Skip to content
The Security Editor

Destruction & disposal

Retiring old laptops, phones, and drives without leaking your life

A checklist for selling, recycling, or handing down a device, so the next person gets the hardware and none of your history.

By Alex Trustwell 5 min read beginner
On this page
  1. A Mac (macOS)
  2. Apple silicon (M1 or later) or Intel Macs with T2 chip
  3. Older Intel Macs (pre-T2)
  4. A Windows PC
  5. An iPhone or iPad
  6. An Android phone or tablet
  7. An external drive
  8. A router or smart device
  9. Before it leaves the house: a final audit
  10. A simpler rule for the future

A retired device has three ways to leak your information: the data on its storage, the accounts it is still signed into, and the physical-world secrets it remembers (stored Wi-Fi passwords, cached document thumbnails, browser history, saved payment methods). Every year, someone buys a “factory reset” phone off a marketplace and discovers they have somebody else’s iCloud photos.

This article is the checklist to prevent that, device by device.

A Mac (macOS)

Apple silicon (M1 or later) or Intel Macs with T2 chip

  1. Sign out of iCloud. System Settings → Apple ID → Sign Out. Choose to keep a copy of data on the Mac or not (doesn’t really matter, since you’re about to erase).
  2. Sign out of iMessage. Messages → Preferences → iMessage → Sign Out.
  3. Unpair Bluetooth devices that will stay with you (so the new owner doesn’t get paired with your keyboard).
  4. Remove the Mac from Find My at icloud.com/find.
  5. Run Erase All Content and Settings (System Settings → General → Transfer or Reset → Erase All Content and Settings). This performs cryptographic erasure of the storage via the T2 / Apple silicon secure enclave, which is the NIST-endorsed method for flash media.
  6. Install a fresh macOS from recovery if you want to leave the new owner with a ready-to-go machine.

Older Intel Macs (pre-T2)

  1. Sign out of accounts as above.
  2. Turn FileVault off and then back on with a fresh key, or skip this and go straight to step 3 — the net effect is similar if you take step 3.
  3. Boot to Recovery. Use Disk Utility to erase the internal drive, choosing the “Security Options” slider (if present) to overwrite, because the drive may be an SSD without the modern hardware-encryption story.
  4. Reinstall macOS.

A Windows PC

  1. Sign out of Microsoft account (Settings → Accounts).
  2. Unlink Microsoft 365 / OneDrive sessions.
  3. Sign out of other apps (Slack, Zoom, browsers). If in doubt, right-click → Uninstall the apps.
  4. Remove the device from your Microsoft account at account.microsoft.com/devices.
  5. Confirm Device Encryption or BitLocker is on (you set this up when the device was first configured; see full-disk encryption). If it was on the whole time, the drive contains ciphertext, and a factory reset destroys the key.
  6. Run Reset this PC (Settings → System → Recovery), and when asked, choose “Remove everything” and “Clean the drive” (the longer option). This overwrites free space, which matters if the drive is a hard drive or was only encrypted part of the time.
  7. After reset, leave the setup screen for the new owner.

An iPhone or iPad

  1. Back up what you want to keep (iCloud or a local Finder / iTunes backup, encrypted).
  2. Sign out of iCloud and the App Store (Settings → [your name] → Sign Out).
  3. Once signed out, Settings → General → Transfer or Reset iPhone → Erase All Content and Settings.
  4. The device will wipe and reboot to the setup screen.
  5. Check Find My at icloud.com/find and confirm the device has been removed.

On modern iPhones and iPads, Erase All Content and Settings destroys the device’s encryption key; the storage is full of ciphertext that is no longer decryptable. Factory reset is the reliable method here.

An Android phone or tablet

  1. Back up via Google One / a local backup.
  2. Remove your Google account (Settings → Accounts → Google → Remove). Without this step, “Factory Reset Protection” will prevent the next owner from setting the device up.
  3. Sign out of Samsung / manufacturer accounts if present.
  4. Encrypt the device if it isn’t already. On all modern Android devices (Android 10+), file-based encryption is on by default.
  5. Settings → System → Reset → Erase all data (factory reset).

Factory Reset Protection is a useful feature but it also means that a device reset with a Google account still signed in will be unusable by the next person. The sign-out step matters.

An external drive

The most frequently forgotten category. External drives are almost always not encrypted unless the user specifically set that up.

  1. Take inventory of what was on the drive, in case you need to remember any credentials.
  2. If the drive was encrypted (VeraCrypt container, BitLocker To Go, encrypted APFS), wiping the encryption headers is usually sufficient. Practically, a quick format and overwrite goes further.
  3. If the drive was not encrypted:
    • HDD: full-drive overwrite with DBAN, dd, or your OS’s secure erase option.
    • SSD: ATA Secure Erase or NVMe Format with cryptographic erase; most manufacturer utilities expose this.
  4. After wiping, create a fresh, empty filesystem on it.

A router or smart device

  1. Factory reset — usually a pinhole button on the back, held for 10 seconds.
  2. On routers, change the admin password before reset to a random value (so that if the reset goes wrong, at least the stored settings aren’t trivially recoverable).
  3. Remove the device from your account in the vendor’s app.
  4. For devices that hold Wi-Fi passwords and stored camera footage, a factory reset is usually enough. For cameras that saved footage to an SD card, format the card separately.

Before it leaves the house: a final audit

Regardless of the device, before handing it over to the next person:

  • Search email@yours.com in the recipient’s account recovery paths, if you can. You should not find yourself listed.
  • Check the cloud services you use (Apple ID, Microsoft, Google, Dropbox, Slack, etc.) and confirm the device no longer appears in the “signed-in devices” or “trusted devices” list.
  • Look at any cellular plan — if the device has a SIM, remove it first.

A simpler rule for the future

The single thing that makes device retirement painless: encrypt the device the day you buy it. On modern Macs, iPhones, iPads, and most Androids, this happens automatically. On Windows, confirm Device Encryption / BitLocker is on. On external drives, encrypt with VeraCrypt or the OS-native option.

Then, when retirement day comes, “reset and sign out” is enough. The ciphertext left on the disk is harmless without the key you’ve already destroyed.

The companion article Why ‘empty the trash’ doesn’t really delete your files explains the mechanics underneath.

Sources

  1. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
  2. Apple — What to do before you sell, give away, or trade in your Mac
  3. Microsoft — Remove your files and settings with Reset this PC
  4. Google — Factory reset your Android device