
diskutil command line secureErase options

When I need to decommission a hard drive, it's necessary for me to securely wipe the data prior to disposal. Stanford's data wiping policy is publicly accessible from the internet (though woefully out of date with the product recommendations; Mac OS 8 anyone?). It's usually not enough just to delete the files using the Finder or the rm command, since deletion only unlinks the files and marks their blocks as free for later reuse; the data itself stays on the disk until something happens to write over it. Inexpensive file recovery software can usually return data when you simply delete files this way, to say nothing of real forensics software.
You may know that your Mac's Disk Utility program has the "Secure Erase" option, where you can choose from three degrees of security. You can zero out the data, which means the computer makes a single pass over the drive writing zeros. This is a minimal, but sometimes acceptable, data sanitization effort. You can also choose the seven-pass Department of Defense wipe, which takes longer, but makes data recovery nearly impossible. Then there's the 35-pass wipe, for the hyper-vigilant and possibly neurotic.

Here is Apple's KB article on securely erasing a disk: http://support.apple.com/kb/TA24002

What you may not know is that the diskutil command line tool has two additional options. In addition to the single-pass zero-out, you can choose a single-pass overwrite with random data. I would expect that process to take as long as a zero-out with Disk Utility. I'm not exactly sure what the benefit here is, except that it removes the known delta between the state prior to the wipe and the zeros. That is, if a forensic examiner looks at a drive that is all zeros and has tools sophisticated enough to detect traces of prior states, they can trust that whatever trace they find is the real prior data, because they know the new state of every bit is zero. A random pass takes away that known reference point.

The other option with diskutil is what Apple labels a "DoE [Department of Energy] three-pass secure erase". I don't know much about this option.

Here is the man page for diskutil and the secureErase option; you can also just type diskutil secureErase at the prompt for the associated help.
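As an added example (not from the post, and not Apple's code), here is a small sh wrapper around diskutil secureErase that ties the five options discussed above to the numeric levels the man page uses (0 zeros, 1 random, 2 DoD 7-pass, 3 35-pass, 4 DoE 3-pass), refuses to run against the disk backing /, only prints the command unless you append run, and after a zero-out reads back a few regions of the raw device to spot-check that they really are all zeros. The level names (zero, random, dod7, gutmann35, doe3) and the run keyword are this script's own convention, and it assumes diskutil info prints the exact byte count in parentheses on its "Disk Size:" line.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper for
# `diskutil secureErase` with a dry-run default and a post-wipe spot check.
# Level numbers follow diskutil's man page; the names on the left and the
# "run" keyword are this script's own convention.

level_for_name() {
    case "$1" in
        zero)      echo 0 ;;   # single pass of zeros (Disk Utility's "zero out")
        random)    echo 1 ;;   # single pass of random data
        dod7)      echo 2 ;;   # US DoD 7-pass
        gutmann35) echo 3 ;;   # 35-pass
        doe3)      echo 4 ;;   # US DoE 3-pass
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# True if the identifier (disk2 or /dev/disk2) is a prefix of the device
# backing "/". Deliberately conservative: disk1 also matches disk10.
is_boot_disk() {
    id=${1#/dev/}
    root_dev=$(df -P / | awk 'NR == 2 { print $1 }')
    case "$root_dev" in
        /dev/"$id"*) return 0 ;;
    esac
    return 1
}

# Exact byte size from `diskutil info`; assumes (our assumption) that its
# "Disk Size:" line carries the count in parentheses, e.g. "(500277790720 Bytes)".
device_size_bytes() {
    diskutil info "$1" |
        awk -F'[()]' '/Disk Size:/ { split($2, f, " "); print f[1]; exit }'
}

# Read COUNT 4 KiB blocks starting at block SKIP and report whether every
# byte is zero. Works on a raw device or, for testing, an ordinary file.
region_is_zero() {
    nonzero=$(dd if="$1" bs=4096 skip="$2" count="$3" 2>/dev/null |
              tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Spot-check a zero wipe: sample 8 regions of 256 blocks spread evenly across
# TOTAL_BLOCKS. Reading a whole drive back would take as long as the wipe.
verify_zero_wipe() {
    dev=$1; total=$2; regions=8; span=256
    i=0
    while [ "$i" -lt "$regions" ]; do
        skip=$(( i * total / regions ))
        region_is_zero "$dev" "$skip" "$span" || {
            echo "non-zero data found near block $skip of $dev" >&2
            return 1
        }
        i=$(( i + 1 ))
    done
    return 0
}

# Usage: secure_wipe.sh <zero|random|dod7|gutmann35|doe3> diskN [run]
main() {
    [ "$#" -ge 2 ] || { echo "usage: $0 <level-name> diskN [run]" >&2; return 2; }
    level=$(level_for_name "$1") || return 2
    dev=${2#/dev/}
    if is_boot_disk "$dev"; then
        echo "refusing: $dev appears to back the running system" >&2
        return 3
    fi
    echo "command: diskutil secureErase $level $dev"
    [ "${3:-}" = run ] || { echo "(dry run; append 'run' to execute)"; return 0; }
    diskutil secureErase "$level" "$dev" || return 1
    # Only a zero pass leaves a pattern we can check for; random data cannot
    # be told apart from leftover user data by inspection.
    if [ "$level" -eq 0 ]; then
        bytes=$(device_size_bytes "$dev")
        [ -n "$bytes" ] || { echo "could not read device size; skipping check" >&2; return 0; }
        verify_zero_wipe "/dev/r$dev" $(( bytes / 4096 )) &&
            echo "spot check passed: sampled regions of /dev/r$dev are all zeros"
    fi
}

# Only run when given arguments, so the functions can be sourced separately.
[ "$#" -eq 0 ] || main "$@"
```

The read-back is a spot check, not proof: it samples eight regions rather than the whole drive, and it only applies to the zero-out level, since a random pass leaves nothing that can be distinguished from residual user data by reading it back.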




This page contains a single entry from the blog posted on November 16, 2010 1:03 PM.


This weblog is licensed under a Creative Commons License.