I just woke up to the fact that it looks like user data can be leaked when using FileVault and Migration Assistant on an SSD on a new Mac when following the default prompts.
So by the time I'm allowed to enable FileVault, it's too late. Even worse, I can't securely wipe the drive before selling the computer later:
I believe there is a final step in the process of turning on FileVault that is not being mentioned and that would preclude it being on by default.
These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD. I'm assuming that even though FileVault is still encrypting the disk before I run Migration Assistant (my computer tells me it has 36 minutes of encryption time remaining), all new writes made by Migration Assistant will be encrypted, and thus my data will never touch the NANDs in the clear. Your making a test user account with a short name different from the eventual user to be migrated is sound.
In practice, you will in time overwrite more and more of the data, but if you have the time to first establish a FileVault key and have the drive completely encrypted before copying any sensitive data, you have a more secure system and can know that the data can be sanitized cryptographically as opposed to being overwritten or actually erased. You'll want to look for these lines in the diskutil cs list output to know it's ready for the start of data migration:
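As an added example (not part of the question or any of the answers), here is a small Python script that applies the advice above: it reads the CoreStorage status of the boot volume and only reports "ready to migrate" once conversion is complete and the volume is fully secure. The field names it looks for ("Encryption Type", "Conversion Status", "Fully Secure", "Conversion Progress") and the `fdesetup status` wording are assumptions from memory of FileVault 2 on HFS+/CoreStorage, and the sample outputs are constructed; on an APFS Mac `diskutil cs list` reports no volume groups, so the script tells you to check `diskutil apfs list` instead.

```python
"""Check that FileVault has finished encrypting before running Migration Assistant.

Added example, not from the original question or answers. Field names match
`diskutil cs list` output as remembered from the CoreStorage era and the
fdesetup messages are likewise assumptions; the sample outputs are constructed.
"""
import re
import subprocess
import sys

# Constructed sample: FileVault still converting, as the asker saw mid-encryption.
SAMPLE_CS_CONVERTING = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 2A3B4C5D-0000-0000-0000-000000000000
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume Family 3B4C5D6E-0000-0000-0000-000000000000
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Converting (forward)
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes
        |
        +-> Logical Volume 4C5D6E7F-0000-0000-0000-000000000000
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Conversion Progress:   37%
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
"""

# Constructed sample of the same volume once conversion has finished.
SAMPLE_CS_DONE = re.sub(r"Fully Secure:(\s+)No", r"Fully Secure:\1Yes",
                        SAMPLE_CS_CONVERTING.replace("Converting (forward)", "Complete"))
SAMPLE_CS_DONE = re.sub(r"^\s*Conversion Progress:.*\n", "", SAMPLE_CS_DONE, flags=re.MULTILINE)

CS_KEYS = ("Encryption Type", "Encryption Status", "Conversion Status",
           "Fully Secure", "Conversion Progress")


def parse_cs_list(text):
    """Return the encryption-related fields of the first logical volume family."""
    fields = {}
    for key in CS_KEYS:
        m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def ready_for_migration(text):
    """True only when every block on the volume is already ciphertext."""
    f = parse_cs_list(text)
    return (f.get("Encryption Type") == "AES-XTS"
            and f.get("Conversion Status") == "Complete"
            and f.get("Fully Secure") == "Yes")


def parse_fdesetup_status(text):
    """Parse `fdesetup status`; assumed phrasing: 'FileVault is On.' / 'FileVault is Off.'
    and, while converting, 'Encryption in progress: Percent completed = N.'"""
    on = re.search(r"FileVault is On\.", text) is not None
    m = re.search(r"Percent completed\s*=\s*(\d+)", text)
    percent = int(m.group(1)) if m else (100 if on else 0)
    return {"on": on, "percent": percent}


def main():
    if sys.platform != "darwin":
        print("Not macOS; evaluating the constructed sample output instead.")
        text = SAMPLE_CS_CONVERTING
    else:
        text = subprocess.run(["diskutil", "cs", "list"], capture_output=True,
                              text=True, check=True).stdout
    fields = parse_cs_list(text)
    if not fields:
        print("No CoreStorage volume found; on APFS check `diskutil apfs list` and `fdesetup status`.")
        return
    for key, value in fields.items():
        print(f"{key}: {value}")
    verdict = "READY: run Migration Assistant now" if ready_for_migration(text) \
        else "NOT READY: wait for conversion to finish before migrating data"
    print(verdict)


if __name__ == "__main__":
    main()
```

Run it with `python3 fv_ready.py` on the new Mac after enabling FileVault and before launching Migration Assistant; if it prints NOT READY, let the conversion finish so that the migrated data is only ever written as ciphertext.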
While you run the Migration Assistant, there is no additional security risk imposed by the encryption beginning after data transfer commences. In fact, this reduces the physical security risk through the following mechanism: Secure Erase provides no benefit when used on an SSD with full-disk encryption, because of how data is stored. But any potential benefit from using Secure Erase on any disk with full-disk encryption could never be very large, because no data would be retrievable without the encryption secrets. If the secrets are obtained by a threat agent, then the whole disk has been compromised.
Without full-disk encryption, files can sometimes be recovered from an SSD by a sophisticated threat agent, and not by a script kiddie, at least not today. This is different from HDDs, where for the past decade script kiddies and five-year-olds have had the tools readily at their disposal to easily recover deleted data from unencrypted HDDs. Here's a secure way to prevent unencrypted data from being written to the SSD: install your system and migrate onto a separate drive, be it a USB hard drive, a second SSD, etc.
Now wipe the original drive. A less secure but easy way is to manually trim the SSD using fsck. This will make the unused space appear to be all zeros to anybody reading the data out from the OS. They would have to either tamper with the drive firmware or remove the flash from the drive to get around this. Eventually, with use, all the data on the drive will be overwritten.
Asked 5 years, 5 months ago. Active 3 years, 5 months ago. Viewed 4k times.

On an SSD, however, it's impossible to overwrite data securely

1. Create a new user account.
2. Enable FileVault.
3. Run the Migration Assistant.

Do you agree with the problem and my solution?

David Braun
Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted storage. Turning on FileVault is still recommended on these Macs, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac. FileVault 2 is available in OS X Lion or later. When FileVault is turned on, your Mac always requires that you log in with your account password.
You can encrypt individual files by creating an encrypted file container, or disk image. Whenever you want to work with your encrypted files just mount the disk image and enter your password.
The files will be available to use and any files you save to the disk image will be encrypted. When you unmount the disk image, the files will be locked and no one will be able to access them unless they have your encryption password. This is a simple method for encrypting files. Better yet, the encrypted disk image you create can be synchronized online using a service like Dropbox or Google Drive.
Follow our guide to creating and using an encrypted disk image for more information. The above encryption tools are integrated into macOS.
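The encrypted disk image workflow described above (create a container, mount it with a password, unmount it to lock it) can also be scripted with the `hdiutil` tool that Disk Utility drives. The following Python script is an added example, not How-To Geek's own code: it builds the `hdiutil create`, `attach` and `detach` command lines with AES-256 encryption and a sparse bundle that grows on demand, feeds the passphrase over stdin via `-stdinpass` rather than on the command line, and only executes them on macOS. The image path, volume name and size are assumptions chosen for illustration.

```python
"""Create, mount and unmount an AES-256 encrypted disk image with hdiutil.

Added example, not the article's own code. The helpers return argv lists so
the exact hdiutil invocation can be inspected (or unit-tested) on any host;
run_hdiutil executes them only on macOS. Paths and names are illustrative.
"""
import getpass
import os
import subprocess
import sys

IMAGE = os.path.expanduser("~/Secret.sparsebundle")   # assumed location
VOLNAME = "Secret"                                      # mounts at /Volumes/Secret


def create_args(image_path, volname, size="1g"):
    # Sparse bundle: grows as files are added and syncs in small bands, which
    # is why it works with services like Dropbox; HFS+ journaled inside; AES-256.
    return ["hdiutil", "create", "-type", "SPARSEBUNDLE", "-size", size,
            "-fs", "HFS+J", "-encryption", "AES-256", "-stdinpass",
            "-volname", volname, image_path]


def attach_args(image_path):
    # -stdinpass reads the passphrase from stdin instead of prompting;
    # -nobrowse keeps the mounted volume out of the Finder sidebar.
    return ["hdiutil", "attach", "-stdinpass", "-nobrowse", image_path]


def detach_args(volname):
    # Unmounting is what locks the files again: the key is discarded with the mount.
    return ["hdiutil", "detach", os.path.join("/Volumes", volname)]


def passphrase_stdin(passphrase):
    # hdiutil -stdinpass reads a NUL-terminated passphrase and keeps any newline
    # that precedes the NUL as part of it, so terminate explicitly, never with "\n".
    return passphrase.encode("utf-8") + b"\0"


def run_hdiutil(argv, passphrase=None):
    """Run one hdiutil command, piping the passphrase if one is given."""
    if sys.platform != "darwin":
        raise RuntimeError("hdiutil is macOS-only; would have run: " + " ".join(argv))
    stdin = passphrase_stdin(passphrase) if passphrase is not None else None
    done = subprocess.run(argv, input=stdin, check=True, capture_output=True)
    return done.stdout.decode()


def main():
    if sys.platform != "darwin":
        # Show the commands so the script is still informative off-Mac.
        for argv in (create_args(IMAGE, VOLNAME), attach_args(IMAGE), detach_args(VOLNAME)):
            print(" ".join(argv))
        return
    pw = getpass.getpass("Passphrase for the encrypted image: ")
    if not os.path.exists(IMAGE):
        run_hdiutil(create_args(IMAGE, VOLNAME), pw)
    run_hdiutil(attach_args(IMAGE), pw)
    print(f"Mounted at /Volumes/{VOLNAME}; files saved there are encrypted on disk.")
    input("Press Enter to unmount and lock the image... ")
    run_hdiutil(detach_args(VOLNAME))


if __name__ == "__main__":
    main()
```

Because the passphrase travels over stdin, it does not appear in `ps` output or shell history the way `-passphrase` on the command line would; losing it means losing the files, exactly as with the Disk Utility workflow.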