
How to Securely Erase Free Space on macOS When Disk Utility Falls Short


If you've recently tried to securely erase a drive using Disk Utility on your Mac, you might have noticed something missing: the "Security Options" button that used to let you choose how thoroughly to overwrite your data. This isn't a glitch. It's an intentional change by Apple that has left many security-conscious Mac users wondering how to properly sanitize their drives.

In this guide, we'll explore why Apple removed these options, what risks remain, and most importantly, how you can still securely erase free space on your drives using Terminal commands that Apple doesn't advertise in the GUI.

The Disappearing Security Options: What Happened?

Starting with macOS Catalina and continuing through Sonoma, Apple quietly removed the secure erase options from Disk Utility's graphical interface for SSDs. When erasing a drive, the familiar "Security Options" button that allowed you to choose between a simple erase and various levels of secure overwriting is now missing for many users.

One of our users, Adam, recently asked about this:

When I tried using Disk Utility, no security option button is displayed. The erase is so quick I am presuming it is the fastest, so least secure option. Is this a quirk in Sonoma I wonder?

This isn't a quirk or bug. It's by design. Apple removed these options because of how modern SSDs handle data differently from traditional hard drives.

Why Apple Removed Secure Erase Options for SSDs

Solid-state drives (SSDs) store and manage data differently from traditional magnetic hard drives (HDDs), and they support a command called TRIM. When you delete a file on an SSD:

  1. The TRIM command marks the blocks containing the deleted data as available for use
  2. Due to wear-leveling algorithms and over-provisioning, the actual data becomes difficult to access through normal means
  3. The SSD controller may internally relocate and reorganize data blocks

Apple's reasoning is that a standard erase with TRIM enabled is sufficient for most security needs on SSDs, and additional secure erase passes could potentially reduce the lifespan of the drive without providing significant security benefits.

However, this explanation doesn't fully address the concerns of users with stringent security requirements or those dealing with highly sensitive data.

The Security Gap: Why Standard Erase Isn't Always Enough

Despite Apple's confidence in TRIM, security researchers have demonstrated that data can sometimes be recovered from SSDs after a standard erase. This is particularly concerning in several scenarios:

  • When selling or donating a Mac or external drive
  • When handling sensitive client information (especially for legal, healthcare, or financial professionals)
  • When you're required to comply with data protection regulations like GDPR, HIPAA, or CCPA
  • When dealing with personal information you absolutely don't want recovered

For these situations, you need a more thorough approach than what modern Disk Utility provides.

Terminal to the Rescue: Securely Erasing Free Space

Fortunately, macOS still includes powerful command-line tools that can securely overwrite free space on your drives. You just need to know how to use them. Here's a step-by-step guide to securely erasing free space using Terminal:

Step 1: Identify Your Drive

First, you need to identify the drive or volume you want to work with:

  1. Open Terminal (Applications > Utilities > Terminal, or press CMD + Space and type "Terminal")
  2. Type the following command and press Enter:
diskutil list

This will display a list of all connected drives and volumes. Look for your external disk in the list and note its volume name (like "ExternalDrive") or identifier (like /dev/disk2s1).

  3. To confirm you've identified the correct volume, you can get more information by typing:
diskutil info /Volumes/VOLUMENAME

Replace VOLUMENAME with your actual volume name.

Step 2: Securely Erase Free Space

Now you can use the diskutil secureErase freespace command to overwrite all free space on the volume with your chosen security level:

diskutil secureErase freespace LEVEL /Volumes/VOLUMENAME

Replace VOLUMENAME with your actual volume name, and LEVEL with one of these security options:

  • 0: Single-pass zeros (fastest, least secure)
  • 1: Single-pass random data (more secure than zeros)
  • 2: US DoD 7-pass secure erase (DoD 5220.22-M standard)
  • 3: Gutmann algorithm 35-pass secure erase (most secure, very slow)

For example, if your disk is named "ExternalDrive" and you want DoD-standard security:

diskutil secureErase freespace 2 /Volumes/ExternalDrive

⚠️ Important: Be extremely careful when using disk commands in Terminal. Using incorrect disk identifiers can result in erasing the wrong drive. Always double-check before pressing Enter.

Note: If you want to completely erase an entire disk (not just the free space), that's a different process requiring additional steps including unmounting the disk. The process described here only erases free space, leaving your existing files intact.
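
The script below is an added example, not part of the original post and not an Apple tool: a pre-flight gate that reads diskutil info output, refuses a LEVEL outside the 0 to 3 listed above or a target not mounted under /Volumes, and stops when the volume is not reported as a non-SSD. The file name preflight.sh, the function names and the sample output are constructed for illustration, and the field labels are assumed to match what diskutil info prints on your macOS version.

```sh
#!/bin/sh
# Added example: pre-flight gate for `diskutil secureErase freespace`.

# field NAME: value of the "NAME: value" line in `diskutil info` text on stdin.
field() {
  awk -v k="$1" '{ line = $0; sub(/^[ \t]+/, "", line)
    if (index(line, k ":") == 1) { v = substr(line, length(k) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }'
}

# preflight LEVEL: reads `diskutil info` text on stdin.
# Returns 0 = proceed, 1 = refuse, 2 = not a confirmed HDD (overwrite unreliable).
preflight() {
  info=$(cat)
  mount=$(printf '%s\n' "$info" | field "Mount Point")
  ssd=$(printf '%s\n' "$info" | field "Solid State")
  case "$1" in
    0|1|2|3) ;;
    *) echo "refuse: LEVEL must be 0, 1, 2 or 3" >&2; return 1 ;;
  esac
  case "$mount" in
    /Volumes/?*) ;;
    *) echo "refuse: '$mount' is not a volume under /Volumes" >&2; return 1 ;;
  esac
  if [ "$ssd" != "No" ]; then
    echo "stop: Solid State is '${ssd:-unknown}'; wear-leveling may keep old blocks, prefer encryption" >&2
    return 2
  fi
  echo "ok: level $1 on $mount"
}

# Constructed, trimmed samples of `diskutil info` output (not captured from a real disk).
sample_hdd() { cat <<'EOF'
   Device Node:               /dev/disk2s1
   Volume Name:               ExternalDrive
   Mount Point:               /Volumes/ExternalDrive
   Solid State:               No
EOF
}
sample_ssd() { sample_hdd | sed 's/\(Solid State: *\)No/\1Yes/'; }

if [ "$#" -eq 2 ]; then    # real use on a Mac: sh preflight.sh VOLUMENAME LEVEL
  diskutil info "/Volumes/$1" | preflight "$2" &&
    diskutil secureErase freespace "$2" "/Volumes/$1"
else                       # no arguments: run against the constructed samples
  sample_hdd | preflight 2 || true
  sample_ssd | preflight 2 || true
fi
```

Run with no arguments it only evaluates the two constructed samples; the erase command is reached only when a volume name and level are given and the check returns 0.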

What This Command Does

This command only overwrites the free space on the volume, leaving your existing files intact. It works by:

  1. Creating a temporary file that grows to fill all available free space
  2. Overwriting this file according to your chosen security level
  3. Deleting the temporary file when complete

The process can take a significant amount of time depending on:

  • The size of the drive
  • The amount of free space
  • The security level chosen
  • The drive's speed

For large drives with lots of free space, expect this process to take hours, especially at higher security levels.

Real-World Usage Scenarios

Scenario 1: Preparing an External Drive for Sensitive Use

Let's say you've purchased a new external SSD for storing client documents. Before using it:

  1. Use Disk Utility to perform a standard erase and format
  2. Use Terminal to perform a secure erase of free space
  3. Now the drive is ready for sensitive data with minimal risk of previous data recovery

Scenario 2: Sanitizing a Drive Before Selling

If you're selling your external drive:

  1. Back up any data you want to keep
  2. Use Disk Utility to erase the drive
  3. Use Terminal to securely erase the free space (which is now the entire drive)
  4. The drive is now much safer to transfer to a new owner

Scenario 3: Regular Maintenance for Sensitive Work

If you work with sensitive information regularly:

  1. Delete files normally as needed
  2. Periodically (perhaps monthly) run the secure free space erase command
  3. This ensures deleted sensitive files are properly overwritten

SSD vs. HDD: Important Differences

It's worth noting that the effectiveness of secure erase techniques differs between drive types:

For HDDs (Traditional Hard Drives):

  • Secure erase methods are highly effective
  • Data is physically overwritten in its original location
  • Multiple passes provide increasing security

For SSDs:

  • Wear-leveling algorithms may preserve data in unmapped blocks
  • TRIM helps but doesn't guarantee complete data removal
  • Encryption before use provides better protection than after-the-fact secure erasure

For SSDs, the most effective security approach is to enable encryption before storing any sensitive data:

  • For your Mac's internal drive, enable FileVault (System Settings > Privacy & Security)
  • For external drives, encrypt them when formatting in Disk Utility by selecting the "Encrypted" format option

Beyond Free Space: Securing Individual Files

While securely erasing free space helps with overall drive security, it doesn't address the need to securely delete individual files during normal use. For day-to-day secure deletion needs, you need a solution that can:

  • Securely delete specific files and folders
  • Implement proper DoD-standard secure deletion
  • Work with both SSDs and HDDs intelligently
  • Provide verification that files are truly unrecoverable

This is where purpose-built secure deletion tools become valuable.

The Complete Security Approach

For comprehensive data security on macOS, we recommend a layered approach:

  1. Enable FileVault encryption on your startup disk and any external drives with sensitive data
  2. Use secure deletion tools for individual files and folders during normal use
  3. Periodically secure erase free space using Terminal commands
  4. Physically destroy highly sensitive drives when decommissioning them

This multi-layered strategy provides defense-in-depth for your sensitive information.

Conclusion: Taking Control of Your Data Security

Apple's removal of secure erase options from Disk Utility doesn't mean you have to compromise on security. By understanding the limitations of standard erasure and utilizing Terminal commands, you can maintain high security standards for your sensitive data.

Remember that true data security is an ongoing process, not a one-time action. Regular maintenance, proper tools, and good security practices all work together to keep your information safe.

If you value data security and want a simpler approach to secure deletion for your day-to-day file management, consider VaultSort – our Mac application that implements DoD-standard secure deletion for files and folders with an intuitive interface. While it can't erase entire drives (due to Mac App Store sandbox restrictions), it's perfect for securely wiping individual files and directories as part of your regular workflow.

Have you tried securely erasing free space on your Mac? Share your experiences or questions in the comments below!


Disclaimer: Always ensure you have proper backups before performing any disk operations. The techniques described in this article are provided for educational purposes and should be used responsibly and in compliance with applicable laws and regulations.
