How to Clear Your MacBook’s Touch Bar and Secure Enclave Data

Are you planning to sell or give away your MacBook Pro with Touch Bar? Even if you erase your Mac and reinstall macOS from scratch, it won’t remove everything: information about your fingerprints and other security features is stored separately and can remain after you erase your hard drive.

Warning: We have been told that on newer Macs with a T2 security chip, the encryption key is saved in the Secure Enclave of your Mac. If you delete it using the command below, all data on your Mac will be lost forever, even if you didn’t enable FileVault encryption. Proceed at your own risk. (This article was posted before the T2 security chip was released, when this wasn’t an issue.)

This is especially true if you wiped the drive with a third-party tool or in target disk mode rather than with macOS’s own tools.

It turns out that your MacBook Pro with Touch Bar actually has two processors: the Intel processor that runs your operating system and programs, and a T1 chip that powers the Touch Bar and Touch ID. This second processor contains the “Secure Enclave,” which locks away all kinds of information about you, including your fingerprint data, in an area that neither the operating system nor the software you run can directly tamper with. To quote Apple:

Your fingerprint data is encrypted, stored on the device and protected with a key that is only available to the Secure Enclave. Your fingerprint data is only used by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It cannot be accessed by your device’s operating system or any applications running on it.

But don’t panic: according to Apple, you can remove this information with a single Terminal command.

This works best when run in recovery mode. So restart your Mac and hold down the “R” key when you hear the startup tone.

Once the macOS installer begins, open a terminal by going to the menu bar and clicking Utilities > Terminal.

In the terminal run this command:

xartutil --erase-all

Warning: If your Mac has a T2 security chip, this will likely result in permanent loss of all files on your Mac, as well as the Touch ID data stored in the enclave.

As soon as you do this, your personal data will be deleted from the Secure Enclave.
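Because the same command is harmless on a T1 Mac and destructive on a T2 Mac, it is worth checking which bridge chip the machine reports before running it. The script below is an added example, not part of the original article or an Apple tool: it reads the output of `system_profiler SPiBridgeDataType`, refuses to proceed when a T2 chip is named or when the chip cannot be determined, and only then runs `xartutil --erase-all`. The sample profiler outputs are constructed to mirror the real format and are not captured from a machine.

```shell
#!/bin/sh
# Added example (not from the original article): guard xartutil --erase-all
# so it is never run on a Mac whose bridge chip is a T2, since on those
# machines the erase also destroys the volume encryption key.
# Assumes `system_profiler SPiBridgeDataType` reports the bridge chip,
# as it does on macOS; nothing here is an Apple-supplied script.

# True (exit 0) when the profiler text names a T2 Security Chip.
bridge_is_t2() {
    printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'
}

# Decide from the profiler text: "refuse" on T2, "unknown" when the
# text is empty (profiler failed), otherwise "proceed".
decide_erase() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif bridge_is_t2 "$1"; then
        echo "refuse"
    else
        echo "proceed"
    fi
}

# Constructed sample outputs modelled on system_profiler's layout.
SAMPLE_T1='Controller:
    Controller Information:
      Model Name: Apple T1 Chip'
SAMPLE_T2='Controller:
    Controller Information:
      Model Name: Apple T2 Security Chip'

# Real run: only invoked with --run, so the file can be sourced safely.
main() {
    if ! command -v system_profiler >/dev/null 2>&1; then
        echo "system_profiler not found; run this in the macOS Terminal." >&2
        return 1
    fi
    info=$(system_profiler SPiBridgeDataType 2>/dev/null)
    case "$(decide_erase "$info")" in
        proceed) echo "No T2 chip reported; running xartutil --erase-all"
                 xartutil --erase-all ;;
        refuse)  echo "T2 chip detected: erase would destroy all data. Aborting." >&2
                 return 1 ;;
        *)       echo "Could not determine bridge chip. Aborting." >&2
                 return 1 ;;
    esac
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh guard-erase.sh --run` from the Terminal; without `--run` it only defines the functions.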

It’s worth noting that it is extremely unlikely that the information remaining in the Secure Enclave could prove useful to a would-be attacker: your actual fingerprints are not stored there, only data used to verify a match. To quote Apple again:

For security reasons, Touch ID never saves an image of your fingerprint – just a mathematical representation of it that cannot be reverse engineered.

However, there is always the possibility that Apple is wrong. So make sure that all of your personal information is completely gone before handing over your laptop. Running the above command will do that.

