub instead of zeroes, or perhaps three scrubs, at most.

This is likely why Apple no longer includes Gutmann’s 34-pass algorithm in the GUI anymore. Gutmann has his past research doesn’t make sense anymore either.

Also, you can’t know for sure what a “good home” for your old computer is. Your friend might have your former machine stolen or rooted, or something else. The less vectors, the better.

Furthermore, does turning FileVault on on a pre-2018 Apple SSD really encrypt all of the drive, or just used areas?

My guess is, that it just encrypts used areas prior to High Sierra and on Mojave, because of the short encryption times in the past and the long encryption times on High Sierra which disappeared again on Mojave (even on pre T2-drives).

If it just encrypts used space, you shouldn’t recommend turning on FileVault as a drive sanitazion method, as the SSD controller will not place the files back in the same space when writing them back after having read them to RAM and encrypted them, and if you have used only 1/3 of the space, for instance, a lot of data will still be unencrypted on a low level afterwards. I see some publications recommending this method, but I think they just started writing without knowing what they are talking about or researching it properly, in other words they made it up, and then someone else took that as a truth and wrote the same, etc.

If your SSD has TRIM, or if you enable it from the command line, simply reformatting the drive might set off deletion, clearing stuff on a low level through garbage collection. Apparently this happens in the background and continues if you turn the machine off and on again, as controllers live their own lives. Forensics experts and drive rescue companies complain that they can’t do much in these cases. However, you can’t know for sure what it does, or if it clears all of it, and if it does so on a low level, as different manufacturers have different controllers.

I would recommend formatting the drive, then doing a 1-3 pass random freespace wipe, to force the controller to write to as many places as possible and reach more areas with the second and third pass (wear leveling). That wouldn’t really cut it, but it’s the best we can do.

Some drives support sending a ATA Secure Erase command to them, though support is probably not widespread.

There are a couple of other things.

First of all, although Apple is trying to prevent the numer of guesses and prevent brute forcing with T2, I am not entirely convinced. If you somehow manage to image the drive and the chip, or the right stuff in the chip, you wouldn’t have to go through it and could have unlimited guesses. I think this is what the company that “cracked” the iPhone for police departments for a while did, as their method did not work on iPhones with a secure alphanumeric password.

On Linux, disk encryption utilites have started using an iteration count to increase computational cost. Even KeePassXC and ssh on macOS supports this. Does Apple do this as well for FileVault? I would trust that more than a secret chip hardware hackers might be able to reverse engineer at some point.

That said, a secure password is a must. Most people, even in IT, have no idea what is and isn’t.

LikeLike
- 23
  
  hoakley on June 13, 2019 at 7:38 pm
  
  Sorry: that comment had been trapped in the spam filter, and I couldn’t even see it there in the WordPress app!
  Howard.
  
  LikeLike
- 24
  
  hoakley on June 13, 2019 at 8:10 pm
  
  Thank you for your comments on what is a controversial area.
  The recommendations given above are based on what I believe to be reliable sources, including Apple. If your Mac has a T2 chip, enabling FileVault on its internal storage takes as long as it takes to type in your long, random password – the cost is zero. It is not impossible that someone could find a vulnerability which enables the standard (non-FileVault) encryption to be broken, and I have seen claims that some companies might be able to. However even those accept that once FileVault has been turned on, they can’t. So for zero cost you have what could be a significant benefit.
  For other SSDs which don’t have a T2 as their controller, the situation isn’t simple, as I explain above. I have quoted Apple’s current recommendations word-for-word, and users need to consider then whether or not we feel we should do better. With the current state of APFS data recovery, it could actually be sufficient! With an already well-used SSD, if you’re passing it on or selling it, you need to appreciate that each pass is reducing its remaining working life.
  I think that we agree about multi-pass erasing of hard disks, if you read what I wrote above.
  So I’m not sure what of the above recommendations aren’t “correct”.
  Howard.
  
  LikeLike
25

Anonymous on June 13, 2019 at 4:05 pm

I forgot to mention something. The quality of random data used to create the T2 effaceable keys would matter, to defend against rainbow tables and such…

I think Apple will just have to hope their chip won’t be analyzed by Chaos Computer Club veterans 🙂 … if they already employed them, maybe we can trust this stuff.

LikeLiked by 1 person
26

Anonymous on June 13, 2019 at 4:06 pm

I just posted a long comment, but it did not register, I think?

LikeLiked by 1 person
- 27
  
  hoakley on June 13, 2019 at 7:43 pm
  
  Sorry, I have now freed it from spam jail.
  Howard.
  
  LikeLike
  - 28
    
    Anonymous on June 14, 2019 at 10:04 am
    
    Thanks.
    
    How reliable are your sources in Apple? I’ve read a lot on disk encryption and SSDs and I think it’s safe to assume that encrypted data won’t be written back in the same space. I just think someone “clever” thought this up without checking it properly.
    
    In any case, drive recovery companies are having lots of trouble recovering anything from an SSD, and complain that just a quick format will set off something of a self destruct of previous data. They apparently need knowledge of lots of different drives and their controllers to recover anything.
    
    I would call and check with experts in Drivesavers if we want to be sure, I won’t trust Apple on this.
    
    And I agree that FileVault with a proper password is a good extra security in case Apple’s secret sauce does not hold up (it has on iPhone though?). Provided it’s properly implemented of course. From looking at your blog it seems like Apple is in a hurry and not properly taking care of less visible or older parts of their OS while embracing new ideas too quickly. Maybe they should employ more older people and slow down the release cycle.
    
    I also don’t like how they are transforming more and more of the system to a closed one, like iOS, even if I appreciate the security I think their security department has been given too much of a free pass after the Facebook scandal.
    
    LikeLiked by 1 person
29

Anonymous on June 14, 2019 at 10:10 am

Linus visits Drivesavers:

LikeLiked by 1 person