If you’re selling an old Mac with a hard drive, a spare hard drive, or you’re just quite paranoid about your deleted data, you’re either familiar with—or should be familiar with—the Erase Free Space button on the Erase tab in Disk Utility (found in your Applications -> Utilities folder).
Editor’s note: This Terminal tip originally ran in March 2009 and is only useful for mechanical hard drives and not the SSDs found in newer Macs.
When you click this button, you’re presented with three options for securely erasing the free space on your hard drive: write over the free space with zeros (fast and relatively safe), write over the free space three times (more secure, very slow), or write over the free space seven times (extremely slow).
This feature can be used whenever you sell an old machine with a hard drive: format the drive and install a fresh copy of macOS, then use Disk Utility to erase the free space (typically the one-time write-with-zeros option). This gives me a good sense of security, as it would take a team of dedicated professionals, and possibly special hardware, to have any chance of recovering my deleted data.
Use Terminal to securely erase a drive
What if you want to do this from Terminal instead? In Terminal, a program named diskutil provides most of the features of macOS’s Disk Utility.
(Please note that, as with many Terminal commands, there’s a chance of Really Bad Things happening if you make a mistake with the following instructions. Proceed with caution, and make sure your backups are current before you try any of the following.)
To find out about diskutil in detail, type man diskutil at the Terminal prompt. Within the man pages, you’ll find the explanation for how to securely erase a disk’s free space using diskutil:
secureErase [freespace] level device
Erase, using a "secure" (but see the NOTE below) method, either a whole-disk (including all of its partitions if partitioned), or, only the free space (not in use for files) on a currently-mounted volume. Secure erasing makes it harder to recover data using "file recovery" software.
Erasing a whole-disk will leave it useless until it is partitioned again. Erasing freespace on a volume will leave your files intact, indeed, from an end-user perspective, it will appear unchanged, with the exception that it will have attempted to make it impossible to recover deleted files.
If you need to erase all contents of a partition but not its hosting whole-disk, use the zeroDisk or randomDisk verbs. Ownership of the affected disk is required.
Level should be one of the following:
o 0 - Single-pass zero fill erase.
o 1 - Single-pass random fill erase.
o 2 - Seven-pass erase, consisting of zero fills and all-ones fills plus a final random fill.
o 3 - Gutmann algorithm 35-pass erase.
o 4 - Three-pass erase, consisting of two random fills plus a final zero fill.
NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly "erased" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).
But how do you figure out what to list for device, which is the disk (or partition) that has the free space you’re trying to securely erase? diskutil can provide that information, too. Just use diskutil list to see a list of all drives and partitions. On the far right, you’ll see an IDENTIFIER column; that column contains the identifier that diskutil needs. Here’s an example of the list output on my machine:
There’s just one last bit of information you need to know to erase the free space on a hard drive from the command line. In Unix, all devices appear as part of the file system tree, and in macOS, they’re all listed in the /dev directory. So if I want to use diskutil to erase the free space on my Apple_HFS Untitled volume on my external drive, using the single-pass method, the final command would look like this:
diskutil secureErase freespace 1 /dev/disk2s1
Warning! It’s critically important that you include the freespace portion of that command. If you don’t, diskutil will happily start securely erasing the entire disk, instead of just the free space! Yes, that’s a Really Bad Thing, especially because it will be securely erased, meaning there’s no chance you’ll be able to recover the data.
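The two steps above (read the IDENTIFIER column from diskutil list, then hand that identifier to diskutil secureErase with the freespace keyword) can be scripted so the freespace keyword can never be left out by accident. The following is an added example, not part of the original article and not Apple's code: it parses a sample listing, looks up the identifier for a named volume, and prints the command instead of running it. The diskutil list text embedded in the script is constructed to match the layout of real output (the Apple_HFS volume Untitled on disk2s1 follows the article; the other entries are made up), and the function names volume_identifier and secure_erase_freespace_cmd are my own. The script never invokes diskutil, so it runs safely on any machine with sh and awk.

```shell
#!/bin/sh
# Added example (not from the original article): find a volume's identifier
# in `diskutil list` output and build a free-space-only secureErase command.
# Nothing here runs diskutil; the resulting command is only printed for review.

# CONSTRUCTED sample `diskutil list` output, shaped like the real thing.
# The Apple_HFS volume "Untitled" on disk2s1 matches the article; the rest is made up.
SAMPLE_LIST='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *320.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            319.7 GB   disk0s2
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *500.1 GB   disk2
   1:                  Apple_HFS Untitled                500.1 GB   disk2s1'

# volume_identifier NAME: print the IDENTIFIER of the volume called NAME.
# Reads listing text from stdin. NAME may contain spaces ("Macintosh HD").
# Each row is "N:  TYPE  NAME...  SIZE UNIT  IDENTIFIER", so the name is
# everything between field 2 and the last three fields. Exit 1 if not found.
volume_identifier() {
    awk -v target="$1" '
        $1 ~ /^[0-9]+:$/ {
            name = ""
            for (i = 3; i <= NF - 3; i++) name = name (i > 3 ? " " : "") $i
            if (name == target) { print $NF; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# secure_erase_freespace_cmd LEVEL IDENTIFIER: print the diskutil command
# with the freespace keyword always present. LEVEL must be one of the five
# man-page levels (0-4). A whole-disk identifier such as disk2 is rejected,
# because free-space erase applies to a mounted volume (diskNsM), and a bare
# disk identifier is exactly what turns a slip into a full-disk wipe.
secure_erase_freespace_cmd() {
    level=$1
    ident=$2
    case $level in
        [0-4]) ;;
        *) echo "level must be 0-4, got: $level" >&2; return 1 ;;
    esac
    case $ident in
        disk[0-9]*s[0-9]*) ;;
        *) echo "refusing: $ident is not a volume/partition identifier" >&2; return 1 ;;
    esac
    printf 'diskutil secureErase freespace %s /dev/%s\n' "$level" "$ident"
}

# Usage: resolve the article's volume and show the command it would run.
if ident=$(printf '%s\n' "$SAMPLE_LIST" | volume_identifier Untitled); then
    secure_erase_freespace_cmd 1 "$ident"
fi
```

On a real Mac you would replace the embedded sample with `diskutil list | volume_identifier Untitled`; the printed command is the one from the article, and the guard makes the whole-disk mistake the warning describes impossible to reach through this path.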