My rights to MacOS?

[chrfr]

the OS needs to be able to boot before you unlock FileVault, so there might be risk of residual data under /var or /etc.

No, Filevault 2 is full disk encryption. The Mac does not boot before the disk is unlocked.

 

[ZapNZs]

You can buy the current generation 13-inch without the touchbar, and the SSD is removable, brand new.
Apple also stills sell the previous generation 15-inch with a removable SSD, brand new.
Alternatively, you could also buy one of the touchbar models with the soldered on SSD, and, should you need to remove the SSD, simply destroy the computer as it isn't like the price of a MacBook Pro is a very big business expense. We're only talking 2-3 grand here and a device made of materials that are mostly recyclable...


On that Mac, you can enable FileVault 2 and use the Mac with Little Snitch to monitor both incoming and outgoing connections.
Within that Mac, you can run a Virtual Machine that is isolated from the rest of the computer, and does not have web access.
Within the virtual machine on the Mac, you can run Veracrypt to make an encrypted vault for your most important files.

 

[Ambrosia7177]

@theluggage,

Short answer: yes.

You have a 2015 MBP with Sierria (and dust) on it: use it to google "create sierra bootable usb" and download and create a USB installer. Then boot the refurb machine straight from that and perform a clean install.

Okay.

If Mr Putin's putative nastyware survives that then I suggest you just five up and raise a glass of vodka to your new Russian overlords.

Ha ha

More accurately, you can't Secure Erase an SSD using the multiple-overwrite technique designed for HDs because it just won't work (you can't overwrite data on a SSD the way you can on a HD) and even if it did doing it regularly might even reduce the life of the SSD (SSDs have a limited number of write/erase cycles - the longevity depends on the fact that you don't often re-write the "whole" disc, and the wear can be spread around).

In reality, a SSD is a separate little computer sitting inside your computer, running a software simulation of an old-fangled spinning rust hard drive with tracks and sectors, carefully optimising how the data is actually stored in the Flash memory which is quite different to how it is arranged on the "virtual" disk.

That is consistent with what I have read online so far.

but if you're worried about the Men In Black getting hold of your old drive then you need to enable whole-disk encryption. At least then they'll stop waterboarding you once you've given them the password instead of expecting you to prove that there isn't one.

I had an external HDD that was a clone backup on my internal HDD on this 2012 Mac. It was encrypted with FileVault 2.

When I went to reformat the drive (externally) using Disk Utility it wouldn't let met.

Based on that experience, while FV2 would protect data on a soldered SSD, it would mean that anyone I would donate the old MBP to wouldn't be able to use it because they couldn't install a new OS on top of my FV2 container.

Comments on this?
[doublepost=1506160472][/doublepost]

The point with disk encryption is supposed to be that you erase the decryption key, at which point even if someone can read some of the encrypted SSD blocks it won't help them. I would personally be more worried that some of the basic OS files are not encrypted by FileVault 2, since the OS needs to be able to boot before you unlock FileVault, so there might be risk of residual data under /var or /etc.

@hughm123

I believe that was a fatal flaw of FileVault 1. My understanding is that FIleVault 2 pretty much fixes that, but your caution is certainly valid!

 

[hughm123]

No, Filevault 2 is full disk encryption. The Mac does not boot before the disk is unlocked.

Well, yes and no. There is full disk encryption, so the main OS may not boot before the disk is unlocked. But the system pre-boots via EFI to a list of usernames so you can log in and decrypt the disk. So by definition at least these usernames are available without full decryption [*]. From the Wikipedia page:

"For this approach to disk encryption, authorised users' information is loaded from a separate non-encrypted boot volume (partition/slice type Apple_Boot)."

[*] at least when plugged into the same motherboard, depending how pre-boot security is implemented. For example in Windows Bitlocker, AFAIK the disk unlocks in part with a platform-level DRM key, so if you plug the SSD into a different system you need the recovery key, but this is automated when on the same motherboard. Mac OS may or may not be the same.