Secure Empty Trash missing on El Capitan

It's impossible to securely delete files from flash storage. The only protection there is full disk encryption. However this doesn't explain why this option is disabled for users with hard drives.

Excellent point. The next time I see Tim, I will recommend that you be promoted to executive vice president in charge of strategic long-range planning. 😉

Moreover, there have been occasions where people have been forced to divulge passwords, so FileVault isn't a complete answer for people using 8TB HDDs.

The OS would still do all the operations it needs to secure delete, but it wouldn't really have the same effect on SSDs. Just because it was there in Yosemite, doesn't mean that Apple intended it to be and that's not a sign that it worked. Secure empty trash on SSDs is a misnomer and Apple fixed that in El Capitan. Not sure why they disabled it for HDDs, though, probably couldn't be bothered to support it when they're phasing them out, anyway.

habibmk wrote:

Just because it was there in Yosemite, doesn't mean that Apple intended it to be

Now that is some interesting reasoning.

Do you have some evidence that secure delete didn't work on SSDs under Yosemite?

I think it was disabled for HDD because there is no clean and simple way to deal with leaving it enabled (via the UI) for HDD and disabling it for SSD.

Consider the following use case:

A user has put files from both a SSD and a HDD in the trash. What should the "Secure Empty Trash" user experience be in that case?

Should OS X secure delete the HDD files and popup a error or warning message about the SSD files? That would be ugly and confusing for less technical users.

Should Secure Empty Trash only show up if all files in the Trash are able to be securely deleted? That would be a behavior that is not intuitive. The end user should not have to have such technical knowledge to be able to understand when and why that menu choice is active or not.

I think the compromise they achieved, by leaving 'srm' for power users, was the best option.

I think it was disabled for HDD because there is no clean and simple way to deal with leaving it enabled (via the UI) for HDD and disabling it for SSD.

Previously, the secure empty trash option was simply hidden from users with SSD-equipped systems. This isn't rocket science.

Consider the following use case:

A user has put files from both a SSD and a HDD in the trash. What should the "Secure Empty Trash" user experience be in that case?

Disable it and/or display a warning indicating that the option does not work with solid state memory. Include a "?" button for additional details on why secure deletion doesn't work on solid state memory, and explaining that security is available in the form of full disk encryption.

Secure delete on an SSD requires TRIM support. OS X did not support TRIM on 3rd party SSDs until 10.10.4. Additionally, when using TRIM the operating system is requesting the SSDs controller to delete the file. The actual physical delete takes place at some later time, know as garbage collecting. If I select "Secure Empty Trash" I hear the crinkling paper sound and the trash can is emptied. Behind the scenes OS X has made a TRIM request to delete the file but the file may not have actually been deleted physically by the time the trash can is emptied.

This article covers things nicely: http://www.makeuseof.com/tag/securely-erase-ssd-without-destroying/

Ziatron wrote:

Moreover, there have been occasions where people have been forced to divulge passwords, so FileVault isn't a complete answer for people using 8TB HDDs.

While there are varying levels of security available for various applications, nothing is going to stop an adversary with sufficient motivation, time, and resources. Even if you are using a hard drive and perform the highest level of secure deletion on a file, traces of the information you deleted may still be scattered across your computer within temp files, cache files, log files, virtual memory, and in RAM.

So when thinking of security, you need to decide how sensitive is the information and how sophisticated your adversary.

If you want to keep a family member from stumbling upon your web browsing history, that's relatively easy to do. If you want to protect personal and financial information on your hard drive or SSD when reselling a computer, that takes a bit more planning and effort. If you make a living in organized crime and the FBI is your adversary, that takes greater precautions still. And if your computer contains valuable military or industrial secrets and your adversary is a hostile foreign government, that's going to take a maximum amount of effort, which will come with a significant degree of complexity and inconvenience.

As Apple serves the consumer market, they only need to focus on the first and second scenarios, which they address with features like full disk encryption and private browsing mode on Safari. If you're conducting criminal activity or handling sensitive, high value data, then an off the shelf consumer product will not serve your needs out of the box.

Nicely put and the consumer focus is one reason I think adding a dialog and ? button is a bit too technical a solution for this but that's just me.

habibmk wrote:

The OS would still do all the operations it needs to secure delete, but it wouldn't really have the same effect on SSDs. Just because it was there in Yosemite, doesn't mean that Apple intended it to be and that's not a sign that it worked. Secure empty trash on SSDs is a misnomer and Apple fixed that in El Capitan. Not sure why they disabled it for HDDs, though, probably couldn't be bothered to support it when they're phasing them out, anyway.

Secure Empty Trash has been disabled for SSD-equipped Macs for a long time. I bought my Macbook in 2013 and the feature was already disabled then.

Satchmo wrote:

Do you have some evidence that secure delete didn't work on SSDs under Yosemite?

http://arstechnica.com/security/2011/03/ask-ars-how-can-i-safely-erase-the-data- from-my-ssd-drive/

Ask Ars: How can I securely erase the data from my SSD drive?

"Some SSDs get around to destroying things like old versions of files with garbage collection, and some can take care of deleted files with TRIM, but because an SSD's only immediate reaction to a deleted file is to forget where that file is rather than erasing it, files can sit scattered around an SSD for a while. Deleting files immediately would cause extra wear on an SSD, which is why they don't do it.

Likewise, it is almost impossible to securely delete an individual file on an SSD, because the way that SSDs write and delete files is scattered, and a user has no control over what an SSD is doing where. If that's the kind of security you're looking for, your best bet is encryption."

NBW wrote:

Secure delete on an SSD requires TRIM support. OS X did not support TRIM on 3rd party SSDs until 10.10.4. Additionally, when using TRIM the operating system is requesting the SSDs controller to delete the file. The actual physical delete takes place at some later time, know as garbage collecting. If I select "Secure Empty Trash" I hear the crinkling paper sound and the trash can is emptied. Behind the scenes OS X has made a TRIM request to delete the file but the file may not have actually been deleted physically by the time the trash can is emptied.

This article covers things nicely: http://www.makeuseof.com/tag/securely-erase-ssd-without-destroying/

Great link. And here's a relevant quote for those "demanding" that Apple provide a secure delete function for SSDs:

"It’s also worth remembering that these drives often use a small amount of unallocated space as a buffer for moving data around, which you’re very unlikely to be able to access. This would technically mean data remains on a drive even after it has been securely erased."

freediverx01 wrote:

"... If that's the kind of security you're looking for, your best bet is encryption."

As stated in the very first reply to the OP:

John Galt wrote:

If you are working with sensitive files whose content must be secure from unauthorized access, use FileVault.

That has not prevented others from providing irrelevant, misleading, incorrect, or just really bad advice in this Discussion.

NBW's concerns are absolutely correct. The problems are not limited to SSDs. There were other problems with "Secure Empty Trash" in addition to its inability to reliably erase flash memory.

John Galt wrote:

freediverx01 wrote:

"... If that's the kind of security you're looking for, your best bet is encryption."

As stated in the very first reply to the OP:

John Galt wrote:

If you are working with sensitive files whose content must be secure from unauthorized access, use FileVault.

That has not prevented others from providing irrelevant, misleading, incorrect, or just really bad advice in this Discussion.

NBW's concerns are absolutely correct. The problems are not limited to SSDs. There were other problems with "Secure Empty Trash" in addition to its inability to reliably erase flash memory.

One problem with Apple's implementation of FileVault is that the password you use to log in and repeatedly grant permissions is also used to encrypt the drive. This means that you have to choose between a reasonably strong password and one which is convenient enough to type in many times a day. There should be a way to set a strong encryption password that you only need to enter once, when starting up the computer, while allowing a more convenient password for routine login and permissions dialogs. The, of course, is a classic example of the struggle between security and convenience, but I think Apple has a tendency to sway too far in the direction of convenience, with insufficient options for those would would prefer more security.

Satchmo wrote:

habibmk wrote:

Just because it was there in Yosemite, doesn't mean that Apple intended it to be

Now that is some interesting reasoning.

Do you have some evidence that secure delete didn't work on SSDs under Yosemite?

The fact of how SSDs work?

What's interesting about that “reasoning”? And what do you think that's my “reasoning” for, exactly? That's not my reasoning for anything, it's just an argument against your claim that Yosemite must have been securely deleting files by virtue of a button existing with that label. You imply this when you say, “[t]hen what has been happening to trashed files on SSD drives when secure delete was selected under Yosemite?”

Thanks Gilles. Apple's explanation for removing secure erase should have been that performing this operation on flash drives is a bad idea due to the limited number of write cycles flash devices can tolerate, not the ridiculous reason they gave. Any advanced OS should be smart enough to distinguish between a flash drive and a hard drive and allow the user the option to override a secure erase if a user attempts it on a flash drive but allow the feature to continue running on machines with real hard drives.