OSX - Secure Wipe Disk

Securely erase a disk using onboard tools on OSX

  1. Plug in your external storage and use the following command to see which /dev/diskN node it's located on:
     diskutil list
  2. Unmount the disk, where N is the number of the disk:
     diskutil unmountDisk /dev/diskN

     If the above command was successful, you will see:

     Unmount of all volumes on diskN was successful

  3. Secure erase the disk, where N is the number of the disk:
     sudo diskutil secureErase <security level> /dev/rdiskN

     Security levels:

     0 - Single-pass zeros.
     1 - Single-pass random numbers.
     2 - US DoD 7-pass secure erase.
     3 - Gutmann algorithm 35-pass secure erase.
     4 - US DoE 3-pass secure erase.
  4. Eject the disk, where N is the number of the disk:
     diskutil eject /dev/diskN

#!/usr/bin/env bash
# Exit on error. Append "|| true" if you expect an error.
set -o errexit
# Exit on error inside any functions or subshells.
set -o errtrace
# Do not allow use of undefined vars. Use ${VAR:-} to use an undefined VAR
set -o nounset
# Make a pipeline fail if any command in it fails, not only the last one
set -o pipefail
# Turn on traces, useful while debugging but commented out by default
# set -o xtrace

# Arguments: disk number N (as in /dev/diskN) and the secureErase security level
DISK_NUMBER=${1:-}
SECURITY_LEVEL=${2:-}

if [[ -z "${DISK_NUMBER}" ]]; then
  echo "DISK_NUMBER is unset or set to the empty string" >&2
  exit 1
fi
# Accept digits only, so the device path built below can only name a whole disk
if [[ ! "${DISK_NUMBER}" =~ ^[0-9]+$ ]]; then
  echo "DISK_NUMBER needs to be a number, e.g. 2 for /dev/disk2" >&2
  exit 1
fi

if [[ -z "${SECURITY_LEVEL}" ]]; then
  echo "SECURITY_LEVEL is unset or set to the empty string" >&2
  exit 1
fi
SECURITY_LEVELS=(0 1 2 3 4)
# Exact match on a single allowed level (a substring test would accept "0 1")
if [[ ! "${SECURITY_LEVEL}" =~ ^[0-4]$ ]]; then
  echo "SECURITY_LEVEL needs to be one of ${SECURITY_LEVELS[*]}" >&2
  exit 1
fi

DISK_PATH="/dev/rdisk${DISK_NUMBER}"

# Show what is about to be erased and ask for a single-key confirmation
diskutil info "${DISK_PATH}"
read -p "Are you sure? " -n 1 -r
echo # (optional) move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  exit 1
fi

diskutil unmountDisk "${DISK_PATH}"
sudo diskutil secureErase "${SECURITY_LEVEL}" "${DISK_PATH}"
diskutil eject "${DISK_PATH}"
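
The script above prints `diskutil info` and relies on the operator reading it before answering the prompt. The following added example (not part of the original gist) turns that reading into an automated pre-check that refuses internal disks, partitions and solid-state media. The function names `info_field` and `vet_wipe_target` and the refusal policy are assumptions of this example, and the sample `diskutil info` text is constructed.

```bash
# Constructed sample `diskutil info` output (abridged, not from a real machine).
SAMPLE_EXTERNAL_HDD='   Device Identifier:         disk2
   Device Node:               /dev/disk2
   Whole:                     Yes
   Protocol:                  USB
   Solid State:               No
   Device Location:           External'
SAMPLE_INTERNAL_SSD='   Device Identifier:         disk0
   Device Node:               /dev/disk0
   Whole:                     Yes
   Protocol:                  PCI-Express
   Solid State:               Yes
   Device Location:           Internal'

# info_field KEY: print the value of one "KEY:   value" line read from stdin.
info_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "", line); print line; exit
        }'
}

# vet_wipe_target: read `diskutil info` text on stdin; return 0 only when the
# target looks like an external, whole, non-SSD disk. The verdict goes to stdout.
vet_wipe_target() {
    info=$(cat)
    location=$(printf '%s\n' "$info" | info_field "Device Location")
    whole=$(printf '%s\n' "$info" | info_field "Whole")
    ssd=$(printf '%s\n' "$info" | info_field "Solid State")

    if [ "$location" != "External" ]; then
        echo "refuse: device location is '${location:-unknown}', not External"
        return 1
    fi
    if [ "$whole" != "Yes" ]; then
        echo "refuse: target is a partition, not a whole disk"
        return 1
    fi
    if [ "$ssd" = "Yes" ]; then
        echo "refuse: solid-state media; overwrite passes may not reach remapped flash blocks"
        return 1
    fi
    echo "ok"
}
```

In the script, the check would run as `diskutil info "${DISK_PATH}" | vet_wipe_target` before the confirmation prompt, so that `errexit` stops the run on a refusal.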