Planning on selling or giving away your MacBook Pro with a Touch Bar? Even if you wipe your Mac and reinstall macOS from scratch, it won’t remove everything: information about your fingerprints and other security features are stored separately, and may remain after your wipe your hard drive.
Warning: We have been informed that, on newer Macs with a T2 security chip, the encryption key is stored in your Mac’s Secure Enclave. Erasing it with the below command will result in all of the data on your Mac being lost forever—even if you don’t have FIleVault encryption enabled. Proceed at your own risk. (This article was published prior to the release of the T2 security chip, when this wasn’t a concern.)
This is especially if you used a third party tool, or Target Disk Mode, to wipe the hard drive.
It turns out, your MacBook Pro with Touch Bar actually has two processors: the Intel processor that runs your operating system and programs, and a T1 chip, which powers the Touch Bar and Touch ID. That second processor includes the “Secure Enclave”, which is used to lock down all kinds of information about you, including your fingerprints, in a space that the OS itself and any software you’re running can’t directly manipulate. To quote Apple:
Your fingerprint data is encrypted, stored on device, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it.
But don’t panic: according to Apple, you can remove this information with a single Terminal command.
This works best if run from Recovery Mode. So reboot your Mac and hold the “R” button when you hear the startup chime.
Once the macOS installer begins, open a Terminal by clicking Utilities > Terminal in the menu bar.
From the Terminal, run this command:
Warning: If your Mac has a T2 security chip, this will likely result in the permanent loss of all files on your Mac as well as the Touch ID data stored in the enclave.
Once you do so, your personal information will be wiped from the Secure Enclave.
It’s worth noting that it’s extremely unlikely any of the information left in the Secure Enclave could prove useful for a would-be hacker: your fingerprints aren’t stored there, only the means to verify them. To quote Apple again:
As a security safeguard, Touch ID never stores an image of your fingerprint — just a mathematical representation of it that is impossible to reverse engineer.
Still, there’s always a chance Apple is wrong, so it’s good to make sure all of your personal information is completely gone before handing off your laptop. Running the above command lets you do that.