With FileVault on, is rm secure?

Related terms here are secure overwrites, data remanence, and volume encryption.

SSDs and overwrites don't work the same as on HDDs. SSDs simply don't support overwriting as was common in some environments using HDDs, as the internal implementations of SSDs are vastly different from those of HDDs.

SSDs dynamically remap all storage on file deletion; this is centrally what TRIM and wear-leveling provide. If you try to do an overwrite on an SSD, you'll simply be acquiring newly-mapped storage and erasing and releasing that. The original storage will end up getting overwritten as it passes through the TRIM processing and gets rewritten by whatever is looking to write to the sector. The sectors are not the same physical sectors, and go through a free list and remapping as part of both TRIM and wear-leveling.

Devices with support for TRIM and wear-leveling and secure delete are the SSD analog of overwriting. Volume encryption adds another layer of protection, and works when (for instance) there's a bad sector that still contains some data.

The rm command deletes the file. It doesn't overwrite. Never has. It does avoid the file going into the GUI Trash folder, which is how it's probably gotten into this discussion. You're probably looking for the srm command and not the rm command, as the srm command does the overwrites and also doesn't relocate the file to the GUI Trash folder. But that overwrite sequence was intended for HDDs and not SSDs.

Modern HDDs don't do overwrites the same way as floppy disks and older HDDs, for that matter. Overwrites aren't entirely reliable even with HDDs, as the HDDs increasingly re-map (re-vector) storage in various cases, meaning there can be some data left in bad sectors, for instance, and these bad sectors are no longer accessible to the host file system for read or write or overwrite.

Volumes with File Vault 2 (whitepaper) (and an FV2 review) enabled and with good passwords selected avoid the exposure of the data, so long as the password is secure.

Some SSDs support a feature known as secure erase (SE), which can overwrite the contents of the device. That's how some tools can overwrite SSD volumes; they ask the SSD to overwrite itself.

It's also possible to overwrite freespace from the command line and that command is posted around the 'net, but that still doesn't do what you really want here as there are additional sectors not currently in the free space; SSDs are routinely over-provisioned to account for wear and errors, so there are extra sectors around and quite possibly some failed sectors that might still contain data.

What you're probably headed for here is two-factor authentication (2FA) and with File Vault 2 on all storage. There are 2FA options for macOS. That avoids exposing the data on system loss or on device repair and replacement, and requiring 2FA means both the token and the password are required for access. And it means that you're not dealing with overwrites and bad sectors in any form. And it means that the contents of any failed sectors and any in-transit TRIM'd sectors and any over-provisioned sectors are all either empty or are encrypted.

If you have PCI credit card data or other financial data, or have HIPAA data or other covered data, contact your organization's compliance folks for specific requirements. If you have military or other sensitive government data, check with the site security officer. Getting feedback from random folks (like me) in a discussion forum probably isn't the most defensible starting point if there's eventually some sort of a breach.

There are other discussions of secure erasure, of TRIM and wear leveling, and SSD overwrites and the Secure Erase command (where that's available) around the 'net. The local compliance folks will know which of those discussions they want you to pay attention to, too. If not, maybe start with this discussion....

Per Apple: "With an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD. For more security, consider turning on FileVault encryption when you start using your SSD drive." and "Impact: The "Secure Empty Trash" feature may not securely delete files placed in the Trash

Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the "Secure Empty Trash" option."

I quite understood your underlying need for security. I'm afraid I do not know what you would need to do for a cryptographic guarantee of security. I think you need the help of a security expert rather than a user-only help forum.

I do have questions regarding the security of your data as it is. Why is the computer not secure when out of your possession? How does an adversary gain access to your passwords and keys? Why is the computer not locked in a safe when unused? Why are you using FileVault if it hasn't already been vetted for your company's use?

Thank you for a very informative essay.

Kappy

Encrypted data remains encrypted even when deleted from an encrypted drive. That is what should happen. I don't know if that is written down in a FileVault article, but you can test it for yourself by deleting a file then trying to recover it with recovery software. If the file can be recovered and decrypted then you know it isn't secure.

On the other hand, why would an adversary have your decryption key? If you are concerned about this it would be wise to change passwords and keys.

The "rm" Terminal command deletes a file directly, ie., the file does not go to the Trash and cannot be restored. That does not mean it cannot be recovered using recovery software unless it is overwritten.