Questions regarding secure erasing MBP2018 and questions about restoring Time Machine

Discussion in 'MacBook Pro' started by white7561, Apr 13, 2019.

  1. white7561, Apr 13, 2019
    Last edited: Apr 13, 2019

    white7561 macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #1
    Hello guys ... Anyways I have a new MBP 2018 coming in a few weeks and I have a few questions...

    So first regarding the time machine...
    So I have a Time Machine backup (same version: Mojave) from a 2014 MacBook Air. So can I just fully restore my system through the option in recovery mode? The one to restore my Time Machine? Or do I need to use the setup assistant because it's a different machine?

    Second, regarding secure erase... So I've been meaning to buy PartedMagic since it's a good tool to secure erase etc. So I know about the T2 chip problem. So latest PartedMagic users, is it possible to secure erase MBP 18 with T2 chip with the latest PartedMagic? I'm asking this because, as far as I can read on the internet, it's said that Linux can't access the internal SSD even after disabling the T2 chip... But the PartedMagic changelog says otherwise...
    https://i.vgy.me/P3iXCR.jpeg

    Last but not least, if I disable the T2 chip, could I still use Touch ID to log in etc? (As in computer login etc)

    Thanks so much !!
     
  2. leman macrumors G3

    Joined:
    Oct 14, 2008
    #2
    1. Use migration assistant to copy the data from time machine
    2. You don’t need to secure erase anything, just enable FileVault and then reformat. It’s completely unrecoverable. No need to waste money on tools that don’t do anything useful.
    3. You cannot disable T2, I’m not sure what you mean here
     
  3. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #3
    1. Oh it'll still restore all my apps and settings like before completely?
    2. Yeah but say I want to. Usually you can use Linux to secure erase or use PartedMagic (seeing people using it on YouTube and on forums). Can we do it? Since Linux can't detect the internal storage or access it AFAIK..
    3. You can. Somewhat... In recovery mode we can disable it, so we can boot to another OS, and we can enable another option too so we can boot using, say, an external hard drive or USB
     
  4. leman macrumors G3

    Joined:
    Oct 14, 2008
    #4
    1. It should, ideally
    2. I do not know how PartedMagic does it, but what these tools usually do is overwrite all data blocks either with zeros or with random data. There is really no point in doing it with Apple's implementation. Of course, if you want to, you are free to do so. And of course Linux can access the internal storage, it appears as a system disk, not sure what you mean. If you mean like bypassing the controller and accessing the storage chips directly, that’s just not possible in any case.
    3. The T2 chip is the SSD controller and the power management unit. If you disable it, the computer simply won’t start. I think you mean disabling some of the non-essential security features such as boot medium verification. And yes, Touch ID will work if you disable stuff like secure boot etc.
     
  5. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #5

    Parted Magic sends out a secure erase command to the SSD controller. So not the old way, which was replacing all blocks with 0.... Also, I've read that Linux can't read the internal SSD because of the T2 chip. Also yeah I hope Touch ID still works on login etc. Because I've read that disabling the security on the T2 disables Touch ID for Apple Pay (which I don't use)
     
  6. Thysanoptera macrumors 6502

    Joined:
    Jun 12, 2018
    Location:
    Pittsburgh, PA
    #6
    The drive is already encrypted on T2 Macs, no need to enable FileVault (it is only a requirement to type a password before decryption) or use SSD secure erase (don't even know if that command is supported in Apple's implementation at all). You need to remove the encryption keys from the Secure Enclave; boot into recovery and type:

    xartutil --erase-all

    This will flush everything from T2, including your fingerprint and disk keys. Your data will be gone forever.
     
  7. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #7
    Yeah I guess I could do that too on the new MacBooks. Anyways, so no way whatsoever to, say, install Linux on the internal SSD? Since the T2 chip is preventing it from seeing the internal etc?
     
  8. leman macrumors G3

    Joined:
    Oct 14, 2008
    #8
    That’s a very cheap way to “secure erase” a disk and it depends on whether the controller can implement it securely. As Thysanoptera points out (thanks for the command btw!), a functionally equivalent way on the MBP is to purge the encryption keys.

    And yes, Linux can see the internal SSD and you can also install it on the MBP, you just need to disable the secure boot feature.
     
  9. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #9
    Oh it can?? Nice then!! Because all the information I saw on the internet says we can boot Linux etc from an external drive but can't install it onto our SSD, because it can't see the SSD because of the T2 chip. Anyways... you said to disable secure boot. As in the T2 options in recovery mode, or another different thing? Thanks!!

    Also why can't we just restore our Time Machine from recovery mode to the new computer? Since it should be compatible (?) Please correct me if I'm wrong. Since the way I see it, we can, say, install macOS onto an external hard disk and we can boot it just fine on our computer or another MacBook etc..

    Thanks!
     
  10. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #10
    I see. Yeah, Parted Magic does support both Normal and Enhanced secure erase. Enhanced does the purging of the encryption keys and the "normal" basically zeroes/ones out the disk by sending a command to purge all blocks. Although if the Mac now has it then it's prob better to use the built-in one.
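
The key-purge erase discussed in posts #6, #8 and #10, as an added sketch that is not from any poster and not Apple's or PartedMagic's code: the media only ever holds ciphertext, so destroying the key makes it unreadable without touching a single block. `ToyKeyStore` and the SHA-256 keystream are hypothetical stand-ins for the hardware key storage and cipher.

```python
import hashlib
import secrets

class ToyKeyStore:
    """Hypothetical stand-in for hardware key storage (not Apple's API)."""
    def __init__(self):
        self._volume_key = secrets.token_bytes(32)

    def key(self):
        if self._volume_key is None:
            raise PermissionError("volume key has been erased")
        return self._volume_key

    def erase_all(self):
        # Crypto-erase: only the 32-byte key is destroyed, not the media.
        self._volume_key = None

def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream, standing in for the hardware cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def write_block(store, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + _xor(plaintext, store.key(), nonce)

def read_block(store, stored):
    return _xor(stored[16:], store.key(), stored[:16])

SAMPLE = b"constructed sample data: contents of a private document"

def demo():
    store = ToyKeyStore()
    disk = [write_block(store, SAMPLE)]   # media holds ciphertext only
    before = read_block(store, disk[0])   # readable while the key exists
    snapshot = list(disk)
    store.erase_all()
    try:
        read_block(store, disk[0])
        readable = True
    except PermissionError:
        readable = False
    # Untouched media decrypted under any other key yields noise.
    guess = _xor(disk[0][16:], secrets.token_bytes(32), disk[0][:16])
    return before, disk == snapshot, readable, guess == SAMPLE
```

`demo()` returns the plaintext read before the erase, whether the stored blocks are byte-for-byte unchanged afterwards, whether they are still readable, and whether a different key recovers the data.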
     
  11. Fishrrman macrumors P6

    Fishrrman

    Joined:
    Feb 20, 2009
    #11
    leman wrote:
    " The T2 chip is the SSD controller and the power management unit. If you disable it, the computer simply won’t start."

    Huh...?

    I have a 2018 Mini (not a MacBook Pro).
    I "disabled" the t2 chip within 5 minutes of first booting it, insofar as it CAN BE "disabled", using the "Startup Security" panel.
    It's run absolutely fine ever since.
    Boots from external drives.
    In fact, I even erased the INTERNAL drive and reformatted it to HFS+ (not APFS).

    I don't see why this wouldn't work just as well with a MacBook Pro-variety of t2...
     
  12. white7561 thread starter macrumors member

    white7561

    Joined:
    Jun 28, 2016
    Location:
    World
    #12
    Ooh, since you have tried to format the whole disk, I'd like to ask you a question. So, say I have it all disabled. So I can boot from external drives and I can boot other OSes. Then I go to recovery mode, then I remove all the partitions and make a new empty one. If I reboot now holding alt to go to my external drive which has the OS X installer, would it work?

    I guess the simple question is: is the chip the one holding the information on, say, whether the computer is able to boot from other drives or not etc? Because if it doesn't work and it needs the original partitions to read the current security configuration, that means if I were in that situation I may need to use internet recovery and then redownload the OS X installer, rather than just use the bootable installer...
    Thanks !
     
  13. leman macrumors G3

    Joined:
    Oct 14, 2008
    #13
    You didn’t disable the chip, you just turned off the secure boot feature of the chip.
     
  14. Fishrrman macrumors P6

    Fishrrman

    Joined:
    Feb 20, 2009
    #14
    "You didn’t disable the chip, you just turned off the secure boot feature of the chip."

    Yes, of course.

    I've "disabled" it as far as it can be "disabled" using the Startup Security utility.
    It may -- or may not -- be possible to limit it further. We don't know that, Apple may have "internal utilities" that can work with it that we don't yet know about.

    But once you limit the t2's scope via Startup Security, numerous boot/format options become possible.
     
  15. leman macrumors G3

    Joined:
    Oct 14, 2008
    #15
    Sorry if I was being annoying :) I just wanted to be very clear about the difference between disabling a chip and disabling one of the chip's features, since OP seems to be confused about the nature of the T2 chip. It’s not just some optional security device, it’s an integral component of the system that controls most of the Mac's low-level hardware, and disabling it is akin to disabling the CPU or RAM.
     
  16. TriBruin macrumors member

    Joined:
    Jul 28, 2008
    #16
    No, you have disabled secure boot, that is not the same thing at all. The T2 chip is still very much active and performing a number of functions, most importantly as the SSD controller. I am not a Linux user, but I am guessing that one of the biggest issues is that, even with Secure Boot turned off, you still need a driver for the T2 SSD controller for Linux. Without the proper driver, the Linux kernel will not be able to read the drive. (Since the T2 chip has been out for over a year now, it is possible that Linux drivers exist for it, but I have never looked for it.)
     
  17. leman macrumors G3

    Joined:
    Oct 14, 2008
    #17
    Ah, so the standard interface is not supported at all? I suppose that running Linux natively is not really a high priority or even a supported use case for Apple. To be honest, I have difficulty understanding why anyone would want to do it in the first place... for Linux dev, virtual machines are more than sufficient.
     
