Monday, Jul 4, 2022

How to use Terminal to securely erase any space on a Mac's hard drive

If you’re selling an old Mac, a spare hard drive, or you’re just quite paranoid about your deleted data, you’re either familiar with—or should be familiar with—the Erase Free Space button on the Erase tab in Disk Utility (found in your Applications -> Utilities folder).

When you click this button, you’re presented with three options for securely erasing the free space on your hard drive: write over the free space with zeros (fast and relatively safe), write over the free space three times (more secure, very slow), or write over the free space seven times (extremely slow).

I use this feature whenever I sell an old machine. First I format the drive and install a fresh copy of macOS, then I use Disk Utility to erase the free space (typically the one-time write-with-zeros option). This gives me a good sense of security, as it would take a team of dedicated professionals, and possibly special hardware, to have some chance of recovering any of my deleted data—though I really only care about a few financial files, and those are kept on an encrypted disk image, so they’re probably safe anyway.

Use Terminal to securely erase a drive

What if you want to do this from Terminal instead? In Terminal, a program named diskutil provides most of the features of macOS’s Disk Utility.

(Please note that, as with many Terminal commands, there’s a chance of Really Bad Things happening if you make a mistake with the following instructions. Proceed with caution, and make sure your backups are current before you try any of the following.)

To find out about diskutil in detail, type man diskutil at the Terminal prompt. Within the man pages, you’ll find the explanation for how to securely erase a disk’s free space using diskutil:

secureErase [freespace] level device

Erase, using a "secure" (but see the NOTE below) method, either a whole-disk (including all of its partitions if partitioned), or, only the free space (not in use for files) on a currently-mounted volume.  Secure erasing makes it harder to recover data using "file recovery" software.

Erasing a whole-disk will leave it useless until it is partitioned again.  Erasing freespace on a volume will leave your files intact, indeed, from an end-user perspective, it will appear unchanged, with the exception that it will have attempted to make it impossible to recover deleted files.

If you need to erase all contents of a partition but not its hosting whole-disk, use the zeroDisk or randomDisk verbs.  Ownership of the affected disk is required.
Level should be one of the following:
  o   0 - Single-pass zero fill erase.
  o   1 - Single-pass random fill erase.
  o   2 - Seven-pass erase, consisting of zero fills and all-ones fills plus a final random fill.
  o   3 - Gutmann algorithm 35-pass erase.
  o   4 - Three-pass erase, consisting of two random fills plus a final zero fill.
NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly "erased" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms.  Consider using APFS encryption (FileVault).

But how do you figure out what to list for device, which is the disk (or partition) that has the free space you’re trying to securely erase? diskutil can provide that information, too. Just use diskutil list to see a list of all drives and partitions. On the far right, you’ll see an IDENTIFIER column; that column contains the identifier that diskutil needs. Here’s an example of the list output on my machine:

[Image: terminal erase freespace]

There’s just one last bit of information you need to know to erase the free space on a drive from the command line. In Unix, all devices appear as part of the file system tree, and in macOS, they’re all listed in the /dev directory. So if I want to use diskutil to erase the free space on my Apple_HFS Untitled volume on my external drive, using the single-pass method, the final command would look like this:

diskutil secureErase freespace 1 /dev/disk2s1

Warning! It’s critically important that you include the freespace portion of that command. If you don’t, diskutil will happily start securely erasing the entire disk, instead of just the free space! Yes, that’s a Really Bad Thing, especially because it will be securely erased, meaning there’s no chance you’ll be able to recover the data.
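Because everything hangs on naming the right identifier and never leaving out the freespace keyword, here is a small POSIX shell script that does both steps mechanically. This is an added example and not code from the original article or from Apple's diskutil; the sample diskutil list output embedded in it is constructed, and the function names volume_identifier and secure_erase_freespace_cmd are my own. The first function parses diskutil list output (real or the sample) and returns the IDENTIFIER for a volume name; the second prints the finished command, refuses whole-disk identifiers such as disk2, rejects levels outside the 0-4 range from the man page, and hard-codes freespace so the printed command can never be the whole-disk erase described above.

```sh
#!/bin/sh
# Added example for this article; not Apple's code and not part of diskutil.
# Two helpers: one maps a volume NAME to its diskutil IDENTIFIER by parsing
# "diskutil list" output, the other builds the exact "secureErase freespace"
# command and refuses whole-disk identifiers or unknown levels.

# Constructed sample of "diskutil list" output, used so the functions can be
# exercised on any system without reading real disks.
SAMPLE_DISKUTIL_LIST='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *32.0 GB    disk2
   1:                  Apple_HFS Untitled                32.0 GB    disk2s1'

# volume_identifier NAME
# Reads "diskutil list" output on stdin and prints the IDENTIFIER (last
# column) of the first line whose NAME column is NAME.  The name has to be
# followed by a SIZE token ("32.0 GB", "*500.3 GB", "+500.0 GB"), which keeps
# "Macintosh HD" from also matching "Macintosh HD - Data".  NAME is spliced
# into a regular expression, so avoid regex metacharacters in it.
# Returns 1 when no volume matches.
volume_identifier() {
    awk -v name="$1" '
        BEGIN { re = "[ \t]" name "[ \t]+[+*]?[0-9.]+ [KMGT]B[ \t]" }
        $0 ~ re { print $NF; found = 1; exit }
        END { if (found) exit 0; exit 1 }
    '
}

# secure_erase_freespace_cmd LEVEL IDENTIFIER
# Prints (never runs) the diskutil command that erases only the free space of
# one mounted volume.  LEVEL must be one of the 0-4 levels from "man
# diskutil"; IDENTIFIER must name a volume (disk2s1), not a whole disk
# (disk2), and the "freespace" keyword is hard-coded, so the printed command
# cannot be the whole-disk erase the article warns about.
secure_erase_freespace_cmd() {
    level=$1
    ident=${2#/dev/}                     # accept "disk2s1" or "/dev/disk2s1"
    case $level in
        0|1|2|3|4) ;;
        *) echo "secure_erase_freespace_cmd: level must be 0-4" >&2; return 2 ;;
    esac
    if ! printf '%s\n' "$ident" | grep -Eq '^disk[0-9]+s[0-9]+$'; then
        echo "secure_erase_freespace_cmd: refusing '$ident' (need a volume like disk2s1)" >&2
        return 2
    fi
    printf 'diskutil secureErase freespace %s /dev/%s\n' "$level" "$ident"
}

# Demo on the constructed sample (prints the command, never executes it):
#   sh erase_freespace.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ident=$(printf '%s\n' "$SAMPLE_DISKUTIL_LIST" | volume_identifier Untitled) || exit 1
    secure_erase_freespace_cmd 1 "$ident"
fi
```

On a real Mac you would feed the live listing instead of the sample, for example diskutil list | volume_identifier Untitled, pass the result to secure_erase_freespace_cmd, read the single line it prints, and only then type that line into Terminal yourself; the script deliberately never executes diskutil, so a typo in the volume name produces an error message rather than an erase.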