Securely erasing files

[mac_in_tosh]

A couple of OS versions ago, Apple stopped including a Secure Empty Trash option, I believe because of the adoption of SSD drives. On my older MB Pro with magnetic hard drive, I used File Shredder to accomplish this. I recently upgraded to a new MB Pro with SSD drive and have done some reading about this but it's all a bit over my head - it may not be possible to overwrite all of a file due to location ambiguity, there's a life cycle issue with too many overwrites, etc. So I just wanted to ask whether there is an app to use on the new MB Pro that could be used sparingly to securely erase a file or at least most of the file in the case of highly sensitive content. I only keep such content temporarily on the laptop, so wasn't considering File Vault.

 

[cmaier]

A couple of OS versions ago, Apple stopped including a Secure Empty Trash option, I believe because of the adoption of SSD drives. On my older MB Pro with magnetic hard drive, I used File Shredder to accomplish this. I recently upgraded to a new MB Pro with SSD drive and have done some reading about this but it's all a bit over my head - it may not be possible to overwrite all of a file due to location ambiguity, there's a life cycle issue with too many overwrites, etc. So I just wanted to ask whether there is an app to use on the new MB Pro that could be used sparingly to securely erase a file or at least most of the file in the case of highly sensitive content. I only keep such content temporarily on the laptop, so wasn't considering File Vault.

are you using FileVault? If so, should be moot. But in any case, see if this helps:

How to Securely Delete Files on Your Mac

Are you worried about deleting sensitive files on an older Mac? If your Mac has a regular HDD, learn how to securely erase files so they're unrecoverable.

www.groovypost.com

 

[mac_in_tosh]

are you using FileVault? If so, should be moot. But in any case, see if this helps:

How to Securely Delete Files on Your Mac

Are you worried about deleting sensitive files on an older Mac? If your Mac has a regular HDD, learn how to securely erase files so they're unrecoverable.

www.groovypost.com

As I mentioned, I only have sensitive files on the MB Pro temporarily so I don't use File Vault.

The section Securely Delete Files Using an Encrypted Disk Image in your linked article should do the trick. So I would use an encrypted disk image, move the sensitive files to it, eject the disk image and then delete the dmg file. Thanks.

 

[Infinite Vortex]

If your MBP comes with a T2 chip in it then this really doesn't matter a lot. What's written to your SSD is encrypted which ever way. Also, you could just enable FileVault and that will for sure obviate the need to securely erase.

 

[cmaier]

As I mentioned, I only have sensitive files on the MB Pro temporarily so I don't use File Vault.

The section Securely Delete Files Using an Encrypted Disk Image in your linked article should do the trick. So I would use an encrypted disk image, move the sensitive files to it, eject the disk image and then delete the dmg file. Thanks.

Yeah, I have my wife’s mac setup with an encrypted disk image that she uses as a folder for sensitive scratch data for her work, for that purpose.

Of course, FileVault works too, and the T2 chip protects the boot drive as well, so there are lots of options.

 

[mac_in_tosh]

If your MBP comes with a T2 chip in it then this really doesn't matter a lot. What's written to your SSD is encrypted which ever way. Also, you could just enable FileVault and that will for sure obviate the need to securely erase.

Please clarify. The T2 chip encrypts by default? Then what is the File Vault option?

 

[cmaier]

Please clarify. The T2 chip encrypts by default? Then what is the File Vault option?

the t2encrypts so that if someone removes the built in ssd it can’t be read by another computer. It doesn’t encrypt other drives, and the encryption doesn’t require a password so long as someone is using your own computer and hasn’t removed the ssd.

see https://support.apple.com/en-us/HT208344

 

[revmacian]

I'm not sure why you're not using FileVault, but it could be a very good option for you. I didn't use it at first because I thought it would be slow, but those fears dissolved when I started using it and found out there is no performance hit whatsoever on a modern Apple computer.

 

[Bandaman]

Use FileVault. The speed difference these days is negligible.

 

[mac_in_tosh]

Still trying to understand all this. With the T2 chip, if you copy a file to your computer, I assume it gets encrypted. When you open the file, it is decrypted. After you close the file, I assume it is again encrypted. So if you delete the file, you're deleting the encrypted version?

 

[cmaier]

Still trying to understand all this. With the T2 chip, if you copy a file to your computer, I assume it gets encrypted. When you open the file, it is decrypted. After you close the file, I assume it is again encrypted. So if you delete the file, you're deleting the encrypted version?

Deleting the file presumably just removes the key for that file, essentially rendering it random.

 

[mac_in_tosh]

Deleting the file presumably just removes the key for that file, essentially rendering it random.

So then I wouldn't have to go through the encrypted disk image process outlined in post #3?

 

[cmaier]

So then I wouldn't have to go through the encrypted disk image process outlined in post #3?

If you just want to make sure that nobody can remove your SSD and forensically access the data, then, yes, you should be fine without that method. Of course, it’s always possible that some nation state has a method to recreate the deleted file key or whatnot, in which case an additional layer of encryption is fine, too. And using filevault or the disk image technique means that someone with access to your machine can’t view the file without a password (before you delete the file).