Secure Erase on Modern Mac OS
I'm currently on vacation and helping my mother out with some tech-related chores. One of her requests was to securely erase an old Mac backup volume on an external hard drive that at one time contained a good amount of personal and financial data. In years past, I would have gone to Disk Utility and chosen Erase on the volume and used the Security Options dropdown to have it write over the disk 3 or 7 times.
It appears that modern Mac OS has completely removed this option from the Disk Utility GUI. If you are still looking to do this it can still be accomplished via the diskutil CLI. From man diskutil on Mac OS Sequoia:
Erase, using a "secure" (but see the NOTE below) method, either a whole-disk (including all of its partitions if partitioned), or, only the free space (not in use for files) on a currently-mounted volume. Secure erasing makes it harder to recover data using "file recovery" software.
Erasing a whole-disk will leave it useless until it is partitioned again. Erasing freespace on a volume will leave your files intact, indeed, from an end-user perspective, it will appear unchanged, with the exception that it will have attempted to make it impossible to recover deleted files.
If you need to erase all contents of a partition but not its hosting whole-disk, use the zeroDisk or randomDisk verbs. Ownership of the affected disk is required.
Level should be one of the following:
• 0 - Single-pass zero fill erase.
• 1 - Single-pass random fill erase.
• 2 - Seven-pass erase, consisting of zero fills and all-ones fills plus a final random fill.
• 3 - Gutmann algorithm 35-pass erase.
• 4 - Three-pass erase, consisting of two random fills plus a final zero fill.
NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly "erased" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (FileVault).
The final note is a good warning about how modern SSD storage works. Nevertheless, I'm happy to be writing random data to an ancient USB-A hard drive in a Ghostty window as I work on other things.
$ sudo diskutil secureErase 4 /dev/disk4
Password:
Started erase on disk4
Pass: 1 [ | 0%................................................... ] 0.2
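A pre-flight check that applies the man page's NOTE and level table before running the command above. It is an added example, not code from the original post. The function names are hypothetical, the sample text is constructed, and the script assumes the "Whole", "Device Location" and "Solid State" fields as printed by diskutil info. Refusing internal disks is this example's own policy.

```shell
#!/bin/sh
# Added example: pre-flight check before `diskutil secureErase` (not from the post).

# Print the value of one "Key:   value" line from `diskutil info` text.
info_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }'
}

# plan_erase INFO_TEXT LEVEL DEVICE
# Prints a verdict; returns 0 = go ahead, 1 = overwrite not reliable, 2 = refused.
plan_erase() {
    info=$1; level=$2; dev=$3
    # Pass counts from the man page level table quoted above.
    case $level in
        0|1) passes=1 ;;
        2)   passes=7 ;;
        3)   passes=35 ;;
        4)   passes=3 ;;
        *)   echo "refuse: level must be 0-4"; return 2 ;;
    esac
    if [ "$(info_field "$info" "Whole")" != "Yes" ]; then
        echo "refuse: $dev is not a whole disk; use zeroDisk or randomDisk"
        return 2
    fi
    # Assumed policy of this example: never touch internal disks.
    if [ "$(info_field "$info" "Device Location")" = "Internal" ]; then
        echo "refuse: $dev is an internal disk"
        return 2
    fi
    case $(info_field "$info" "Solid State") in
        No)  echo "ok: sudo diskutil secureErase $level $dev ($passes passes)" ;;
        Yes) echo "avoid: $dev is solid state; overwrite passes cannot reach" \
                  "spared or wear-leveled blocks, use encryption instead"
             return 1 ;;
        *)   echo "unknown: media type of $dev not reported; check before erasing"
             return 1 ;;
    esac
}

# Constructed sample of `diskutil info` output for an external USB hard drive.
SAMPLE_HDD='   Device Node:               /dev/disk4
   Whole:                     Yes
   Device Location:           External
   Solid State:               No'

plan_erase "$SAMPLE_HDD" 4 /dev/disk4
```

On a Mac, pass the live output instead of the sample: plan_erase "$(diskutil info /dev/disk4)" 4 /dev/disk4.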