Secure Empty Trash: We lost that option with El Capitan; how could we get it back?
I’ve seen this question come up a number of times since late in the El Capitan public beta cycle, and you can find hundreds of postings about it on Apple’s forums and elsewhere. People have a concern about this option having gone missing, even if they used it as an extra measure of security, rather than ever having had a breach due to not using it.
Secure Empty Trash was originally designed around hard disk drives (HDDs). When you perform a normal Empty Trash operation, the file isn’t immediately overwritten on your HDD; rather, the disk’s index, created as part of the formatting operation, has its entry for that file removed. The space is available for other files, but someone could still recover the data from magnetic spinning media, or at least read some of the deleted files using basic disk repair or disk analysis software.
Secure Empty Trash wouldn’t just delete the file’s index, but also would overwrite it a single time with zeroes. While it’s well-known and proven by academic and private researchers that overwriting a magnetically-stored 0 or 1 once doesn’t mean it can’t be read as an electromagnetic ghost later, someone casually interested in your files can’t recover them. You’d need to fall afoul of a government agency or be the target of a high-end criminal enterprise.
However, Solid-State Drives (SSDs) don’t store data in the same fashion as HDDs. Because each erasable area of memory suffers from wear-and-tear with each write (which includes erasure), SSD management software tracks usage unit by unit, rotating through available storage to distribute wear across an entire drive, dramatically improving its life expectancy.
Depending on the SSD controller and other factors, it can be impossible to assure that the specific memory locations were erased, which provides
a slight but reasonable chance of recovery parts of deleted files. Apple opted to remove Secure Empty Trash because it couldn’t assure users that deleted files were, in fact, securely overwritten. In
its El Capitan security release notes, it said:
Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the “Secure Empty Trash” option.
Yes, I know that sounds hilarious on its face: “We can’t make it work, so we fixed the problem by removing it.” And Apple could have left the option in place for HDDs, although there are known conditions in which bad HDDs sections—as little as the smallest unit of HDD storage—could be noted as “bad” without the data being deleted from them.
Further, in updating Disk Utility, Apple removed separate options for a similar reason: Zero Out Deleted Files, 7-Pass Erase of Deleted Files, and 35-Pass Erase of Deleted Files. These are unreliable on SSDs and have a deleterious effect on their lifespans as well.
Apple was justified in disabling Secure Empty Trash (at least for SSDs). But you’ve got options.
FileVault 2 to secure a whole drive
For SSD-based Mac owners, the best course if you want to be sure files are unavailable to anyone else is to
enable FileVault 2. FileVault 2 uses whole-disk encryption to read and write every chunk of data securely. With an HDD, especially a 5400-rpm disk, it might slow you way down. But with an SSD, you won’t notice it.
As long as you’re powered up, the files are available to someone who gets ahold of your computer and thus deleted files on an SSD have the same remote potential to be recovered. But whenever the computer is shut down, all files and former file traces are strongly encrypted.
Using screen lock or logging out makes it harder for files to be accessed, but without shutting down, the filesystem is decrypted, and lesser protections prevent access.
Command-line secure erasure
If you still have an HDD or a Fusion drive—which uses a small amount of SSD alongside an HDD to speed up overall performance—you can resort to the Terminal to use the now-removed commands. (If you have backup archives of files, mind that those are secured in some other fashion, too, or securely deleted!)
Warning: You can really mess things up forever by using these commands. Be very, very careful what you type, and make sure this is within your comfort level.
Launch the Terminal from Applications > Utilities. The srm command is “secure remove” (normal remove in Unix is rm). It will attempt to overwrite a deleted file with other data, either 1, 7, or 35 times. By default, the command uses 35 passes of a variety of different bytes, including some random. You can control via command-line flags whether to use 1 or 7 passes and whether to overwrite with just zeroes instead of these more complicated patterns. You can delete individual files or entire directories. (I suggest using the -v or verbose flag so you’re better informed about what’s happening, too.)
You need the entire path to a file to perform this correctly. These Unix paths can be inserted by OS X by dragging a file or folder into Terminal after entering a command.
Erase one file securely with zeroes in one-pass by typing the following and pressing Return:
Erasing a folder requires a recursive erase, which starts at the bottom of the folder, its lowest-nested files and folders, and erases all the way to the top—the folder you specify. Get this wrong, and, wow, you can delete a lot of material. So be even more careful.
Erase a folder of files with seven random passes:
srm -rmv /path/to/folder/
If you’ve gotten this far, you can use man srm to find more options available. I’d suggest testing on an external drive or even a flash drive (yes, it uses SSD, but you’re only doing a little bit of testing) if you’re uncomfortable in the least.
Zero out empty space occasionally
There’s one more plan you could carry out, which is to set yourself a reminder and occasionally delete unused space. The Disk Utility option removed in El Capitan can be triggered from the command line. It looks like this:
The 0 location is where you enter the level of erasure. With 0, diskutil uses the fastest and easiest method: all empty space is overwritten with zeroes in a single pass. You can pick 1 for a random overwrite, 2 for a Department of Defense compliant 7-pass erasure, 3 for a complicated 35-pass wipe, and 4 for the Department of Energy’s 3-pass spec.
For most of us, seven passes should be seven times too many, but enough to prevent all but the information you’re deleting that a national-security agency would want from being recovered—and even then, you’re probably safe. (If that’s what you’re deleting, what files are not deleted on your computer that put you at risk?)
The path to a drive is specified either as / for your boot drive or /Volumes/ plus the drive’s name, including backslashes for spaces. You can drag your drive into Terminal to have it drop in the right encoding, as with files and folders. My drive Four Terabytes appears as /Volumes/Four Terabytes, for instance.
Ask Mac 911
We’re always looking for problems to solve! Email yours to
firstname.lastname@example.org including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.