Securely erasing files

mac_in_tosh

macrumors 6502
Original poster
Nov 6, 2016
397
4,613
Earth
A couple of OS versions ago, Apple stopped including a Secure Empty Trash option, I believe because of the adoption of SSD drives. On my older MB Pro with magnetic hard drive, I used File Shredder to accomplish this. I recently upgraded to a new MB Pro with SSD drive and have done some reading about this but it's all a bit over my head - it may not be possible to overwrite all of a file due to location ambiguity, there's a life cycle issue with too many overwrites, etc. So I just wanted to ask whether there is an app to use on the new MB Pro that could be used sparingly to securely erase a file or at least most of the file in the case of highly sensitive content. I only keep such content temporarily on the laptop, so wasn't considering FileVault.
 

cmaier

macrumors P6
Jul 25, 2007
15,299
10,546
California
A couple of OS versions ago, Apple stopped including a Secure Empty Trash option, I believe because of the adoption of SSD drives. On my older MB Pro with magnetic hard drive, I used File Shredder to accomplish this. I recently upgraded to a new MB Pro with SSD drive and have done some reading about this but it's all a bit over my head - it may not be possible to overwrite all of a file due to location ambiguity, there's a life cycle issue with too many overwrites, etc. So I just wanted to ask whether there is an app to use on the new MB Pro that could be used sparingly to securely erase a file or at least most of the file in the case of highly sensitive content. I only keep such content temporarily on the laptop, so wasn't considering FileVault.
Are you using FileVault? If so, should be moot. But in any case, see if this helps:

 

mac_in_tosh

macrumors 6502
Original poster
Nov 6, 2016
397
4,613
Earth
Are you using FileVault? If so, should be moot. But in any case, see if this helps:

As I mentioned, I only have sensitive files on the MB Pro temporarily so I don't use FileVault.

The section Securely Delete Files Using an Encrypted Disk Image in your linked article should do the trick. So I would use an encrypted disk image, move the sensitive files to it, eject the disk image and then delete the dmg file. Thanks.
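
The encrypted-disk-image workflow described in the post above, sketched as a Terminal script. This is an added example, not part of the original thread or the linked article; the image path, size and volume name are hypothetical defaults, and `DRY_RUN=1` prints the `hdiutil` commands instead of running them.

```shell
#!/bin/sh
# Added example: lifecycle of an encrypted scratch disk image on macOS.
# IMG, VOL and SIZE are hypothetical defaults; override them in the environment.
IMG="${IMG:-$HOME/scratch.dmg}"
VOL="${VOL:-Scratch}"
SIZE="${SIZE:-200m}"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the encrypted container; hdiutil prompts for the passphrase.
scratch_create() {
  if [ -e "$IMG" ]; then
    echo "refusing to overwrite existing $IMG" >&2
    return 1
  fi
  run hdiutil create -size "$SIZE" -fs APFS -encryption AES-256 \
    -volname "$VOL" "$IMG"
}

# Mount the image; save sensitive files directly under /Volumes/$VOL.
scratch_open() {
  run hdiutil attach "$IMG"
}

# Eject the volume, then delete the container file.
scratch_destroy() {
  if [ -d "/Volumes/$VOL" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    run hdiutil detach "/Volumes/$VOL" || return 1
  fi
  run rm -f -- "$IMG"
}

case "${1:-}" in
  create)  scratch_create ;;
  open)    scratch_open ;;
  destroy) scratch_destroy ;;
esac
```

Only files saved directly into the mounted volume are covered; a copy first written elsewhere on the SSD is not removed by deleting the image.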
 

Infinite Vortex

macrumors 6502
Mar 6, 2015
331
544
If your MBP comes with a T2 chip in it then this really doesn't matter a lot. What's written to your SSD is encrypted whichever way. Also, you could just enable FileVault and that will for sure obviate the need to securely erase.
 

cmaier

macrumors P6
Jul 25, 2007
15,299
10,546
California
As I mentioned, I only have sensitive files on the MB Pro temporarily so I don't use FileVault.

The section Securely Delete Files Using an Encrypted Disk Image in your linked article should do the trick. So I would use an encrypted disk image, move the sensitive files to it, eject the disk image and then delete the dmg file. Thanks.
Yeah, I have my wife’s Mac set up with an encrypted disk image that she uses as a folder for sensitive scratch data for her work, for that purpose.

Of course, FileVault works too, and the T2 chip protects the boot drive as well, so there are lots of options.
 

mac_in_tosh

macrumors 6502
Original poster
Nov 6, 2016
397
4,613
Earth
If your MBP comes with a T2 chip in it then this really doesn't matter a lot. What's written to your SSD is encrypted whichever way. Also, you could just enable FileVault and that will for sure obviate the need to securely erase.
Please clarify. The T2 chip encrypts by default? Then what is the FileVault option?
 

cmaier

macrumors P6
Jul 25, 2007
15,299
10,546
California
Please clarify. The T2 chip encrypts by default? Then what is the FileVault option?
The T2 encrypts so that if someone removes the built-in SSD it can’t be read by another computer. It doesn’t encrypt other drives, and the encryption doesn’t require a password so long as someone is using your own computer and hasn’t removed the SSD.

See https://support.apple.com/en-us/HT208344
 

revmacian

macrumors 68000
Oct 20, 2018
1,686
1,383
USA
I'm not sure why you're not using FileVault, but it could be a very good option for you. I didn't use it at first because I thought it would be slow, but those fears dissolved when I started using it and found out there is no performance hit whatsoever on a modern Apple computer.
 

mac_in_tosh

macrumors 6502
Original poster
Nov 6, 2016
397
4,613
Earth
Still trying to understand all this. With the T2 chip, if you copy a file to your computer, I assume it gets encrypted. When you open the file, it is decrypted. After you close the file, I assume it is again encrypted. So if you delete the file, you're deleting the encrypted version?
 

cmaier

macrumors P6
Jul 25, 2007
15,299
10,546
California
Still trying to understand all this. With the T2 chip, if you copy a file to your computer, I assume it gets encrypted. When you open the file, it is decrypted. After you close the file, I assume it is again encrypted. So if you delete the file, you're deleting the encrypted version?
Deleting the file presumably just removes the key for that file, essentially rendering it random.
 

cmaier

macrumors P6
Jul 25, 2007
15,299
10,546
California
So then I wouldn't have to go through the encrypted disk image process outlined in post #3?
If you just want to make sure that nobody can remove your SSD and forensically access the data, then, yes, you should be fine without that method. Of course, it’s always possible that some nation state has a method to recreate the deleted file key or whatnot, in which case an additional layer of encryption is fine, too. And using FileVault or the disk image technique means that someone with access to your machine can’t view the file without a password (before you delete the file).
 