What's your checklist for when you hand your laptop in for repair?

First off, if you have work/proprietary code on the laptop you should be asking the company to fix it and follow their procedure.

Second, if we're talking about my laptop.. I use Linux and a fairly open hardware device so I simply order replacement parts online and fix it myself. I can't imagine sending my laptop away to get it fixed.

If I can't fix it.. I remove all working parts and toss in a supply box. I toss the device carcass in a pile in my garage in hopes of finding a use some day, and order a new laptop.

You'll never get all of the sensitive data off of it by deleting it piecemeal. There's just too much private data generated from normal usage.

You can get an impression of how much by searching for "forensic artifacts." Here's a taste: https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWI...

That's not even a complete list. For example, I think it's missing the QuickLook cache that contains thumbnails of all the things you've previewed recently.

So the checklist is simple:

1. Backup your drive.

2. If FileVault wasn't turned on, turn it on and wait for it to finish encrypting the disk.

3. Erase the disk and reinstall the operating system.

EDIT: Forgot that not everyone has FileVault turned on. Turn on FileVault, everyone!

I wanted to say "remove the hard disk" but with Macs that's not an option anymore, so if there's sensitive data on it I'd personally do a full backup and then wipe the disk using a factory reset before sending the device in. Who knows where it might end up? Even if the disk is encrypted there might be a way to decrypt it in the future (e.g. firmware issue, weak password etc.), so the only way to be sure is to completely purge all data. And selectively deleting stuff is a bad idea, even if the disk is encrypted the file system will usually not overwrite the files on deletion, i.e. if someone manages to bypasss the full-disk encryption the files might still be recoverable (unless you use "shred" to overwrite them, which has its pitfalls as well if used on single files).

Maybe I'm naive but shouldn't it be enough to encrypt your disk with FileVault? Of course assuming that you don't hand over your password to the technician. Also logging out of iCloud would remove the option to e.g. lock or wipe the device remotely.

First item on my checklist is to buy a laptop that I can repair myself. Knock Clevos all you want but System76 includes detailed instructions on how to replace almost any part going back several generations. Plenty of other vendors like Framework and Starlabs also support self-repair.

If we're talking Macs being serviced directly with Apple I don't see how doing anything is necessary. Anything more than backing up your system (in case Apple needs to wipe it) is a waste of your own time.

Whatever Apple employee is performing service on your machine doesn't have the time or possibly even the ability to do much of anything with your system. Apple's going to be using automated diagnostic tools and has a general interest in getting your repair done as quickly as possible.

That Apple employee is being watched by cameras and monitoring tools while they do their job and they're not going to sacrifice their performance metrics or potentially get fired/prosecuted over a desire to rummage through your system. Put yourself in their shoes: if you were repairing 20 laptops per day as your job, how much would you care about fucking around on any of those particular systems? File this one under "the cashier doesn't care that you're buying condoms."

If Apple did something with your stuff it could be very detectable, and Apple is a massive lawsuit target. They have every motivation to be extremely careful about how they handle data. They also handle repairs for business customers.

If you've really got some sensitive data, you still don't need to be talking about nuke scripts and other time-wasting complexities. Skip all that and just do a local Time Machine backup, wipe the system, then send it in for repair. Then when you get it back you restore the whole thing as a single piece. But honestly I've never bothered with that.

If I trust my disk encryption:

1. Power off computer.

If I don’t trust my disk encryption:

1. Fix it myself or buy a new computer.

Back up all data, especially my various nix configuration files (`configuration.nix`, `home.nix`, `flake.nix`es, etc.`).

Wipe the LUKS header (`cryptsetup erase && wipefs -a `).

Run the default NixOS setup.

When I get the machine back, reformat & re-install. Copy back the config, reboot to my working old system.

I've got an "erase your darlings" style setup, so everything outside /home and /persist gets erased every boot anyway, and I test my backups so "just wipe it and restore once it's back" is pretty low risk.

I usually remove the HDD if it isn't a problem related to it. Of course that has become more difficult as products got worse.

If that isn't possible, I usually make a backup and restore system to defaults. Easier for support to determine the issue if software is in any way involved.

I believe some manufacturers explicitly tell you that you cannot expect your data getting returned if you ship your device to them. You get it back in most cases, but not if you get the whole device replaced for example.

Personally I make an exact copy of the disk to an other, reset any OS (Windows/Mac/Linux) and hand over the laptop for repairs.

When I get the laptop back, I restore the disk.

If you want to be more secure, in case you worry that someone might do a file recovery to grab data, just overwrite all the data with 0x00 using a program. and your data will be secure and unrecoverable unless someone will try really hard to sniff your data.

All my work goes in Documents on linux and windows and I just rsync those files that I don't keep in the cloud over to a backup drive. Most of them I could get by without. Everything else is on github or cloud drives. It's been a long time since I trusted a piece of hardware with irreplaceable files. If it's a personal computer, I just take the hard drive out. They will have spares they can put in. If I couldn't take the HD out I would at least wipe it. All my drives have an encryption layer at all times.

1. power off (if needed)

2. unscrew all screws

3. replace everything non-functional

4. screw all screws, use blue fixator

5. power on

6. notice that one of bus ribbons was forgotten or misplaced

7. redo steps 1-5

8. get a final result, power on

Disk encryption should always be turned on, and I don't think your other tactics are going to provide a meaningful increase in security if that's done (although I still think they're all a good belt-and-suspenders approach).

Our company uses VMs for everything sensitive now, so hopefully no one needs this checklist!

If you use an authenticator app on your phone for 2FA codes make sure you have backup codes for all your accounts.

oh definitely remove the hard disk. even if you delete files, pros can recover it.

Back it up and wipe it clean.