Securely erase free space from Terminal

Rob Griffiths
30 March, 2009
View more articles fromthe author

If you’re selling an old Mac, a spare hard drive, or you’re just quite paranoid about your deleted data, you’re either familiar with—or should be familiar with—the Erase Free Space button on the Erase tab in Disk Utility (found in your Applications -> Utilities folder).

When you click this button, you’re presented with three options for securely erasing the free space on your hard drive: write over the free space with zeros (fast and relatively safe), write over the free space seven times (more secure, very slow), or write over the free space 35 times (extremely slow!).

I use this feature whenever I sell an old machine. First I format the drive and install a fresh copy of OS X, then I use Disk Utility to erase the free space (typically the one-time write-with-zeros option). This gives me a good sense of security, as it would take a team of dedicated professionals, and possibly special hardware, to have some chance of recovering any of my deleted data—though I really only care about a few financial files, and those are kept on an encrypted disk image, so they’re probably safe anyway.

So that’s how you securely erase free space using a standard OS X application. But what if you need to do this from Terminal instead? For instance, say you’ve only got remote login (ssh) access to another Mac, and you’d like to wipe its free space. Or you’re really paranoid, and would like to schedule a task (using cron or launchd) that regularly erases the free space on your drive.

It turns out OS X has an answer for that challenge, too.

(Please note that, as with many Terminal commands, there’s a chance of Really Bad Things happening if you make a mistake with the following instructions. Proceed with caution, and make sure your backups are current before you try any of the following.)

In Terminal, a program named diskutil provides most of the features of OS X’s Disk Utility. To find out about it in detail, type man diskutil at the Terminal prompt. Within the man pages, you’ll find the explanation for how to securely erase a disk’s free space using diskutil:

secureErase [freespace] level device               Securely erase a disk or freespace on a mounted volume.  Ownership of the affected               disk is required.  Level should be one of the following:

                     o   1 - Single pass randomly erase the disk.                     o   2 - US DoD 7 pass secure erase.                     o   3 - Gutmann algorithm 35 pass secure erase.

But how do you figure out what to list for device, which is the disk (or partition) that has the free space you’re trying to securely erase? diskutil can provide that information, too. Just use diskutil list to see a list of all drives and partitions. On the far right, you’ll see an IDENTIFIER column; that column contains the identifier that diskutil needs. Here’s an example of the list output on my machine:

/dev/disk3   #:                       TYPE NAME                    SIZE       IDENTIFIER   0:      GUID_partition_scheme                        *931.5 Gi   disk3   1:                        EFI                         200.0 Mi   disk3s1   2:                  Apple_HFS osxtest                 125.0 Gi   disk3s2   3:                  Apple_HFS apps                    203.5 Gi   disk3s3   4:                  Apple_HFS mwfiles                 200.0 Gi   disk3s4   5:                  Apple_HFS vmstore                 402.2 Gi   disk3s5

There’s just one last bit of information you need to know to erase the free space on a drive from the command line. In Unix, all devices appear as part of the file system tree, and in OS X, they’re all listed in the /dev directory. So if I wanted to use diskutil to erase the free space on my mwfiles volume, using the single-pass method, the final command would look like this:

diskutil secureErase freespace 1 /dev/disk3s4

Warning! It’s critically important that you include the freespace portion of that command. If you don’t, diskutil will happily start securely erasing the entire disk, instead of just the free space! Yes, that’s a Really Bad Thing, especially because it will be securely erased, meaning there’s no chance you’ll be able to recover the data. “With great power comes great responsibility.”

Once you understand how this command works, you can then use a program like Lingon to set up a repeating task to regularly erase your drive’s free space.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us