If you’re selling an old Mac, a spare hard drive, or you’re just quite paranoid about your deleted data, you’re either familiar with—or should be familiar with—the Erase Free Space button on the Erase tab in Disk Utility (found in your Applications -> Utilities folder).
When you click this button, you’re presented with three options for securely erasing the free space on your hard drive: write over the free space with zeros (fast and relatively safe), write over the free space seven times (more secure, very slow), or write over the free space 35 times (extremely slow!).
I use this feature whenever I sell an old machine. First I format the drive and install a fresh copy of OS X, then I use Disk Utility to erase the free space (typically the one-time write-with-zeros option). This gives me a good sense of security, as it would take a team of dedicated professionals, and possibly special hardware, to have some chance of recovering any of my deleted data—though I really only care about a few financial files, and those are kept on an encrypted disk image, so they’re probably safe anyway.
So that’s how you securely erase free space using a standard OS X application. But what if you need to do this from Terminal instead? For instance, say you’ve only got remote login (
ssh) access to another Mac, and you’d like to wipe its free space. Or you’re really paranoid, and would like to schedule a task (using
launchd) that regularly erases the free space on your drive.
It turns out OS X has an answer for that challenge, too.
(Please note that, as with many Terminal commands, there’s a chance of Really Bad Things happening if you make a mistake with the following instructions. Proceed with caution, and make sure your backups are current before you try any of the following.)
In Terminal, a program named
diskutil provides most of the features of OS X’s Disk Utility. To find out about it in detail, type
man diskutil at the Terminal prompt. Within the
man pages, you’ll find the explanation for how to securely erase a disk’s free space using
secureErase [freespace] level device
Securely erase a disk or freespace on a mounted volume. Ownership of the affected
disk is required. Level should be one of the following:
o 1 - Single pass randomly erase the disk.
o 2 - US DoD 7 pass secure erase.
o 3 - Gutmann algorithm 35 pass secure erase.
But how do you figure out what to list for
device, which is the disk (or partition) that has the free space you’re trying to securely erase?
diskutil can provide that information, too. Just use
diskutil list to see a list of all drives and partitions. On the far right, you’ll see an
IDENTIFIER column; that column contains the identifier that
diskutil needs. Here’s an example of the
list output on my machine:
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *931.5 Gi disk3
1: EFI 200.0 Mi disk3s1
2: Apple_HFS osxtest 125.0 Gi disk3s2
3: Apple_HFS apps 203.5 Gi disk3s3
4: Apple_HFS mwfiles 200.0 Gi disk3s4
5: Apple_HFS vmstore 402.2 Gi disk3s5
There’s just one last bit of information you need to know to erase the free space on a drive from the command line. In Unix, all devices appear as part of the file system tree, and in OS X, they’re all listed in the
/dev directory. So if I wanted to use
diskutil to erase the free space on my
mwfiles volume, using the single-pass method, the final command would look like this:
diskutil secureErase freespace 1 /dev/disk3s4
Warning! It’s critically important that you include the
freespace portion of that command. If you don’t,
diskutil will happily start securely erasing the entire disk, instead of just the free space! Yes, that’s a Really Bad Thing, especially because it will be securely erased, meaning there’s no chance you’ll be able to recover the data. “With great power comes great responsibility.”
Once you understand how this command works, you can then use a program like Lingon to set up a repeating task to regularly erase your drive’s free space.