hoakley May 23, 2024 Macs, Technology

How secure is Secure Erase (EACAS)?

This week has brought worrying reports that securely erased devices have seemingly ‘recovered’ old images stored on them before their erasure, a bug addressed by the iOS/iPadOS 17.5.1 update. Although this doesn’t appear to affect Macs, it has led some to claim that securely erasing your Mac or device may not remove all old data from it. This article explains why that’s incorrect, and how those reports are false.

Structure of internal storage

Since macOS Catalina, Macs have started up not from a single system volume, but from a group of volumes. This is simpler on the internal storage of an Intel Mac, which now has five volumes, of which the relevant ones are the System and Data volumes.

bootdiskstructureintelvent

The internal SSD in an Apple silicon Mac consists of three APFS containers, and lacks the legacy EFI partition. Only the Apple_APFS container is normally mounted, and that has a similar structure to the boot container of an Intel Mac.

Since Big Sur, the System volume remains unmounted, and the boot system is a read-only snapshot stored on that volume. Outside macOS installation and updating, nothing can write to either of those, so the only volume capable of storing user data is the Data volume. If old images were to be stored anywhere, they could only be on the Data volume.

Data volume encryption

Intel Macs without T2 chips only encrypt the Data volume when FileVault is turned on. However, Data volumes on the internal SSD in T2 and Apple silicon Macs are invariably encrypted; the SSD is connected directly to the Secure Enclave, which performs its encryption and decryption using keys generated and stored within it. Keys and processes involved are shown in the diagram below.

filevaultpasswords1

All volumes on the internal SSD that are encrypted have a Volume Encryption Key (VEK), protected by two internal keys, one the unique hardware UID from the Secure Enclave, the other from xART and intended to protect from replay attacks. The VEK isn’t exposed outside the Secure Enclave, nor is it handled by CPU cores. When FileVault is enabled, the same encryption is applied to the Data volume, but its VEK is additionally protected by a Key Encryption Key (KEK) requiring entry of the user password for that to be unwrapped, and give access to the VEK.

Data volume encryption is all-or-none, and can’t be partial. It applies to the volume’s file system, its data, metadata, even its snapshots. macOS can’t forget to encrypt some parts of the volume, indeed it’s not possible for any of the Data volume to be stored unencrypted, nor can its contents be ‘cached’ somehow to the System volume, which isn’t even mounted. Decryption can only succeed when the whole VEK is used; you can’t provide part of the VEK or KEK to decrypt part of the volume.

EACAS

Intel Macs with a T2 chip and Apple silicon Macs can take advantage of this scheme of encryption when they need to be securely erased. This is offered by Erase All Content and Settings (EACAS), or Erase Assistant, and Erase Manager. This is initiated from System Settings > General > Transfer or Reset > Erase All Content and Settings…. In older versions of macOS still using System Preferences, open them and this is available as a command in the app menu there.

eacas

EACAS handles all the signing out that’s required before disposing of a Mac, and disables Find My Mac and Activation Lock. But most importantly it ensures that no one can access the contents of its Data volume, by destroying the encryption keys (both KEK and VEK) used to encrypt that volume. Without those keys, it’s practically impossible for anyone to break that encryption and recover any of the protected data.

This has the effect of destroying the Data volume, as it can’t be mounted or accessed in any way without being decrypted. When that Mac is started up after EACAS has been used, it has to create a new Data volume using a fresh VEK before that can be mounted and macOS goes through its configuration and personalisation sequence. Once complete, that Mac uses the new Data volume and the storage used by the previous Data volume is freed for reuse.

Potential problems

For the great majority of users, secure erase using EACAS is quick, simple, and completely reliable. Unfortunately, there can’t be an equivalent for older Intel Macs without T2 chips, but many of them don’t have internal SSDs, so can be erased conventionally using Disk Utility. Neither does EACAS work with external storage, as that can’t use hardware encryption and the Secure Enclave, so must also be erased conventionally if required.

If your Mac has more than one boot volume group installed on its internal SSD, you might wonder whether you have to run EACAS from each of those systems in turn. Although Apple’s description isn’t accurate, it appears that running EACAS will destroy all encryption keys for internal storage, including other boot volume groups, even Boot Camp. However, as explained above, it doesn’t erase the System volume, which isn’t encrypted anyway.

Claims

As far as I can tell, claims made about securely erased devices recovering old images originate from a single post on Reddit, since deleted by the person who posted it. Although that brought a series of cogent responses pointing out how that isn’t possible, it was picked up and amplified elsewhere, under the title iOS 17.5 Bug May Also Resurface Deleted Photos on Wiped, Sold Devices, which is manifestly incorrect. Sadly, even those who should know better have piled in and reported that single, retracted claim as established fact.

No doubt that will soon be making its way into AI, where we’ll be told that EACAS isn’t reliable, and we should revert to traditional secure erase tools that attempt to overwrite the entire contents of the internal SSD of a Mac we’re going to dispose of.

Summary

Use Erase Assistant (EACAS) to securely erase your Mac’s internal storage before disposing of it, when it’s available.
When someone makes an outlandish claim, verify before you amplify. If you do get it wrong, retract promptly.

16Comments

Add yours

1
EcleX on May 23, 2024 at 6:59 am
Reply
This simple erasing method should be 100% efficient:
1. Erase the disk with Disk Utility.
2. 2. Copy a big monolithic file like a movie and continue to copy items until no free space is left (in APFS disks should be done in such a way that a real file is copied, instead of just a kind of alias). Eject and mount the disk to confirm that no free space is left.
3. Erase again the disk (optional).
That way, a single write pass would erase all previous contents. If someone tries to get information from it, only the movie would be recoverable. And this procedure is faster, wasting less energy and wearing less the disk. If only we had an application to do it automatically on Mac (for both older HFS+ and newer APFS disks)!

LikeLiked by 1 person
- 2
  
  hoakley on May 23, 2024 at 8:44 am
  Reply
  
  I’m sorry, but for any modern Mac with a T2 or Apple silicon chip running Big Sur or later, that’s totally and utterly incorrect. What’s worse, not only is it a complete waste of time, but it’s not in the least bit secure, as it doesn’t destroy the encryption keys in the Secure Enclave.
  Have you ever used EACAS?
  It’s quick, and as I have gone to great lengths to explain in this article, it’s also totally secure. It doesn’t write much to the internal SSD, doesn’t require you try to fill 2 or 4 TB of SSD with vast files, and it also does all the other tasks required in preparing your Mac for disposal.
  For the few older Macs with internal SSDs, and without FileVault enabled, that laborious procedure might have its uses. But not for anything more recent.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on May 23, 2024 at 10:03 am
    Reply
    
    Thanks. Yes, I meant for older Macs with without FileVault enabled.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on May 23, 2024 at 11:01 am
      
      OK. In that case:
      – with an internal hard disk the closest is probably to follow the traditional multiple overwrite cycle available in Disk Utility.
      – with an internal SSD or Fusion Drive, there really isn’t such a thing as a secure erase, as whatever you try, there’s a fair chance that any encryption key may remain recoverable. If you need to ensure that nothing is recoverable, then physical destruction of the storage is the only safe course. That’s why EACAS is such an important feature.
      Howard.
      
      LikeLike
    - 5
      
      EcleX on May 23, 2024 at 1:47 pm
      
      Thanks. Just for curiosity, I wonder how long would take before quantum computing could break any current password/encryption.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on May 23, 2024 at 9:02 pm
      
      That’s a very interesting and important question. I think it’s best addressed in an article, and will try to write one for next week.
      For now, there’s no quantum computer powerful enough to do this at scale. Expectations are they will take another few years, then may not be commercially available until 5 years or more into the future.
      Although they should be able to break conventional or pre-quantum encryption methods including elliptic curve, the current best choice, that doesn’t mean they could guess or recover a password or phrase, but it’s more about how they might tackle substantial bodies of encrypted data.
      Trying to decrypt an encrypted Data volume on an SSD is even more of a challenge. You can’t do that with the Mac intact, as its defences won’t let you try. Apple silicon Macs, for instance, only offer around 10-20 attempts at a password, and the time between attempts gets progressively longer, eventually locking everyone out.
      So the storage would have to be removed. As the ‘SSDs’ in Apple silicon Macs aren’t actually full SSDs, because their controllers are in the Secure Enclave, an attacker would need very special engineering even to attempt to decrypt the contents.
      The greatest threat to current pre-quantum encryption is with Messages/iMessage, where an attacker can currently build a large store of all your traffic for later attempts to break its end-to-end encryption using quantum computing when it becomes available. Because of that, Apple is introducing the first of its post-quantum encryption this year, that should be resistant to such attacks for some years to come, and I gather US government requirements are that they will need to be built into other message services this year too. But those aren’t to protect from current attacks, but those in the future, maybe 8-15 years from now.
      Howard.
      
      LikeLike
    - 7
      
      EcleX on May 24, 2024 at 6:23 am
      
      Thanks! Looking forward to that! BTW, when you said “they they” I guess that you meant “that they”.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on May 24, 2024 at 7:33 am
      
      Corrected, thank you.
      Howard.
      
      LikeLike
  - 9
    
    et2infinity on May 26, 2024 at 1:52 pm
    Reply
    
    Further troubling, the bad advice to use Disk Utility on Modern Macs with T2 or later can leave a user with a Mac that is unusable until they use Apple Configurator from another Mac to DFU restore that Mac “wiped” with Disk Utility https://it-training.apple.com/tutorials/support/sup085 . If a user lacks another Mac to perform the DFU restore, then they may need to trek to an Apple Store for support. As you note, using EACAS is the best method to prepare the Mac for sale or re-use.
    
    LikeLiked by 1 person
    - 10
      
      et2infinity on May 26, 2024 at 2:09 pm
      
      Wanted to clarify – this can happen when using Disk Utility from another macOS Boot Disk when attempting to “wipe” a Mac for re-use. Users using pre-T2 guidance mistakenly boot a a modern Mac to external macOS Boot Disk and run Disk Utility from the external boot disk or use a Thunderbolt connected Mac with the device to be wiped in Target Disk mode, and wipe the physical disk device, destroying the Recovery volumes and all other volumes on the disk. This then requires Apple Configurator to perform a DFU restore. Erase All Contents and Settings avoids the extensive DFU restore steps.
      
      LikeLiked by 1 person
    - 11
      
      hoakley on May 26, 2024 at 7:09 pm
      
      Thank you.
      The saving grace here is that, by default, T2 Macs can’t boot from an external disk, and creating an external boot disk for an Apple silicon Mac isn’t easy. You also can’t wipe an Apple silicon Mac’s internal storage when it’s in Target Disk mode. So it does take real determination to get it wrong!
      Howard.
      
      LikeLike
    - 12
      
      hoakley on May 26, 2024 at 7:07 pm
      
      Thank you.
      Howard.
      
      LikeLike
13

Rafal on May 25, 2024 at 10:28 pm
Reply

Just wanted to say thanks for all the informative Mac stuff on your blog! Whenever I’m researching Mac internals I usually invariably end up on your site.

It really is refreshing to read your content, compared to eg the site you linked and said “they should know better” – pointless AI pictures, spam, ads, “Buy now” buttons, and misinformation.

LikeLiked by 1 person
- 14
  
  hoakley on May 26, 2024 at 7:01 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
15

ssyydd on May 27, 2024 at 6:16 am
Reply

More on the bug was reported – https://9to5mac.com/2024/05/26/security-bite-heres-the-ios-17-5-bug-that-resurfaced-deleted-photos/

LikeLiked by 1 person
- 16
  
  hoakley on May 27, 2024 at 8:34 am
  Reply
  
  Thank you.
  Howard.
  
  LikeLike