Secure Delete in OSX (Ventura)
Recently, I was asked how to securely delete the free space of a file on OSX. Back in the OSX El Capitan days, Finder had a “Secure Erase” option for the trash can. That option has been removed from all of the modern OSX versions due to how SSDs work. Most of the articles I read still point back to older versions.
How to securely delete files on a Mac system from the command line or Finder.
After some research, I found srm (secure remove), a binary for all OSX/Linux systems. There is a binary for Windows in the repository.
Secure rm can be installed with MacPorts or possibly Homebrew. It can also be compiled from source with the Xcode tools in under a minute.
Step 1: Install Xcode or the Xcode CLI tools.
Xcode is Apple's native compiler toolchain (like GCC). If you are going to compile anything from source code, at least the CLI tools need to be installed.
Either install the full application from the Apple App Store or use the following CLI commands.
xcode-select --install
sudo xcodebuild -license accept
Step 2: Download the SRM package
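Download with wget (wget is not part of a stock macOS install, so install it first via MacPorts or Homebrew if it is missing)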
wget -O srm-1.2.15.tar.gz https://sourceforge.net/projects/srm/files/1.2.15/srm-1.2.15.tar.gz/download
Step 3: Compile
tar -zxvf srm-1.2.15.tar.gz
cd srm-1.2.15
./configure
make all
sudo make install
The binary will install to /usr/local/bin by default. Change this with ./configure if desired.
Examples of Secure Deletion
Types of deletion explained
--simple
Overwrite the file with a single pass of 0x00 bytes. This is the default mode.
--openbsd
OpenBSD compatible rm. Files are overwritten three times, first with the byte 0xFF, then 0x00, and then 0xFF again, before they are deleted.
--dod
US DoD compliant 7-pass overwrite.
--doe
US DoE compliant 3-pass overwrite. Twice with a random pattern, finally with the bytes "DoE". See http://cio.energy.gov/CS-11_Clearing_and_Media_Sanitization_Guidance.pdf for details.
--gutmann
Use the 35-pass Gutmann method. See http://en.wikipedia.org/wiki/Gutmann_method for details.
--rcmp
Royal Canadian Mounted Police compliant 3-pass overwrite. First pass writes 0x00 bytes. Second pass writes 0xFF bytes. Third pass writes "RCMP". See https://www.cse-cst.gc.ca/en/node/270/html/10572 for details.
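To make the pass descriptions above concrete, the following added example (not srm's code and not from the original post) applies the --simple, --openbsd, --doe and --rcmp schedules to a file in Python and lets you inspect the bytes left after the last pass. The function names, and the rename and truncate before unlinking, are this example's own choices. It shows the logical overwrite only: on SSDs and copy-on-write file systems an in-place write is not guaranteed to land on the blocks that held the old data.

```python
import os, secrets, tempfile
from pathlib import Path

# Pass schedules as listed above; None means a pass of random bytes.
# --dod and --gutmann are left out: the page does not list their patterns.
MODES = {
    "simple": [b"\x00"],
    "openbsd": [b"\xff", b"\x00", b"\xff"],
    "doe": [None, None, b"DoE"],
    "rcmp": [b"\x00", b"\xff", b"RCMP"],
}

def fill(pattern, size, offset=0):
    """Bytes for one chunk: random, or the pattern continued from file offset."""
    if pattern is None:
        return secrets.token_bytes(size)
    start = offset % len(pattern)
    reps = (start + size) // len(pattern) + 1
    return (pattern * reps)[start:start + size]

def overwrite(path, mode, chunk=1 << 20):
    """Run every pass of `mode` over the file in place; return the pass count."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("refusing to overwrite a symlink or non-regular file")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in MODES[mode]:
            f.seek(0)
            for off in range(0, size, chunk):
                f.write(fill(pattern, min(chunk, size - off), off))
            f.flush()
            os.fsync(f.fileno())  # push this pass out before starting the next
    return len(MODES[mode])

def secure_remove(path, mode="simple"):
    """Overwrite, then rename and truncate so name and size do not linger, then unlink."""
    overwrite(path, mode)
    hidden = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, hidden)
    os.truncate(hidden, 0)
    os.unlink(hidden)
    return not os.path.exists(path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "secret.txt"
        p.write_bytes(b"constructed sample data " * 10)  # constructed 240-byte input
        overwrite(p, "rcmp")
        after = p.read_bytes()  # what a reader of the file sees after the last pass
        return after, secure_remove(p, "openbsd")
```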
Example 1: Delete a single file
srm --dod srm-1.2.15.tar.gz
Example 2: Delete a group of files
Add “-vvv” for more verbose output.
srm -vvv --dod test?
Output
srm: removing test1
srm: file size: 2097152, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing test2
srm: file size: 2097152, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing test3
srm: file size: 2097152, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing test4
srm: file size: 2097152, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync
Example 3: Recursively delete a folder (directory)
srm -vvv -r --dod ./srm-1.2.15/
Output (snip)
srm: removing ./srm-1.2.15/srm.sln
srm: file size: 1988, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/srm.spec
srm: file size: 947, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/install-sh
srm: file size: 13663, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/configure.ac
srm: file size: 1763, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/INSTALL
srm: file size: 371, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/test/fill.o
srm: file size: 2240, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
pass 7 sync srm: removing ./srm-1.2.15/test/fill_test
srm: file size: 39638, buffer_size=4096
srm: buffer_size=1048576
srm: US DoD mode
Taking it one step further and adding to Finder with “Automator”
This is a bit of a work in progress and will be tailored to individual needs.
Step 1: Open Automator and select Quick Action
Step 2: Wire up Finder to AppleScript
Step 3: Add the following code (AppleScript)
on isDirectory(someItem) -- someItem is a POSIX path string
	-- quoted form of escapes the path so the shell passes it to file(1) literally
	set fileType to (do shell script "file -b " & quoted form of someItem)
	if fileType ends with "directory" then return true
	return false
end isDirectory

on run {thePaths, parameters}
	-- Location of the srm binary. /opt/local/bin is the MacPorts location;
	-- a source build as in Step 3 installs to /usr/local/bin by default.
	set srmLocation to "/opt/local/bin/srm"
	set thePathCount to length of thePaths
	-- Get the delete method
	set DeleteMethods to {"simple", "openbsd", "dod", "doe", "gutmann", "rcmp"}
	set theChoice to choose from list DeleteMethods with prompt "Select your secure delete method:" default items {"dod"}
	-- choose from list returns false when the dialog is cancelled: delete nothing in that case
	if theChoice is false then return thePaths
	set theDeleteMethod to item 1 of theChoice
	set theDeleteMethodSetting to "--" & theDeleteMethod
	set the_results to "Delete Method " & theDeleteMethodSetting
	repeat with a from 1 to thePathCount
		-- Update the progress detail
		set progressNotify to theDeleteMethod & " deletion of Path " & a & " of " & thePathCount
		set theCurrentListItem to item a of thePaths
		-- Process the item
		set theFilePath to POSIX path of theCurrentListItem
		--display notification theFilePath & "has been secure erased." with title "Secure Erase" subtitle "Processing is complete."
		set the_results to the_results & "\n processing \n" & theFilePath & "\n"
		-- Use quoted form of for the path: wrapping it in plain double quotes would let
		-- the shell interpret quotes, $ or backticks that appear in a file name
		if isDirectory(theFilePath) then
			set the_results to the_results & "Directory \n"
			set theResult to do shell script srmLocation & " --verbose --verbose --recursive " & theDeleteMethodSetting & " " & quoted form of theFilePath
		else
			set theResult to do shell script srmLocation & " --verbose --verbose --verbose " & theDeleteMethodSetting & " " & quoted form of theFilePath
		end if
		set the_results to the_results & theResult & "\n"
		display notification theResult with title theFilePath subtitle progressNotify
		-- Pause for demonstration purposes, so progress can be seen
		delay 1
	end repeat
	set the_results to the_results & "Paths Processed " & thePathCount
	display dialog the_results
	return thePaths
end run