
Model A2159, EMC 3301. A refresh of the entry-level 13" MacBook Pro. Available in Silver and Space Gray. Released July 2019.


SSD And Encryption Questions

Hey, I’ve been commenting on a few threads and figured that rather than distract from other people’s questions, I should just ask my own.

My questions regard the new encryption that’s being used in new MacBooks with the T2 chip enabled.

  1. I’ve read online that once data is marked as unused by the SSD controller, it is no longer encrypted. Does this mean that private files that I have deleted are unprotected by the encryption and easily retrieved via recovery software?
  2. This next question might be redundant, but how does the SSD TRIM command fit into this, and on Macs is just a simple empty of the trash enough to securely delete data?
  3. Apple no longer allows for secure erase to be done in recovery mode. Would that make selling my device dangerous if my buyer decided to run recovery software?
  4. There are a lot of web sites that advertise being able to undelete data off Mac SSDs. Since all Mac SSDs come TRIM enabled, are they all scams or are they somewhat successful, with regards to data recovery from the drive?

Thanks for all answers, I stupidly thought the 128 GB SSD would be enough to get me through college.


1: “First, I’ve read online that once data is marked as unused by the SSD controller, it is no longer encrypted.”

Read online where? It’s nonsense.

2: Trim marks blocks no longer used by the file system as ready for recycling. It doesn’t care about what data is in them and makes no changes.

3: If all data is encrypted, recovery software is useless unless the software can recover encryption keys, which contradicts the “is encrypted” part, thus logically nonsense.

4: Data recovery software only works at file system level. It analyzes all blocks addressable and readable, to figure out previous data marked out by the file system. It doesn’t care about anything lower level. Even if the data blocks are still there, the metadata containing the keys is removed, therefore recovery is difficult, and if the master key is securely removed, data recovery is impossible.

What CAN be undone by Trim is the deletion of certain master keys if the deletion was not properly handled at physical level. Apple made this kind of mistake back in the iPhone 3GS era. Now there is reason to believe that they handle volume or device keys securely and make sure the keys are stored on non-mappable areas or deletion actually goes to the physical blocks instead of being wear-leveled out.

5: Please use carriage return, don’t type all your questions in one block of mess.
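A toy model of the point made in this answer, added here as an illustration and not written by the answerer or taken from Apple: deleting a file drops the metadata holding its wrapped key while the ciphertext block stays in flash, so a block-scanning recovery tool finds nothing recognisable, and erasing the volume key makes every remaining block unreadable. The two-level key layout, all class and function names, the SHAKE-256 keystream standing in for the hardware AES engine, and the sample file contents are assumptions of the sketch.

```python
import hashlib
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (SHAKE-256 keystream XOR); a stand-in for the drive's AES engine."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyEncryptedDisk:
    """Hypothetical two-level key model: a volume key wraps per-file keys."""
    def __init__(self):
        self.volume_key = os.urandom(32)  # assumed to live outside mappable flash
        self.flash = {}      # physical block -> ciphertext (what a raw scan can read)
        self.metadata = {}   # file name -> (block number, wrapped file key)

    def write_file(self, name: str, plaintext: bytes) -> None:
        block = len(self.flash)
        nonce = block.to_bytes(8, "big")
        file_key = os.urandom(32)
        self.flash[block] = xor_stream(file_key, nonce, plaintext)
        wrapped = xor_stream(self.volume_key, b"wrap" + nonce, file_key)
        self.metadata[name] = (block, wrapped)

    def read_file(self, name: str) -> bytes:
        block, wrapped = self.metadata[name]
        nonce = block.to_bytes(8, "big")
        file_key = xor_stream(self.volume_key, b"wrap" + nonce, wrapped)
        return xor_stream(file_key, nonce, self.flash[block])

    def delete_file(self, name: str) -> None:
        # Delete + TRIM in this model: the metadata (with the wrapped key) goes,
        # the block is only marked free and its ciphertext is left in place.
        del self.metadata[name]

    def erase_volume(self) -> None:
        # Erase: destroy the volume key; any surviving wrapped key is now useless.
        self.volume_key = None
        self.metadata.clear()

def carve(disk: ToyEncryptedDisk, needle: bytes) -> list:
    """Recovery-tool view: scan every readable block for recognisable content."""
    return [b for b, data in disk.flash.items() if needle in data]

def demo():
    disk = ToyEncryptedDisk()
    disk.write_file("taxes.txt", b"tax-return: constructed sample data")
    readable = disk.read_file("taxes.txt")
    disk.delete_file("taxes.txt")
    return readable, len(disk.flash), carve(disk, b"tax-return")
```

`demo()` returns the plaintext read back before deletion, the number of blocks still physically present afterwards, and the (empty) list of blocks in which a scan finds the known plaintext.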


Thanks so much for the well-researched answers! Trim still confuses me though (probably more due to my lack of knowledge than anything else). It was my understanding that trim took all blocks marked as unused and zeroed them out. How does reality compare to this view of how they operate?


Also, do I have reason to believe that wiping the disk in Disk Utility out of recovery mode wipes the master key, thus making recovery impossible, or would it be unsafe to sell it with just a simple erase? And does deletion ever happen on a physical level on an SSD, or do you just rely on encryption to stop unauthorized people from trying to access your data?


@tmesd Actually there are several layers of abstraction, from data encryption and file system structure to SSD performance and longevity optimization, each designed with the target of being transparent to anything else accessing it for compatibility, making them highly confusing and not easily understood.

But one thing is clear: If the encryption key wasn't stored on it, or no unencrypted data gets stored on it directly, then it doesn't matter whether the data can be recovered or not after deleting, because you won't be able to understand them anyway.


@tmesd - To add to Tom's answer, the encryption key is not even held on the drive as it was on the iPhone back in the day. Today part of it is held within the physical Touch ID button or Face ID subsystem and linked to your finger or face print!

I think you need to take a few deep breaths and not panic! You are overanalyzing things here. Are your taxes something the Feds would spend days on the best supercomputer to try to break the encryption? We are talking about at least a million dollars' worth of computer time!

Now if you had the formula to make gold out of paper then I could see them spending the effort ;-}


I carried over my answer from your other post here:

Let's think about this with something more tangible!

Hopefully you have a paper shredder to destroy your papers. So, if we go back in time, the first generation of shredders merely made strips of the page, so if I only did one page I could easily take the strips side by side and arrange them back together quite quickly and with some tape reconstitute the page! Now that's easy! The only way this gets harder is when many pages are shredded and they are uniform. If you have a few yellow or red pages they could be pulled away and bingo! They could be put back together!

The next is when the cross-cut design came out, as now instead of strips we have smaller pieces! So if we do that one page again, while much harder, it too can be reconstituted! In fact a person only needs an OCR program and a bed scanner to let the computer do the grunt work!

For most, this is all one needs, as the needed gear and skills are beyond what one would apply if you were not a government agency trying to get dirt on you.

This is what I use for my bills, and I make sure I bag up a good mix of stuff and as big a bag as I can. This makes it so hard no one will do it!

Still not the ultimate in safety! So let's get to the most secure way. If the paper is dyed so you can't see the writing then you've made the task so hard it's just not doable, or let's just burn the paper! So all you have is ashes!

So as we can see we have three levels of effort. Now let's apply the three to the drives:

● Level 1 - HDD

● Level 2 - Plain SSD

● Level 3 - SSD with full encryption via T2

So clearly if you want full destruction you want ashes; Level 3 is the answer. Nothing but NOTHING will be scrapeable from your drive.

I have not heard of anything about the APFS file system being breakable. Besides, it's not the file system itself, it's how the data held within it is dealt with.

Think of it this way: an envelope that holds the piece of paper is not the risk, it's the exposure of the piece of paper held within it. So having a bucket which is holding that page I metaphorically shredded above, which is safe? A pile of ashes!


https://arstechnica.com/gadgets/2017/09/....

Thanks for the answer, I feel a lot better now. In this Ars Technica review of High Sierra, it made the claim that APFS only encrypts actively used parts of the disk, how exactly is my interpretation of this article incorrect? I assume since all data is initially encrypted it wouldn’t be decrypted once it’s marked as free.


Again I think you're going into this too deeply!

How about reading up on all of this from the source! Apple Platform Security


Great so in short, doing an erase in disk utility out of recovery mode will be almost surefire for protecting my data before selling my computer because it removes the encryption keys.


But before you do that you'll need to remove your system from Find My Mac, unless you have an iPhone or iPad, in which case you can do it from there.

Don't forget to score the answer and accept the one that answered your question.


Done! And thanks again, with so much seemingly contradictory info out on the internet it’s easy to get totally lost. Thanks for your expertise.
