11 September 2011

Okay, this is weird… I used this page just a week or so ago and now I’m getting “Page not found”. Google has a cached version here but I don’t know how long that will last. Partly because this information is useful and partly because I don’t want to lose it myself, here are the basic instructions for securely erasing a Mac.

First you need a Linux boot disk. The key feature is that it needs to get a graphical interface and fully support suspend and resume. We need this to unfreeze the SSD. For me Ubuntu 10.04 works great on my Macbook Pro - but 10.10 does not. A similar issue for Fedora 14 and 15; although the graphical interface comes up, it doesn’t resume after suspend so is pretty much useless for this.

So, stick in your Linux CD, reboot the Mac and hold down the ‘C’ key. It should boot from the CD with no problems. It does take quite a while and depending on the version of Linux you’re using you might just get a blank screen for a few minutes. That’s unfortunately normal too. Some ask whether you want to install or use the LiveCD; you want the LiveCD.

Once the machine has fully booted, open up a terminal and become root. Depending on your distribution, it will probably either be sudo -i or su -. Usually passwords aren’t set on LiveCDs but if one is, it will usually tell you in the terminal when you first open it.

Now, I’m not sure how you go about this with a big box Mac, but with a Macbook, simply close the lid and wait for the Apple logo to stop glowing. Once it goes out, open the lid and wait for Linux to come back. Again this can take quite some time so you will have to be patient.

The reason we do this is because when the Mac boots it sends the FREEZE command to the SSD. This prevents the SSD accepting any low-level commands and presumably is a safety feature. Unfortunately it also prevents you sending the ERASE command. However when the machine wakes up from sleep, the FREEZE command is not sent and so you can now erase the disk.

Before I go any further, I want to emphasize that these instructions are taken from the ATA wiki. I don’t claim credit for them, but I don’t want them to disappear in the sands of time either. The original URL is:

 https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Okay, so at the command prompt, run the following command. This assumes you have one disk so if you have more you will need to figure out which one you want to erase. You can do that with gparted. Anyway the command is:

hdparm -I /dev/sda

which will give you something like this:

Security:
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Note, it must say “not frozen”. The drive will not accept any commands until you’ve unfrozen the drive. If the sleep technique didn’t work for you, Google around because people have listed many different hints and tips for this particular challenge.

To enable the disk to accept privileged commands we need to set a password on it. Whatever you do, do NOT reboot after running this command! The disk will be password protected and will cause you a world of pain. The Mac wouldn’t boot Linux any more and it was impossible to partition the disk. In my case I had to remove the disk from the brand new laptop, hook it up in a desktop and fart about with various Linux distributions until one got me far enough where I could remove the password. Be very careful!

hdparm --user-master u --security-set-pass Eins /dev/sda

As a force of habit I always use ‘Eins’ as the password because that is what is used in the Wiki example. It makes sure that I can use any of their commands without confusion. You can of course set the password to anything you wish but it will be wiped after erasing the disk anyway so it really doesn’t matter what you use here. Once you’ve run this command your disk should be enabled (run the hdparm -I command again):

Security:
       Master password revision code = 65534
               supported
               enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       Security level high
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Now we can finally erase the disk! There are two potential commands for this. One does a secure erase and the other does an enhanced erase. From what I’ve found the enhanced erase also erases all the hidden areas on the disk, the space used for wear leveling, that sort of thing. If you’re not sure which to use you can run both, but you will need to enable security again (use the last command) before you can do it. Here are the erase commands:

time hdparm --user-master u --security-erase Eins /dev/sda

time hdparm --user-master u --security-erase-enhanced Eins /dev/sda

If you do decide to run both, remember that you can probably only erase a disk 10,000 times before it starts to fail on you. A full erase flips every bit on the disk so is pretty intensive. Then again even if you ran it every day you’re still talking three years. Just something to keep in mind. On my disk it takes just under 2.5 minutes to complete. Enhanced takes exactly the same time as standard.

Once the erase is complete, just run hdparm -I again to make sure that everything is back to normal i.e. the disk is no longer enabled. All being well it should look like this:

Security:
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

That’s it, your disk is erased! Now you can safely reboot your Mac with your Apple install media. When it boots up, you will need to go into Disk Utility and create a new partition. I won’t go into details on this because there’s loads of information on the web, but because the secure erase removes the partition data, the OSX installer won’t be able to find any targets to install on until you’ve created the new partition.
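
An added example (not from the original post or the ATA wiki): a small shell helper that reads the hdparm -I listing and reports which step of the walkthrough is safe to run next, so a password is never set while the drive is still frozen. The function names, step labels and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "Security:" block of hdparm -I text read from stdin.
security_state() {
  awk '
    function val(k) { return (k in st) ? st[k] : "unknown" }
    /^Security:/        { in_sec = 1; next }
    in_sec && /^[^ \t]/ { in_sec = 0 }   # next unindented header ends the block
    in_sec {
      neg  = ($1 == "not")
      word = neg ? $2 : $1
      if (word == "enabled" || word == "locked" || word == "frozen")
        st[word] = neg ? "no" : "yes"
      if (!neg && $0 ~ /supported: enhanced erase/) enh = 1
    }
    END {
      printf "enabled=%s locked=%s frozen=%s enhanced=%s\n",
             val("enabled"), val("locked"), val("frozen"), (enh ? "yes" : "no")
    }'
}

# Map the parsed state to the step the walkthrough permits next.
next_step() {
  state=$(security_state)
  case "$state" in
    *frozen=unknown*) echo "no-security-block"; return 2 ;;
    *frozen=yes*)     echo "suspend-and-resume"; return 1 ;;
    *locked=yes*)     echo "locked-stop"; return 1 ;;
    *enabled=no*)     echo "set-password" ;;
    *)                echo "erase" ;;
  esac
}

# Constructed sample text modelled on the listings above (not captured from a drive).
# $1 is "not" or "" for the enabled line, $2 likewise for the frozen line.
sample() {
  printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n'
  printf '\t%s\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1" "$2"
  printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
  printf 'Checksum: correct\n'
}

sample not not | next_step           # fresh after resume: set-password
sample ""  not | next_step           # password set: erase
sample not ""  | next_step || true   # frozen by firmware: suspend-and-resume
# On the live CD, as root: hdparm -I /dev/sda | next_step
```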

Good luck and I hope you find this useful!


