So it only shows if you FileVault-protect your Macintosh HD partition? Otherwise, it won't show? If so, then only an encrypted partition will be allowed to secure erase and it won't let you for a non-encrypted partition?

----------



I see, but I guess it's too late for that now right?

You can activate FileVault2 at any time. It only took me about 30 minutes to encrypt about 70GB of data on my 11" i7.
 
This will be because "securely erasing" an encrypted storage medium (be it flash, SSD, hard drive, CD etc.) can be achieved by trashing the encryption keys. Once this is done the storage device is still full of your data but it is useless because it is just unintelligible noise to all intents and purposes. This isn't secure wiping, it just renders the data useless. In the case of a hard drive, after trashing the keys the hard drive will then go on to perform a secure erase as normal; on an SSD this will not happen AFAIK. The same technique is used for iPhone/iPod Touch/iPad for wiping the device (remotely or locally). It just trashes the encryption key once again.

Alec

I turned on FV2 and then restored the Air as new before returning.
 
This will be because "securely erasing" an encrypted storage medium (be it flash, SSD, hard drive, CD etc.) can be achieved by trashing the encryption keys. Once this is done the storage device is still full of your data but it is useless because it is just unintelligible noise to all intents and purposes. This isn't secure wiping, it just renders the data useless.

This is not what it did on my Air. It did do a full wipe. Otherwise it wouldn't have taken 15 minutes.
 
This will be because "securely erasing" an encrypted storage medium (be it flash, SSD, hard drive, CD etc.) can be achieved by trashing the encryption keys. Once this is done the storage device is still full of your data but it is useless because it is just unintelligible noise to all intents and purposes. This isn't secure wiping, it just renders the data useless. In the case of a hard drive, after trashing the keys the hard drive will then go on to perform a secure erase as normal; on an SSD this will not happen AFAIK. The same technique is used for iPhone/iPod Touch/iPad for wiping the device (remotely or locally). It just trashes the encryption key once again.

Alec

I see but the original guy I'm quoting said he actually saw the options available and used them. So how is that possible? And even if it is, it seems that a secure erase option does nothing on SSD but no one is absolutely sure?
 
Also, how much does FileVault slow down computer performance? Does it at all? I'm afraid I'm not at all familiar with it and how it may affect my usage. I take it whenever I save anything, whether big or small, there is a performance hit of some sort due to it encrypting everything - is this true?
 
Also, how much does FileVault slow down computer performance? Does it at all? I'm afraid I'm not at all familiar with it and how it may affect my usage. I take it whenever I save anything, whether big or small, there is a performance hit of some sort due to it encrypting everything - is this true?
See this review on osx daily. It looks like very little impact. The one issue is that it stops software designed to help you track your laptop down if it's stolen from working by requiring a username and password at boot time (whereas the software which helps you to track your Mac relies on the miscreant being able to access an account on the device, a guest account for instance).

Alec
 
See this review on osx daily. It looks like very little impact. The one issue is that it stops software designed to help you track your laptop down if it's stolen from working by requiring a username and password at boot time (whereas the software which helps you to track your Mac relies on the miscreant being able to access an account on the device, a guest account for instance).

Alec

Ah, thank you for the information, I was planning on running that tracking software actually. So it seems there's a choice here. Either run FileVault and have my data protected no matter what but not be able to use tracking software in case it gets stolen, or don't run FileVault and be able to use tracking software but my data is retrievable even if I do a standard erase with disk utility. Do I have that right? Which would you choose?

It seems funny to me (as well as annoying) that there is no guaranteed way of securely erasing an SSD like you could with a hard drive with a 7-pass erase or something equivalent.
 
I see but the original guy I'm quoting said he actually saw the options available and used them. So how is that possible? And even if it is, it seems that a secure erase option does nothing on SSD but no one is absolutely sure?

Secure Erase is possible - I did do it to the 11" Air I returned. Used the normal Disk Utility in the preinstalled recovery image, I just had to unlock the drive to do it (by entering the password).

And yes it does do something, it was busy for 15 minutes and on an SSD that means it was doing a lot of writing. Basically what it does is overwrite the whole filesystem with zeroes (or repeatedly with multiple values if you choose a really high setting, which I would not recommend on an SSD because of the extra wear).

Writing zeroes does delete data, but the way SSDs work is that they move blocks around on every write. They have a spare capacity (between 8 and 20% or so) for their wear levelling algorithm and to cope with failed blocks due to wear.

The problem with doing a single pass (zeroing the drive) is that you won't be deleting the spare capacity. However this isn't a big deal because there is no way to get the spare blocks (since they're marked as 'Spare' the SSD will never read from them until they are overwritten again with new data). The only way to get to them is by reading directly from the chips (and destroying the SSD), and because you have a random 8-20% of blocks from the drive it will be very hard to get any useful data from it. It will also require specialized equipment.

However zeroing the drive does make the 'visible' (to the computer) drive space completely blank. And yes, that does do something. If you don't do this, even without the password someone may be able to get data from it if for example they find the recovery key that is made when FileVault2 creates a new volume. If the volume was not encrypted then it will be fairly easy to recover some data.

Due to the wear & tear I wouldn't recommend zeroing an SSD much but in the event of handing it over to a third party (such as when selling or returning a laptop) it does, in my view, make much sense to zero the drive first.
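
The behaviour described in the post above (a single zero pass blanks everything the computer can read but never reaches the spare capacity) can be shown with a toy model. This is an added example, not part of any post in the thread; `ToySSD`, its page counts and the `secret-N` sample data are hypothetical, and real controllers are far more complex.

```python
# Added illustration: toy flash translation layer (FTL), not a real controller.
ZERO = b"\x00" * 8

class ToySSD:
    def __init__(self, logical_blocks, spare_pages):
        if spare_pages < 1:
            raise ValueError("model needs at least one spare page")
        self.logical_blocks = logical_blocks
        self.flash = [None] * (logical_blocks + spare_pages)  # physical pages
        self.mapping = {}  # logical block address -> physical page

    def _take_page(self):
        """Prefer an erased page; otherwise erase and reuse one stale page."""
        live = set(self.mapping.values())
        stale = None
        for page, content in enumerate(self.flash):
            if page in live:
                continue
            if content is None:
                return page
            if stale is None:
                stale = page
        self.flash[stale] = None  # block erase of a single stale page
        return stale

    def write(self, lba, data):
        # Flash is never overwritten in place: the old page just goes stale.
        page = self._take_page()
        self.flash[page] = data
        self.mapping[lba] = page

    def host_read(self, lba):
        """What the computer sees through the normal drive interface."""
        return self.flash[self.mapping[lba]]

    def chip_residue(self):
        """Stale pages that only a direct read of the flash chips would reveal."""
        live = set(self.mapping.values())
        return [c for p, c in enumerate(self.flash) if p not in live and c is not None]

def demo(logical_blocks=8, spare_pages=2):
    ssd = ToySSD(logical_blocks, spare_pages)
    for lba in range(logical_blocks):          # constructed sample data
        ssd.write(lba, f"secret-{lba}".encode())
    for lba in range(logical_blocks):          # single-pass zero erase
        ssd.write(lba, ZERO)
    host_view = [ssd.host_read(lba) for lba in range(logical_blocks)]
    return host_view, ssd.chip_residue()

if __name__ == "__main__":
    print(demo())
```

If the volume had been encrypted before the data was written, the residue pages would hold only ciphertext, which is why the thread pairs FileVault with the erase.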
 
This will be because "securely erasing" an encrypted storage medium (be it flash, SSD, hard drive, CD etc.) can be achieved by trashing the encryption keys. Once this is done the storage device is still full of your data but it is useless because it is just unintelligible noise to all intents and purposes. This isn't secure wiping, it just renders the data useless. In the case of a hard drive, after trashing the keys the hard drive will then go on to perform a secure erase as normal; on an SSD this will not happen AFAIK. The same technique is used for iPhone/iPod Touch/iPad for wiping the device (remotely or locally). It just trashes the encryption key once again.

Alec

How exactly do you "trash the keys" after you encrypt the drive?

Thanks,
-howard
 
Hey guys, I'll be selling my SSD in the MacBook Pro real soon and since the "Security Options" is grayed out for me in Disk Utility, I'm trying to figure out a different way of preventing anyone from accessing my *erased* data once I've sold the SSD.

Therefore, I'm thinking of encrypting my partition with FileVault. Could someone please instruct me on what exactly I am supposed to do?

1. Turn on FileVault
2. Boot into Safe Mode
3. Will I be able to erase my SSD securely? If not, do I simply select the "Erase" option and I'll be safe anyway, since all my data has been encrypted with FileVault?

Thanks!
 