Disadvantages of encrypting SSD disk at time of disposing of computer vs. at first use?
Solution 1:
No, it won't be as effective. Encrypting before writing anything (/anything important) is the best (most secure) option, but if you miss the opportunity to do that there are still methods better than retroactive encryption.
(Note: this is mostly inapplicable to the built-in SSD in newer Macs with the T2 chip or "Apple Silicon" CPUs, since they automatically encrypt the data volume, with an encryption key protected by the Secure Enclave. Turning on FileVault on these models doesn't encrypt the volume, since it already is encrypted -- it encrypts the encryption key. However, any data stored on other volumes or other SSDs is not protected by this, so the following discussion does apply.)
When you retroactively encrypt a drive, what you're basically doing is overwriting the old (unencrypted) data with an encrypted version. Overwriting the whole disk with zeros or random data is better for several reasons:
- Encrypted data might be decryptable if the key/password leaks, is guessable, accidentally gets stored somewhere else, etc. Zeroes and random data cannot be decrypted because they don't contain any (relevant) information. Encrypting sounds like it's providing some extra level of protection, but this is illusory.
- Depending on how the encrypt procedure works, it might not bother to encrypt "unused" portions of the disk -- but they might still contain leftover copies of old files (Ezekiel Elin mentioned this in a comment). I don't know exactly how macOS' current implementation works, but I know that overwriting the whole drive with zeroes/random data doesn't have this problem (well... with a caveat I'll get to).
- macOS' volume encryption works at the volume level, and doesn't encrypt parts of the disk outside of your data volume. And there are a few types of info that may be stored outside of that.
There's also a problem that even overwriting with zeroes or random data doesn't solve: the SSD itself doesn't expose all of its storage space to the computer, so if you erase/overwrite "everything" from the computer... you haven't actually erased/overwritten everything. Reading the hidden residual data generally involves disassembling the SSD and bypassing its controller to read from the raw chips, so it's not something people are likely to do unless they think there's something of serious value on your SSD, so you probably don't have to worry about this. See my answer here and the links in it for the gory technical details. Long story short, overwriting the entire exposed space twice is generally -- but not necessarily -- enough to overwrite all the actual data.
So, in summary: if there's something of really high value on the drive, either don't ever write it unencrypted in the first place, or physically destroy the drive before disposing of it. For reasonable-level sensitive data (e.g. your banking info), overwrite twice with zeroes and/or random data before selling/donating/whatever.