‘Delete Immediately…’ in OS X El Capitan

With OS X El Capitan (10.11) the Finder has gained a handy new feature: Delete Immediately…

To immediately delete one or more files or folders, select them in the Finder, then hold down the Option and Command keys and press Backspace (⌥⌘⌫).

Alternatively, you can choose the command in the Finder’s File menu while holding down the Option (⌥) key.


OS X El Capitan: Delete Immediately

Delete Immediately… does what it says: it deletes the item rather than putting it into the Trash (⌘⌫). As such it accomplishes what was formerly only available through the Terminal command rm.[1]

To find out if it really does the same as rm I tested both commands against various file protection methods:

| File Security[2] | Deletable with ⌥⌘⌫ | Deletable with rm |
|---|---|---|
| Flag: UF_IMMUTABLE | No[3] | Yes, as sudo |
| Flag: UF_APPEND | No | Yes, as sudo |
| Flag: SF_IMMUTABLE | No | No |
| Flag: SF_APPEND | No | No |
| ACL: deny delete | Yes, with password | Yes, as sudo |
| Parent folder’s flag: UF_IMMUTABLE | No | No |
| Parent folder’s flag: UF_APPEND | No | No |
| Parent folder’s flag: SF_IMMUTABLE | No | No |
| Parent folder’s flag: SF_APPEND | No | No |
| Parent folder’s permissions: 444 or 000 | No | No |
| Parent folder’s owner:group: root:wheel | Yes, with password | Yes, as sudo |
| Parent folder’s ACL: deny delete_child | Yes, with password | Yes, as sudo |

We see that rm and ⌥⌘⌫ indeed behave almost identically, with one exception: if either of the user flags UF_IMMUTABLE (user immutable) or UF_APPEND (user append-only) is set on the file, ⌥⌘⌫ refuses to delete it, whereas sudo rm still deletes it.
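The flag rows of the table above, turned into a small checker that reads the BSD flags of a file and of its parent folder and reports the outcome the table gives for each tool. This is an added example, not the author's code; the function names decode, predict and audit are made up here, and the ACL, ownership and permission rows are not modelled.

```python
import os
import stat

# Deletion-blocking BSD file flags from the table (bit values as in <sys/stat.h>).
BLOCKING = {
    "UF_IMMUTABLE": stat.UF_IMMUTABLE,
    "UF_APPEND": stat.UF_APPEND,
    "SF_IMMUTABLE": stat.SF_IMMUTABLE,
    "SF_APPEND": stat.SF_APPEND,
}

def decode(st_flags):
    """Names of the deletion-blocking flags set in an st_flags bitmask."""
    return [name for name, bit in BLOCKING.items() if st_flags & bit]

def predict(file_flags, parent_flags=0):
    """Expected outcome per the table's flag rows (hypothetical helper)."""
    own, parent = decode(file_flags), decode(parent_flags)
    reasons = [f"file: {n}" for n in own] + [f"parent folder: {n}" for n in parent]
    # Any flag on the parent folder, or a system (SF_) flag on the file, blocks both tools.
    hard_block = bool(parent) or any(n.startswith("SF_") for n in own)
    return {
        "finder_delete_immediately": not reasons,  # ⌥⌘⌫ refuses on any of these flags
        "sudo_rm": not hard_block,                 # user (UF_) flags on the file do not stop it
        "reasons": reasons,
    }

def audit(path):
    """Read the flags of path and its parent folder and predict both outcomes."""
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    # st_flags exists on macOS/BSD only; elsewhere treat it as 'no flags set'.
    file_flags = getattr(os.lstat(path), "st_flags", 0)
    parent_flags = getattr(os.lstat(parent), "st_flags", 0)
    return predict(file_flags, parent_flags)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, audit(p))
```

Run it with one or more paths as arguments to see which flags, if any, explain a refused deletion.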

Selectively Emptying the Trash

With ⌥⌘⌫ you can also delete files that are already sitting in the Trash can. In practice this means that now you can selectively empty the Trash, something that was impossible in the Finder prior to El Capitan.

Secure Deleting?

You may have noticed that in El Capitan Apple has removed the Secure Empty Trash feature. This is because flash storage drives are becoming more and more widespread. (See CVE-2015-5901.) With flash drives it is virtually impossible to securely delete (i.e. overwrite) data.[4]

It is important to understand that Delete Immediately… is not a replacement for the disappeared Secure Empty Trash! It just erases the catalog entry of the file, the same thing that happens when you non-securely empty the Trash.

So what can you do if you really need to securely delete a file?

If the file is on an unencrypted flash drive, you just can’t enforce a secure deletion. However, if the file is on an “old-fashioned” hard disk (that is, no SSD, flash drive or Fusion Drive), you can use either of these Terminal commands:

  • rm -P /path/to/the/file (will overwrite 3 times)
  • the srm command, which has various options. For example srm -m /path/to/the/file will overwrite 7 times.

If you don’t know how to use the Terminal, here’s a nice introduction. If you are a LaunchBar user you are lucky, because you can use my Delete Action which adds various secure-delete commands to the LaunchBar GUI.

Please keep in mind that these overwrite commands only make sense if the data is not on a flash or Fusion Drive!

If you want to work with sensitive data on a flash drive, you have to make sure beforehand that the data never touches the drive in unencrypted form. You could, for example, activate FileVault (on the startup drive), or you could store and edit the files exclusively on an encrypted disk image (.dmg)[5] or inside a secure application like 1Password.


Footnotes

  1. Or rm -R for folders.
  2. Flag: ‘BSD File Flag’; ACL: ‘POSIX Access Control List’; Permissions: ‘UNIX Permissions’. Complete reference (Apple).
  3. Can be unlocked in the Finder’s Info window.
  4. Flash drives try to distribute writes, in order to keep the wear level even. So it is almost guaranteed that each “overwrite” pass will write to a new location – and not to the one where the original data is located.
  5. An encrypted 7z archive or something similar won’t help, since upon expansion the unencrypted data will get stored on the drive.

12 thoughts on “‘Delete Immediately…’ in OS X El Capitan”

  1. Well, let’s say I’m on a new SSD and I transfer some files onto it (let’s say a new Mac), then I decide to encrypt the whole SSD drive, and then once it’s done I delete one of these files normally on this newly encrypted SSD. Will it be deleted securely, just as if I was on an HDD using Secure Delete (3 passes or more)?

    1. With “encrypt the whole SSD drive” you mean FileVault 2, right?

      When you delete a file on FileVault this file is securely gone, for sure. But there is no need to delete the file since it is encrypted anyway. But it seems that you are assuming that the encrypted copy lives on exactly the same physical disk location as the original before. I don’t think this is the case.

      The point is, what will happen with your original (unencrypted) file at the time when you create the FileVault? The most likely is that the OS (or the HFS driver or whatever) reads the original file, writes the encrypted copy to disk and then unlinks (deletes) the old one.

      The problem with SSDs is that the disk controller (not the file system driver or the OS) decides at which (physical) location exactly the bytes get written to (in order to even out the wear level). So to me it seems more likely that the original, unencrypted file is still physically present (and not overwritten by the encrypted copy). Unless the – theoretical – case that your disk is 100% full when you create the FileVault (but then you won’t be able to create a FileVault).

      Of course, it may happen that the original file gets overwritten (immediately or later when other files are written), but this is not predictable. Even if the OS tried to securely erase the original file, it’s unlikely that the overwrite sequence “hits” the physical location of the original file. Thus I don’t think the OS will try to securely erase on an SSD.

      However it seems that generally on SSDs it’s not easy to recover an unlinked (deleted) file, probably because it gets destroyed (partially overwritten) sooner than on HDs, due to the SSD’s write behavior.

      Here’s an interesting read with a couple of good links.

  2. Hmm, I think I understand, but just to make sure.
    On my new Mac I transferred from my old Mac (old Mac HDD being destroyed) some files onto my new Mac, which is one SSD drive.
    Once that was done I then decided to encrypt (FileVault 2) the whole drive. Here is my question: since the file was transferred to an unencrypted SSD drive and then I activated FileVault 2 on that whole drive, then once done I decide to delete (trash) a file on this encrypted SSD, I suppose it’s deleted securely, right? But because it was originally on my drive unencrypted before I encrypted the SSD drive, would there be a copy left somewhere?

    1. Sorry for the late reply.

      Yes, I think you understood it correctly. So: If your documents just contain some banking and SIM PINs, I would leave it as it is. If you are using the disk regularly, chances are good that (at the latest) after some time there won’t be much to recover easily. But if the contents of your documents are worth 2 years of prison, and you already see the detectives in their car near your house, I would definitely get rid of that disk 😉

      And next time follow the steps as described in the link of my previous post. (Install the system, update and set up the system, set up FileVault and then copy over your documents.)

      1. lol, more like business oriented docs, Financial and truly understand all this file vault thing which we did not understand and was it worth using it.

          1. That’s not quite the place for anti virus questions, but if I can help you, post it here.

            Thanks for asking and not just posting.

            1. Should we have an antivirus on Mac, many say it’s not really needed.
              If we stay clear of software downloaded from the web and just use the App Store, would it still be necessary. We all know that antivirus slows down a PC by what 15% give or take. Anyway it’s no big deal to install one. On the Mac App Store there seem to be some available with good comments. Just wanted your perspective on it, no rush. Thanks

              1. You should use punctuation, for example “?”, if it’s a question. This way I know what is actually a question; or a note. If you don’t use punctuation, I have to guess.

              2. No, I don’t use any anti-virus on my Mac. I’m fine with this since decades. From time to time I also examined various “anti-virus” solutions, but, forget it. The point is, of course there are viruses on Mac, but you won’t catch them, because Apple will be first (Usually ;). So – in my humble opinion – any, no, sorry, many of the antivirus on the Mac are quite fake. One exception ClamAV. This is a longstanding Unix Antivirus, it’s considered to be quite OK, it’s not the best in discovering new viruses, but it won’t bother you with false positives either.

                1. No, everything seems OK, everything works fine. We will leave it at this then, down with fake antivirus 🙂
                  Well, let me thank you for your help, it’s appreciated
                  Sorry for the punctuation
