The Apple T2 chip is a 64-bit ARMv8 sub-processor that runs a separate OS called bridgeOS v2 to enhance security for Mac users. Introduced in iMac Pro® in 2017, the T2 chip now resides in almost all Mac devices, including Mac mini®, MacBook®, MacBook Pro®, MacBook Air®, and Mac Pro®. It encrypts the data stored on the Mac SSD, controls macOS booting, and secures the FaceTime camera and microphone.
Given the formidable security the T2 chip enables at the software and firmware levels, two questions often arise in the Mac user community about another facet of data security: “Can I wipe a Mac with T2 chip?” and “How to wipe a Mac with T2 chip?”
These queries are about how to boot a Mac with the T2 chip so that it can be wiped or erased to meet data privacy needs, for example, when the device is to be disposed of, sold, exchanged, or returned. Understanding how the T2 chip works is vital to see what makes these questions special and to answer them.
The T2 chip takes total control over the macOS boot process, including verifying a legitimate cryptographically signed bootloader before transferring the boot process to the rest of the Mac hardware. A Mac device with T2 chip manages the boot process through the Startup Security Utility with Firmware Password, Secure Boot, and External Boot as the features to authorize access.
Fig 1 shows the Startup Security Utility screen that appears after pressing Command (⌘)-R. [Courtesy: support.apple.com]
The Secure Boot feature is set to Full Security mode by default, which requires a network connection to verify the operating system before installation. Full Security mode allows only a trusted operating system to load on the Mac, including booting Windows 10 through Boot Camp.
The External Boot feature also, by default, disallows booting the Mac from any external media such as a USB or Thunderbolt drive.
The Firmware Password feature, if enabled, further reinforces the boot security through a password prompt every time a user attempts to boot into the Mac. Firmware password also restricts booting from external media, thereby securing the Mac even if External Booting is enabled.
So we see the T2 chip enables an awe-inspiring level of security on Mac devices.
Considering the comprehensive security features, the answer to whether you can wipe a Mac with T2 chip depends upon your level of access & rights on the device. If you have Administrative rights on the Mac, you can wipe it after adjusting the settings through the Startup Security Utility, such that you can —
Before moving on to the steps for wiping a Mac with T2 chip, it is essential to choose the Mac drive erasure software on the basis of effectiveness and compliance. The tool should erase the Macintosh HD in a way that guarantees permanent wiping of the data in line with global standards. It should also generate systematic and valid documentation that serves as proof of erasure for corporate users and for individuals seeking total peace of mind.
For example, BitRaser Drive Eraser is a professional data erasure software that can wipe any Mac device, including the T2 chip variants, using standards such as NIST 800-88, DoD 5220.22-M, etc. The software wipes the Mac using a secure and efficient “USB booting” technology, allowing complete erasure of the Mac hard drive. Unlike any other Mac data erasure tool, the software allows direct plug-n-play wiping without the need to perform any technical steps to boot the Mac. Further, the software generates tamper-proof certificates and reports of erasure guaranteeing compliance with the prevalent data protection regulations.
Note: BitRaser Drive Eraser can start wiping a Mac in less than 15 minutes. The following is a broad outline of the instructions to wipe a Mac with T2 chip using the software.
Step 1: Wipe the Mac using the physically shipped BitRaser bootable USB
In this step, you will wipe the Mac with T2 chip using the BitRaser Drive Eraser bootable USB you received as a physical shipment. Start the Mac and plug in the BitRaser bootable USB drive and the license key you received.
Step 2: Hold the ‘Option Key’
Next, press and hold the Option key immediately upon hearing the startup chime, and then release it after the Startup Menu appears.
Step 3: Select the ‘USB Option to Boot Mac’
Select the USB option to boot the Mac, be it a MacBook, MacBook Air, iMac, MacBook Pro, etc. BitRaser Drive Eraser will initialize and prompt you to select the drive to erase. Next, follow the on-screen instructions to start erasing the Mac with T2 chip through the subsequent steps.
|Erasure standard or algorithm (passes)|
|---|
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|