
Erase All Content and Settings does what it says

By: hoakley
12 November 2025 at 15:30

Erasing SSDs securely has been a longstanding problem, one that was solved for Macs with T2 or Apple silicon chips by Erase All Content and Settings (EACAS), introduced four years ago in macOS Monterey. This article explains how it works, what it does, and when you should use it.

Boot disk

Intel Macs are simpler; the internal SSD of an Apple silicon Mac is divided into three APFS containers, each in its own partition.


Intel Macs have the same Apple APFS container with the Boot Volume Group in it, but the other two containers are replaced by a single small EFI partition.

The first two containers, iSC and Recovery, are managed and used by macOS itself; the third, containing the Boot Volume Group, is the one we’re concerned with here. That group includes the System and Data volumes. The System volume is made into a read-only snapshot that’s mounted as the Signed System Volume (SSV) and contains macOS. Everything you install as a user, including apps and your Home folder, is in the Data volume, which on T2 and Apple silicon Macs is encrypted automatically even when FileVault is turned off.

Data volume

As the Data volume is invariably encrypted, the best way to securely erase its entire contents is to destroy its encryption key. Provided that can be done robustly, so the key can never be recovered, no one will be able to decrypt its contents. (One day quantum computing might make it feasible to break the encryption, but that isn’t something you should be concerned with at present.)

The key that encrypts the Data volume is itself stored encrypted, or wrapped, by another key, and that wrapping is how FileVault adds the user’s password when it’s enabled. To ensure that those keys never leave the Secure Enclave, they’re protected by a further layer of encryption, and the key that EACAS destroys is one of those. macOS also employs anti-replay techniques to ensure that a previous key can’t be restored and reused.

Additional features

In addition to destroying the encryption key for the Data volume, EACAS performs other useful tasks. These include signing out of your Apple Account, including iCloud and iCloud Drive, destroying all fingerprints used for Touch ID, and turning off Location Sharing to disable Find My and Activation Lock.

Although I can’t find any official account of additional data being erased by EACAS, I believe that all LocalPolicy records stored in Apple silicon Macs are also destroyed. LocalPolicy authorises access to external bootable disks, so those who have configured an external disk to boot their Mac are likely to be required to re-authorise it before it will boot that Mac again.

What EACAS doesn’t do, though, is sign you out of third-party cloud or other services such as Adobe’s Creative Cloud, or deauthorise that Mac for Apple media such as Music. Neither will it do anything to your Mac’s SSV: that’s left intact, still running the same version of macOS.
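Before relying on EACAS to prepare a Mac for disposal, it’s worth listing every APFS volume the Mac can see and checking which of them the key destruction described above actually covers: only the Data volume on the internal SSD. The following is an added example, not code from the article; it reads the layout from `diskutil apfs list -plist` when run on a Mac, and otherwise audits a constructed sample built in the shape plistlib returns for that command (the key names Containers, DesignatedPhysicalStore, Volumes, Roles, Encryption and FileVault, and the Internal key of `diskutil info -plist`, are assumed from those commands; all values are invented).

```python
"""Audit APFS volumes to see which ones EACAS's key destruction covers (added example)."""
import plistlib
import shutil
import subprocess
from typing import Optional, Set, List, Dict

# Constructed sample in the shape of plistlib.loads(`diskutil apfs list -plist` output).
SAMPLE_APFS = {
    "Containers": [
        {   # Boot Volume Group container on the internal SSD
            "ContainerReference": "disk3",
            "DesignatedPhysicalStore": "disk0s2",
            "Volumes": [
                {"DeviceIdentifier": "disk3s1", "Name": "Macintosh HD", "Roles": ["System"],
                 "Encryption": False, "FileVault": False},
                {"DeviceIdentifier": "disk3s2", "Name": "Macintosh HD - Data", "Roles": ["Data"],
                 "Encryption": True, "FileVault": True},
                {"DeviceIdentifier": "disk3s3", "Name": "Preboot", "Roles": ["Preboot"],
                 "Encryption": False, "FileVault": False},
                {"DeviceIdentifier": "disk3s4", "Name": "Recovery", "Roles": ["Recovery"],
                 "Encryption": False, "FileVault": False},
                {"DeviceIdentifier": "disk3s5", "Name": "VM", "Roles": ["VM"],
                 "Encryption": False, "FileVault": False},
            ],
        },
        {   # External bootable SSD left plugged in, FileVault never enabled on it
            "ContainerReference": "disk5",
            "DesignatedPhysicalStore": "disk4s2",
            "Volumes": [
                {"DeviceIdentifier": "disk5s1", "Name": "External", "Roles": ["System"],
                 "Encryption": False, "FileVault": False},
                {"DeviceIdentifier": "disk5s2", "Name": "External - Data", "Roles": ["Data"],
                 "Encryption": False, "FileVault": False},
            ],
        },
    ]
}
# Physical stores that `diskutil info -plist diskNsM` reports with Internal = True (constructed).
SAMPLE_INTERNAL_STORES = {"disk0s2"}

# Volumes macOS manages itself; EACAS leaves the SSV intact by design, so these are not
# reported as needing manual attention.
SYSTEM_ROLES = {"System", "Preboot", "Recovery", "VM", "Update", "Hardware", "xART"}


def load_live_apfs() -> Optional[dict]:
    """Return the real layout when diskutil is available (macOS), else None."""
    if shutil.which("diskutil") is None:
        return None
    out = subprocess.run(["diskutil", "apfs", "list", "-plist"], check=True, capture_output=True).stdout
    return plistlib.loads(out)


def live_internal_stores(apfs: dict) -> Set[str]:
    """Ask diskutil which physical stores are internal (macOS only)."""
    stores = set()
    for c in apfs["Containers"]:
        store = c.get("DesignatedPhysicalStore")
        if store:
            info = plistlib.loads(subprocess.run(["diskutil", "info", "-plist", store],
                                                 check=True, capture_output=True).stdout)
            if info.get("Internal"):
                stores.add(store)
    return stores


def audit(apfs: dict, internal_stores: Set[str]) -> List[Dict]:
    """One row per volume, recording whether EACAS would render it unreadable."""
    rows = []
    for c in apfs["Containers"]:
        internal = c.get("DesignatedPhysicalStore") in internal_stores
        for v in c["Volumes"]:
            roles = list(v.get("Roles", []))
            rows.append({
                "device": v["DeviceIdentifier"], "name": v["Name"], "roles": roles,
                "internal": internal,
                "encrypted": bool(v.get("Encryption")), "filevault": bool(v.get("FileVault")),
                # EACAS destroys the key protecting the internal Data volume, nothing else.
                "eacas_erases": internal and "Data" in roles,
            })
    return rows


def needs_manual_erase(rows: List[Dict]) -> List[str]:
    """User-writable volumes EACAS won't touch: anything on an external store."""
    return [r["device"] for r in rows
            if not r["eacas_erases"] and not (set(r["roles"]) & SYSTEM_ROLES and r["internal"])]


if __name__ == "__main__":
    live = load_live_apfs()
    rows = audit(live, live_internal_stores(live)) if live else audit(SAMPLE_APFS, SAMPLE_INTERNAL_STORES)
    for r in rows:
        print(f"{r['device']:8} {r['name']:22} roles={','.join(r['roles']) or '-':10} "
              f"internal={r['internal']} encrypted={r['encrypted']} eacas_erases={r['eacas_erases']}")
    print("Erase separately before disposal:", needs_manual_erase(rows) or "nothing")
```

On the constructed sample the only volume EACAS erases is disk3s2, and both volumes of the external disk are flagged for separate attention, which is the case the text above warns about: the external Data volume still holds readable data after EACAS has run.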

How to use EACAS

Start EACAS from System Settings > General > Transfer or Reset > Erase All Content and Settings…. In older versions of macOS still using System Preferences, open them and it’s offered as a command in the System Preferences app menu.


If you continue, you should see one final warning before the contents of the Data volume are blown away into the great bit-bucket in the sky.

Viewed afterwards in Recovery mode, what’s left of your Data volume is a mere 300 MB or so.

When to use EACAS

If you want to wipe your Mac’s Data volume so you can reinstall its user(s), EACAS is the simplest and quickest way to do that, and doesn’t require starting up in Recovery. Its additional features ensure that, when you install its new primary user, everything should work properly and you don’t end up with ghost Macs left over from the past.

It’s the method of choice when preparing your Mac for disposal, particularly if you’re passing it on to someone else, as it ensures that no one can recover any of the data stored in your Home folder, or anywhere else on its Data volume. Performing that manually requires you to work through a list of additional procedures, almost all of which are automatic in EACAS.

The only time when you’re likely to prefer a different method is when you want to erase both the Data and System volumes, perhaps to return to an older version of macOS. Although you can do that using Disk Utility in Recovery mode, that doesn’t install the matching firmware. If you really want to return to factory-fresh condition, the best way is to put that Mac into DFU mode, then restore it from the IPSW image file for that version of macOS. Although that does require a second Mac, it’s quick and comprehensive.

One other caution: never use EACAS on a macOS VM, as it’s unlikely to recover. It makes more sense just to delete the whole VM and be done with it.

Summary

  • EACAS performs a secure erase of the Data volume, as well as some useful extras.
  • It’s the method of choice for preparing your Mac for disposal.
  • It’s also suitable for wiping user data before setting your Mac up afresh, using its existing macOS.
  • If you want to wipe the System volume as well, to reinstall macOS, restore from an IPSW in DFU mode.

Gain access to a locked Mac with Recovery Assistant

By: hoakley
22 October 2025 at 14:30

All of us at some time or other find our mind has gone blank and we can’t remember the password we’ve typed in so often before. Or the person who did know that password may no longer be there to recall it for us. At times like these we may need to gain access to a locked Mac. This article looks at how you can do that in an Intel Mac with a T2 chip, or an Apple silicon Mac, running Big Sur or later, in particular macOS Tahoe. If you want information for an older Mac or macOS, this article should be more helpful.

Keyboard

If you’re certain you entered the correct password but it was refused, check that Caps Lock isn’t on, and that the Mac is using the correct keyboard layout, shown in the input menu at the top right of the login window.

Firmware password (Intel only)

Intel Macs can be protected with a firmware password, set and removed in Recovery, and that can normally only be removed if you know it. If you don’t, the most reliable way to have it removed is to take the Mac to an Apple store, together with proof of purchase or ownership, and ask them to remove the firmware password.

Further information is in this support note, and in Mr. Macintosh’s article.

Don’t just guess

Trying to guess a Mac’s password is doomed to failure: you get only ten attempts at the login window before you have to continue in Recovery, and an absolute maximum of fifty attempts in total before access to its Data volume is permanently barred and that Mac has to be restored in DFU mode. Delays are also imposed between attempts, starting at a minute after the third attempt and rising to eight hours with the ninth.

Once you realise you don’t know the password, click on the ? to the right of the password entry box. If you keep trying to guess, your attempts will soon be delayed by lock periods that grow up to eight hours.

The Mac will then offer you the best option for resetting the password. If the Mac was opted into iCloud Recovery, you’ll then be asked for details of the Apple Account.

This is now handled by the Recovery Assistant, which also helps you use the Recovery Key if iCloud Recovery wasn’t chosen.

If you don’t have Apple Account details or the Recovery Key, the remaining option is to wipe the Mac. That’s offered in the Erase Mac command in Recovery Assistant’s menu.

Both of those options need the Mac to have an internet connection. Further details are in this support article. If you’ve forgotten your Apple Account password, Apple’s support article here should help.

Missing owner

Those methods all assume that you’re the owner/user, have simply forgotten your login password, and can recall your Apple Account details or Recovery Key. If the Mac belonged to someone who’s no longer there, and you don’t have access to their Apple Account, you won’t be able to use those options.

There are two further steps now available that you may find helpful. Provided your Apple Account has two-factor authentication enabled, if you’re unable to sign in or reset your password, you can ask Apple to perform account recovery. This isn’t immediate, but provided you can satisfy Apple that your request is genuine, it should prove possible.

Since macOS 12.1 and iOS/iPadOS 15.2, Apple has supported Legacy Contacts, but those must be set up before they’re needed. The Legacy Contact is provided with an access key they can use in the event of your death. Apple also needs to see a copy of the death certificate before giving them access to the account, which lasts for a period of three years. Full details are here.

Still no solution

If you want to access the Mac but not its contents, it’s straightforward to return Apple silicon and T2 models to factory condition by putting them into DFU mode and restoring them, as explained here. That may not always be a good step, though: when you try to set that Mac up again, it checks in with Apple. If it has been registered as stolen, you could find it becomes unusable.

If all else fails, get expert advice and help from Apple stores, authorised service providers, and from the many independent Mac technicians around the world who are often only too familiar with these problems.

Virtual machines

Depending on how they’re set up, macOS VMs can now support either iCloud Recovery, or a Recovery Key, provided the guest macOS can.

Explainer: FileVault

By: hoakley
18 October 2025 at 15:00

It has been 22 years since Apple’s first version of FileVault was introduced in Mac OS X 10.3 Panther. Since then it has changed beyond all recognition, and has been transformed from a questionable option to an essential feature of Apple silicon Macs. This article explains those changes, and how enabling FileVault is now a no-brainer.

The past

FileVault 1 was very different. For a start, it didn’t attempt to encrypt whole volumes, as that still isn’t built into HFS+ and only became possible in Mac OS X 10.7 Lion, when Apple added a logical volume manager, Core Storage. So this first effort stored your Home folder in an encrypted disk image, something that also proved easy to crack.


Apple’s second attempt at FileVault proved more successful, with Core Storage handling the encryption of whole HFS+ volumes. This required encryption and decryption to be performed in software, in the days when most CPUs didn’t have instructions to accelerate that. When you first enabled FileVault, macOS had to encrypt the entire contents of the boot volume, which before Catalina included the whole of the system as well as user data. Fortunately, Apple engineered this initial encryption to run in the background while you were still using your Mac. Even so, it could take several days before it was complete and FileVault became active.


This improved with time. Intel CPUs gained instructions to accelerate encryption and decryption, storage and processors got faster, and Apple’s new file system, APFS, was designed with encryption built in from the start. What transformed FileVault, though, was the introduction of the T2 chip in 2017.

The T2 chip was designed for FileVault, among its other accomplishments. It contains a Secure Enclave to isolate and protect encryption keys, and a hardware AES encryption/decryption engine that sits between the internal SSD controller and memory. Those ensure that the contents of the internal SSD can be encrypted for FileVault without any detectable overhead. From Big Sur onwards, these are used to encrypt the whole contents of the Data volume when it’s in internal storage, but not the System volume or the SSV from which the Mac boots.

FileVault base encryption

In Macs with T2 or Apple silicon chips when FileVault is disabled, everything in the Data volume stored on their internal SSD is still encrypted, but without any user password.

Generating the key used to encrypt the volume, the Volume Encryption Key or VEK, requires two large secrets: a hardware key unique to that Mac, and the xART key, a random number generated by the Secure Enclave. The former ties the encryption to that Mac, and the latter ensures that an intruder can’t regenerate the same VEK even if they know the hardware key. When you use Erase All Content and Settings (EACAS), the VEK is securely erased, rendering the encrypted data inaccessible, and there’s no means to either recover or recreate it.

This scheme lets the Mac unlock the volume automatically at startup, but puts none of that under the user’s control, so the user needs to enable FileVault to get full protection.

FileVault full encryption

Rather than trying to incorporate a user password or other key into the VEK, like many other encryption systems FileVault does this by encrypting the VEK using a Key Encryption Key or KEK, a process known as wrapping.

When you enter your FileVault password, that’s passed to the Secure Enclave, where it’s combined with the hardware key to generate the KEK, and that’s then used together with hardware and xART keys to decrypt or unwrap the VEK used for decryption/encryption. This means that the primary user’s FileVault password is the same as their regular login password. It doesn’t have to be long and complicated either, as it’s combined with the hardware key to create the KEK.

This has several important benefits. When you first turn FileVault on, no re-encryption of data is needed, as the VEK remains the same, so FileVault’s protection is effective immediately. Because the KEK can be changed without producing a new VEK, the user password can be changed without the contents of the protected volume having to be fully decrypted and encrypted again.

Recovery keys

It’s also possible to generate multiple KEKs to support the use of recovery keys that can be used to unlock the VEK when the user’s password is lost or forgotten. Institutional keys can be created to unlock multiple KEKs and VEKs where an organisation might need access to protected storage in multiple Macs.
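The key relationships described in the last few sections can be made concrete in a small model. The following is an added example and not Apple’s implementation: a keyed HMAC-SHA256 stream with an HMAC tag (encrypt-then-MAC) stands in for the Secure Enclave’s hardware AES engine, PBKDF2 salted with the hardware key stands in for Apple’s password-to-KEK derivation, and the recovery key format is a toy. What it shows is that the VEK never changes: enabling FileVault, adding a recovery key and changing the password only rewrap it, the stored ciphertext is untouched, and destroying the xART key (what EACAS does) makes every copy of the wrapped VEK useless.

```python
"""Model of FileVault's key hierarchy: VEK wrapped by KEKs under hardware and xART keys
(added example; the ciphers are stand-ins, only the key relationships are the point)."""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream; stands in for the AES engine.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption stand-in: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key")
    return bytes(c ^ s for c, s in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))


class SecureEnclave:
    """Per-device secrets that never leave the chip (model)."""

    def __init__(self):
        self.uid = secrets.token_bytes(32)    # hardware key, unique to this Mac
        self.xart = secrets.token_bytes(32)   # anti-replay key; EACAS destroys it

    def kek(self, secret: str) -> bytes:
        # Salting with the hardware key ties the KEK to this Mac, which is why the login
        # password can be short: it can't be attacked off the device.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.uid, 50_000)

    def wrap_key(self, kek: bytes) -> bytes:
        # Hardware key, xART key and KEK are all needed to unwrap a VEK.
        return hmac.new(self.uid, self.xart + kek, hashlib.sha256).digest()

    def erase_xart(self) -> None:
        self.xart = secrets.token_bytes(32)   # old wrappings can never be unwrapped again


class DataVolume:
    def __init__(self, sep: SecureEnclave):
        self.sep = sep
        vek = secrets.token_bytes(32)         # Volume Encryption Key: never changes
        # Base encryption (FileVault off): VEK wrapped with an empty KEK, so this Mac
        # unlocks it automatically but the data is useless on any other device.
        self.slots = {"auto": seal(sep.wrap_key(b""), vek)}
        self.blobs = {}                       # name -> ciphertext stored on the volume

    def unlock(self, slot: str, secret: str = "") -> bytes:
        kek = self.sep.kek(secret) if secret else b""
        return unseal(self.sep.wrap_key(kek), self.slots[slot])

    def enable_filevault(self, password: str) -> str:
        vek = self.unlock("auto")
        recovery = "-".join(secrets.token_hex(2).upper() for _ in range(6))   # toy format
        self.slots["user"] = seal(self.sep.wrap_key(self.sep.kek(password)), vek)
        self.slots["recovery"] = seal(self.sep.wrap_key(self.sep.kek(recovery)), vek)
        del self.slots["auto"]                # no more automatic unlock; nothing re-encrypted
        return recovery

    def change_password(self, old: str, new: str) -> None:
        vek = self.unlock("user", old)        # only the wrapping of the VEK changes
        self.slots["user"] = seal(self.sep.wrap_key(self.sep.kek(new)), vek)

    def erase_all_content_and_settings(self) -> None:
        self.sep.erase_xart()
        self.slots.clear()


def demo() -> dict:
    sep = SecureEnclave()
    vol = DataVolume(sep)
    vek = vol.unlock("auto")
    vol.blobs["notes"] = seal(vek, b"constructed sample file contents")
    before = vol.blobs["notes"]
    recovery = vol.enable_filevault("correct horse")
    vol.change_password("correct horse", "battery staple")
    result = {
        "ciphertext_unchanged": vol.blobs["notes"] == before,
        "same_vek_all_slots": vek == vol.unlock("user", "battery staple") == vol.unlock("recovery", recovery),
        "auto_unlock_gone": "auto" not in vol.slots,
        "reads_with_new_password": unseal(vol.unlock("user", "battery staple"), vol.blobs["notes"])
        == b"constructed sample file contents",
    }
    try:
        vol.unlock("user", "correct horse")
        result["old_password_rejected"] = False
    except ValueError:
        result["old_password_rejected"] = True
    stale = dict(vol.slots)                   # wrapped keys copied before the erase
    vol.erase_all_content_and_settings()
    try:
        unseal(sep.wrap_key(sep.kek(recovery)), stale["recovery"])
        result["eacas_destroys_access"] = False
    except ValueError:
        result["eacas_destroys_access"] = True
    return result
```

Every flag returned by `demo()` is true: the file’s ciphertext is byte-for-byte identical before and after FileVault is enabled and the password changed, each slot unwraps the same VEK, and after the xART key is replaced even a copy of the recovery slot made beforehand, with the correct recovery key, fails to unwrap.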

When you enable FileVault, you’re given the option of being provided with a recovery key, which you should keep a copy of in a safe place, or using iCloud recovery if you prefer.

In the recent past, some macOS updates have played games with recovery keys, issuing new ones when they weren’t expected. When you first get your recovery key, and any time it changes, you should check to see if it will work correctly. Once your Mac is running fully, open Terminal and type in the command
sudo fdesetup validaterecovery
After entering your admin password, you’ll then be prompted to enter the recovery key to be checked. Type or paste that in carefully, and you’ll be told whether it’s correct or not. Note that Terminal doesn’t display the key when you type or paste it in, and you’ll have to press Return without being able to see or check what you’ve entered. If that new key fails, repeat the command using your previous recovery key instead.

FileVault on other disks

The Secure Enclave and AES engine are only wired up to protect volumes on your Mac’s internal SSD. You can still enable FileVault on bootable external disks, and even in macOS virtual machines. But in those cases, volumes that are protected use Encrypted APFS in software, which does impose a small overhead. In the case of VMs, FileVault is the only effective way to safeguard data in that VM, and is recommended. For external disks you’ll need to weigh up the pros and cons.

Summary

  • FileVault in modern T2 and Apple silicon Macs is very different from in the past.
  • It now provides excellent cost-free protection to your data when stored on the internal SSD.
  • If you opt for a recovery key, check it then and whenever it has changed.
  • If your T2 or Apple silicon Mac doesn’t have FileVault enabled, why not?

Which firmware should your Mac be using? (version 10, Tahoe)

By: hoakley
22 September 2025 at 14:30

This article lists the firmware versions of Macs that have been successfully upgraded to run macOS 26.0 Tahoe.

Apple doesn’t provide an official list of the current firmware versions that should be installed on each model of Mac. The firmware version of an Intel model with a T2 chip consists of two parts, the second covering iBridge in the T2. Apple silicon Macs just give an iBoot version.

Macs still running older versions of macOS are covered by information at:

Apple silicon Macs

The current iBoot version is 13822.1.2.

Intel Macs with T2 chips

The current EFI version is 2092.0.0.0.0 and iBridge is 23.16.10350.0.0,0.

Apple Studio Display

The current version remains 17.0 (build 21A329).

How to check your Mac’s firmware version

The simplest way is to run my free tool SilentKnight, available from its product page.

Alternatively, hold the Option key while opening the Apple menu, where the About This Mac command becomes System Information…. In its Hardware Overview listing, the version is given as the Boot ROM Version or System Firmware Version.

What to do if your Mac’s firmware is different from that shown

If the version is higher than that given here, it indicates that Mac has installed a more recent version of macOS, which has installed a later version of the firmware. This is almost invariably the result of installing a beta-release of the next version of macOS. This occurs even when the newer macOS is installed to an external disk.

If the installed version of firmware has a version lower than that shown, you can try installing macOS again to see if that updates the firmware correctly. If it still fails to update, you should contact Apple Support.
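To make the comparison above mechanical, for example across a fleet, the Boot ROM string can be read from `system_profiler SPHardwareDataType -json` and compared field by field with the versions listed above. The following is an added example, not code from the article or from SilentKnight; the JSON shape and the keys boot_rom_version, chip_type and cpu_type are assumed from that command’s output, the sample records are constructed, and the expected versions are those given above for macOS 26.0.

```python
"""Compare a Mac's reported firmware with the expected versions for macOS 26.0 Tahoe (added example)."""
import json
import re
import shutil
import subprocess
from typing import Optional, Tuple

EXPECTED_IBOOT = "13822.1.2"             # Apple silicon
EXPECTED_EFI = "2092.0.0.0.0"            # Intel with T2
EXPECTED_IBRIDGE = "23.16.10350.0.0,0"

# Constructed samples in the shape of `system_profiler SPHardwareDataType -json`.
SAMPLE_APPLE_SILICON = json.dumps({"SPHardwareDataType": [
    {"chip_type": "Apple M2", "boot_rom_version": "13822.1.2"}]})
SAMPLE_INTEL_T2_OLD = json.dumps({"SPHardwareDataType": [
    {"cpu_type": "6-Core Intel Core i7",
     "boot_rom_version": "2075.101.2.0.0 (iBridge: 22.16.13051.0.0,0)"}]})

# "2092.0.0.0.0 (iBridge: 23.16.10350.0.0,0)" on Intel T2; a bare "13822.1.2" on Apple silicon.
ROM_RE = re.compile(r"^\s*([0-9.]+)(?:\s*\(iBridge:\s*([0-9.,]+)\))?\s*$")


def parse_boot_rom(text: str) -> Tuple[str, Optional[str]]:
    """Split the Boot ROM string into (EFI or iBoot version, iBridge version or None)."""
    m = ROM_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Boot ROM string: {text!r}")
    return m.group(1), m.group(2)


def version_key(version: str) -> Tuple[int, ...]:
    # Apple's iBridge strings use a comma before the last field; treat it like a dot so
    # that comparison is numeric per field rather than lexical.
    return tuple(int(p) for p in re.split(r"[.,]", version))


def compare(installed: str, expected: str) -> str:
    a, b = version_key(installed), version_key(expected)
    return "match" if a == b else ("newer" if a > b else "older")


def check(profiler_json: str) -> dict:
    """'newer' usually means a beta of the next macOS was installed; 'older' means the
    update didn't take and macOS should be reinstalled, as the text above describes."""
    hw = json.loads(profiler_json)["SPHardwareDataType"][0]
    main, ibridge = parse_boot_rom(hw["boot_rom_version"])
    if "chip_type" in hw:                      # Apple silicon reports one iBoot version
        return {"platform": "apple_silicon", "iboot": compare(main, EXPECTED_IBOOT)}
    result = {"platform": "intel", "efi": compare(main, EXPECTED_EFI)}
    result["ibridge"] = compare(ibridge, EXPECTED_IBRIDGE) if ibridge else "no_t2"
    return result


def check_live() -> Optional[dict]:
    """Run the real check when system_profiler is available (macOS), else None."""
    if shutil.which("system_profiler") is None:
        return None
    out = subprocess.run(["system_profiler", "SPHardwareDataType", "-json"],
                         check=True, capture_output=True, text=True).stdout
    return check(out)


if __name__ == "__main__":
    print(check_live() or {"sample_apple_silicon": check(SAMPLE_APPLE_SILICON),
                           "sample_intel_t2": check(SAMPLE_INTEL_T2_OLD)})
```

Splitting on both dot and comma matters: compared as strings, "22.16.13051.0.0,0" would sort after "23.16.10350.0.0,0" only by accident of digits, whereas the numeric tuple comparison correctly reports the constructed Intel sample as older on both EFI and iBridge.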

Firmware updaters are now only distributed as part of macOS updates and upgrades: Apple doesn’t provide them separately.

All T2 and Apple silicon models automatically check the integrity of their firmware in the early part of the boot process anyway. If any errors are found then, the Mac should be put into DFU mode and firmware restored from the current IPSW image file. In Sonoma and later this can be performed in the Finder, and no longer requires Apple Configurator 2. Full instructions are provided in this article. If you don’t have a second Mac or don’t feel that you can perform this yourself, it should be easy to arrange with an Apple store or authorised service provider.

(Last updated 19 September 2025)
