hoakley December 17, 2018 Macs, Technology

**Disk Utility 18.0 (Mojave):** Not exactly the truth

As mentioned earlier, Disk Utility 18.0 in macOS 10.14.2 Mojave doesn’t do what it claims when you select Security Options for formatting SSDs. This article explains exactly what it does, how to perform what it doesn’t, and details another separate bug and its workaround.

Security Options

When you erase or format a disk in Disk Utility, there is a button offering Security Options for secure erase. These appear to work as claimed on conventional rotating hard disks, but work quite differently on SSDs.

The first option (control at the far left) is the default, and doesn’t attempt any form of secure erase.

The second option claims to overwrite the free space with random data (first pass), then with zeros (second pass). It doesn’t do that at all.

Instead, according to its own commentary, it deletes the APFS volume completely, removes any Preboot and Recovery “directories”, then adds a new APFS volume in the chosen format, which is exactly the same process which is followed when no secure erase option is chosen, or the first option is chosen. Disk Utility doesn’t overwrite any free space at all.

To perform the secure erase which it describes, you have to use the diskutil command in Terminal instead. For a volume named volumeName, the two commands required to perform the advertised secure erase would be
diskutil secureErase freespace 1 /Volumes/volumeName
diskutil secureErase freespace 0 /Volumes/volumeName
which would be expected to take several hours for a 1 TB USB 3 SSD.

The third option claims to perform a DOE-compliant 3-pass secure erase, but actually performs the same volume removal and replacement as the default.

To perform the secure erase which it describes, you have to use the diskutil command in Terminal instead, using a command of the form
diskutil secureErase freespace 4 /Volumes/volumeName
which would again be a very slow process.

The fourth option claims to perform a US DOD 7-pass secure erase, but actually performs the same volume removal and replacement as the default.

To perform the secure erase which it describes, you have to use the diskutil command in Terminal instead, using a command of the form
diskutil secureErase freespace 2 /Volumes/volumeName
which is an even slower process.

Before using diskutil secureErase, you should read man diskutil, where Apple cautions:
“This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly “erased” by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).”

Bug reformatting APFS volumes

It isn’t possible to encrypt an existing APFS volume non-destructively using Disk Utility, and in some cases when attempting to erase and reformat a volume, Disk Utility returns “an internal state error” and fails to perform the operation.

This occurs when you select the volume, container, or disk and use the Partition tool instead of Erase. In the next dropdown sheet, select Partition, then select the format for the partition.

This consistently results in the error shown below.

The workaround is to select the volume and use the Erase tool instead.

22Comments

Add yours

1

Disk Utility 18.0 (Mojave): Not exactly the truth – The Eclectic Light Company – Jerry's Mac Blog on December 17, 2018 at 2:57 pm

[…] Source: Disk Utility 18.0 (Mojave): Not exactly the truth – The Eclectic Light Company […]

LikeLike
2

John Lockwood on December 17, 2018 at 3:55 pm

It is generally accepted that doing a secure erase on an encrypted SSD is pointless and potentially damaging.

Firstly erasing the drive using the standard erase command destroys the keys which would be required to decrypt the drive and secondly forcing it to write to each ‘block’ or worse _repeatedly_ to each block could cause premature ageing and possible failure of the SSD. This is because unlike traditional spinning hard drives SSDs can only write to each block a finite number of times. As a result SSDs normally implement wear levelling features to spread this across the entire SSD so no individual block gets prematurely worn out.

This is supposedly why Apple in Disk Utility do not really do secure erase if the device is an SSD.

This article – https://protect.iu.edu/online-safety/hardware-software/How%20to%20securely%20erase%20a%20Solid%20State%20Drive.html looks one of the more informative ones.

LikeLiked by 2 people
- 3
  
  hoakley on December 17, 2018 at 4:09 pm
  
  Thank you. I think that I do actually cover those points, and I quote Apple’s warning word for word.
  However, what Disk Utility currently does is incorrect. It explains to you what it would do if you were trying to secure erase a hard drive. It then pretends to go ahead and reports that it has done what you asked – it doesn’t say that you’re silly and shouldn’t be doing that – which is very misleading.
  The diskutil secureErase command doesn’t erase the whole SSD, only free space, so it doesn’t destroy any keys if the SSD is already encrypted. Neither does the hard disk version on encrypted hard disks.
  If you just do one pass of zeros, for example, that is one write to each block on the drive, and one less ‘life’. That is hardly excessive to do only when you are about to sell or give your Mac away to someone else.
  I have no problem whatsoever if Disk Utility in Mojave does the same as it does in Sierra – and make the secure options unavailable when the drive is an SSD. Those who really want to do a secure erase can then use the command tool if they wish. However for Disk Utility in Mojave to purport to do a secure erase and go through all the motions without being honest with the user is deliberately deceptive, and could easily cause serious problems.
  At the moment, hardly anyone can recover the contents of a re-formatted SSD in APFS. Several tools are coming along which will eventually be able to do that. Then there is a real problem for users to try to address.
  Howard.
  
  LikeLike
- 4
  
  hoakley on December 17, 2018 at 4:16 pm
  
  I should also point out that diskutil secureErase freespace works by writing a single large file to fill the free space on the SSD, then deleting it, and writing a secondary file (which presumably kicks in TRIM). It cannot, as some have suggested, write thousands of times to a small number of blocks on the SSD and age them prematurely. And if it did, Apple shouldn’t include it as an option in one of its own command tools either.
  Howard.
  
  LikeLike
5

John Daniel (@etresoft) on December 17, 2018 at 6:19 pm

Apple’s support document (https://support.apple.com/kb/PH22241?locale=en_CA) clearly explains that “with a solid-state drive (SSD), secure erase options are not available in Disk Utility. For more security, consider turning on FileVault encryption when you start using your SSD drive.”

But since USB doesn’t pass media type, you are still going to have that button with any USB drive.

LikeLiked by 1 person
- 6
  
  hoakley on December 17, 2018 at 6:45 pm
  
  Thanks.
  Yes, that support article was one of the first that I went to, before I saw that it referred to Disk Utility in Sierra, and doesn’t cover APFS at all. A couple of other articles referred to Sierra not even offering the option for SSDs, which is different from Disk Utility’s behaviour now in Mojave. I haven’t been able to find any more recent info about Mojave, apart from what is shown on screen by Disk Utility, which is completely misleading.
  I’m interested that you say that Disk Utility can’t tell whether a USB drive is SSD or not, as it makes no attempt to perform a secure erase of an SSD, although I understand that it still does perform secure erase on hard disks. I wonder how it tells the difference then? Or maybe it won’t even secure erase a hard disk, which would be a serious omission? Either way, if it can’t do what it tells the user it is doing, it shouldn’t promise to do so, and certainly shouldn’t tell the user that it has completed correctly.
  Howard.
  
  LikeLike
  - 7
    
    John Daniel (@etresoft) on December 18, 2018 at 3:13 pm
    
    The only real change in Disk Utility for Mojave is the ability to create shared volumes inside an APFS container. Otherwise, it is a pretty standard increment of an increasingly buggy app. Apple doesn’t support external disks anymore. Those features in Disk Utility that involve external disks sometimes just don’t work. If you want secure data, use FileVault. If you want to go your own way, you are on your own. macOS is EOL. You aren’t going to get any usability improvements or polish.
    
    LikeLike
8

EcleX on December 18, 2018 at 9:40 pm

If Disk Utility does not do it, perhaps a developer could make an application that does it with a GUI for Mac users.

LikeLiked by 1 person
- 9
  
  hoakley on December 18, 2018 at 11:11 pm
  
  I’ve been thinking of that. It wouldn’t be hard to build a really powerful back end to use diskutil, but the hard work is in giving it a friendly interface.
  I have been busy with another project and a new app today which I will be unveiling just before Christmas which might prove a little more important. All I have to do now is document it properly, and 1.0b1 should be in Downloads in the next couple of days. You might not like what it shows – but for the moment at least, I’m afraid that it’s going to be Mojave-only.
  Howard.
  
  LikeLike
10

EcleX on December 19, 2018 at 8:24 am

Thanks for the heads up and all your great amazing work. Second to none as far as I know!

LikeLiked by 1 person
11

Adam on December 21, 2018 at 6:30 pm

Or just use Paragom’s Hard Disk Manager for Mac. Problem solved.

LikeLike
12

EcleX on December 21, 2018 at 6:38 pm

Adam, use it for what? Thanks.

LikeLike
- 13
  
  hoakley on December 21, 2018 at 9:11 pm
  
  It’s Hard Disk Manager for Mac, from Paragon (who were first to market with an APFS implementation for non-Mac platforms and older macOS).
  I’ve never even seen it. It’s named Hard Disk Manager, which doesn’t seem ideal for SSDs. It’s not cheap, and currently isn’t claimed to be compatible with Mojave. So it doesn’t appear particularly encouraging.
  Has anyone else here had experience with it, please?
  Howard.
  
  LikeLike
14

jruth on January 21, 2019 at 11:53 am

Nice detail, thanks. I actually was searching to see if Mojave’s Disk Utility (or Terminal) can fix my corrupted Jetdrive 256GB SD card. I’m using High Sierra. Card won’t mount. Commercial software show that my data is still there, but I can’t afford to purchase it. Any ideas? Many thanks.

LikeLiked by 1 person
- 15
  
  hoakley on January 21, 2019 at 12:23 pm
  
  Thank you.
  Disk Utility wasn’t one of the highlights of High Sierra, but seems rather better in Mojave. It also depends on the format of the card: if that’s APFS, then the best tool is most likely Disk Utility in Mojave, although I’m not sure whether that’s any better at unscrambling the version 2 APFS in High Sierra.
  If it’s in a FAT family format, then you may find a PC tool as good.
  If there’s a Mac user group in your area, this is the sort of problem which they may be able to help with.
  Howard.
  
  LikeLike
  - 16
    
    Jeff on January 21, 2019 at 12:40 pm
    
    THanks. Card is formatted in HFS+. I have a hunch that there is something in Terminal, but just can’t figure this out!
    
    LikeLike
    - 17
      
      hoakley on January 21, 2019 at 12:46 pm
      
      The terminal command which you could use is fsck, which usually calls fsck_hfs, but those are also used by Disk Utility as far as I know. Doing a repair from Terminal isn’t simple, and unless you really know what you’re doing, Disk Utility is a much safer approach. If Disk Utility can’t or won’t, then with HFS+ the third party tools are very good, and probably your only option.
      Sorry.
      Howard.
      
      LikeLike
18

Michael Tsai - Blog - Secure Erase and Mojave’s Disk Utility on February 6, 2019 at 9:08 pm

[…] Howard Oakley: […]

LikeLike
19

Bernard on March 13, 2019 at 1:07 am

But If we have turned on File Fault and our data is secure and we don’t need to securely delete individual files, everything on the drive and is decrypted on the fly, as you open them and as you close them, they’re encrypted again.

Why not just create a blank disk image file to move any files you really want to securely delete.

Create an encrypted disk image, open Disk Utility from the Applications > Utilities folder. Then, go to File > New Image > Blank Image.

On the dialog box that displays, enter a name for the disk image in the Save As box. Be sure the name contains “.dmg” at the end

Select Where to save the disk image file, enter a Name, and specify the Size for the disk image. Type a space and then KB, MB, GB, or TB after the number.
Encrypt the disk image, and require a password to open it, select an Encryption method. Apple recommends the 128-bit AES encryption choice because it makes the disk image very secure, without being too slow.

When you select an Encryption method, a dialog box automatically displays asking for a password.
Enter your password twice and then click Choose. Then, click Save. Click Done on the progress dialog box once the operation is successful. Your new disk image shows up under Disk Images in Disk Utility.

Double-click on the disk image name to open it in Finder. Move any files and folders you want to delete into your new disk image. To close and lock the disk image, right-click on the disk image’s icon and select Eject. Any files you copy to the disk image are encrypted. You can move the .dmg file to the trash and the files inside it are securely deleted. Even if they are recovered, they will not be readable.

Also, don’t delete files from an open disk image. This puts them in the trash like regular files

LikeLike
20

Bernard on March 13, 2019 at 1:11 am

Why not just create a blank disk image file to move any files you really want to securely delete.

Create an encrypted disk image, open Disk Utility from the Applications > Utilities folder. Then, go to File > New Image > Blank Image.

On the dialog box that displays, enter a name for the disk image in the Save As box. Be sure the name contains “.dmg” at the end

Select Where to save the disk image file, enter a Name, and specify the Size for the disk image. Type a space and then KB, MB, GB, or TB after the number.
Encrypt the disk image, and require a password to open it, select an Encryption method. Apple recommends the 128-bit AES encryption choice because it makes the disk image very secure, without being too slow.

When you select an Encryption method, a dialog box automatically displays asking for a password.
Enter your password twice and then click Choose. Then, click Save. Click Done on the progress dialog box once the operation is successful. Your new disk image shows up under Disk Images in Disk Utility.

Double-click on the disk image name to open it in Finder. Move any files and folders you want to delete into your new disk image. To close and lock the disk image, right-click on the disk image’s icon and select Eject. Any files you copy to the disk image are encrypted. You can move the .dmg file to the trash and the files inside it are securely deleted. Even if they are recovered, they will not be readable.

Also, don’t delete files from an open disk image. This puts them in the trash like regular files.

LikeLiked by 1 person
- 21
  
  hoakley on March 13, 2019 at 7:51 am
  
  Thank you.
  I can see how the copies of files moved to the encrypted disk image are securely deleted, but I can’t see how that removes or encrypts the originals of those.
  In HFS+, straight copies would be made, and there seems no way this would affect the originals.
  With APFS ‘smart copy’, the moment those files were encrypted that would surely only affect the copies. I can’t see how the data for the original files would be securely erased in this process.
  Howard.
  
  LikeLike
- 22
  
  hoakley on March 13, 2019 at 7:59 am
  
  Sorry – your original comment ended up being marked as spam, so I have restored it.
  If you have turned on FileVault encryption, then why would you need secure erase at all – as Apple advises, a fully encrypted drive with a robust passphrase is effectively already securely erased the moment the passphrase is forgotten, or changed to something long and random?
  Howard.
  
  LikeLike