The Security Editor

Destruction & disposal

Why 'empty the trash' doesn't really delete your files, and what actually does

On modern operating systems, deleting a file just unlinks it. The data usually stays on disk until something else happens to write over it. A practical tour of how deletion really works — and the one reliable way to make a file unrecoverable.

By Alex Trustwell · 5 min read · intermediate

A file you drag to the trash isn’t deleted; it’s moved to a folder called “Trash” (or “Recycle Bin”). A file you “empty from trash” is also not quite deleted; the operating system marks its storage space as available for reuse, but the actual bytes are still on the disk until another file happens to need the same space. On a mostly-empty drive, deleted files can sit around for months or years, recoverable by anyone who runs the right forensic tool.

This is the gap between “delete” and “make unrecoverable”. Closing the gap requires understanding what your storage actually is.

Step 1: what “delete” really does

Every filesystem maintains a directory — a mapping of filenames to the physical locations where the file’s data lives on disk. When you delete a file, the filesystem removes the filename from that directory and marks the physical blocks as free.

The data itself is not touched. It remains on disk until something else needs the same physical location and writes over it. On a lightly used drive, “something else” may not happen for a long time; on a busy drive, it could be minutes.

Tools like PhotoRec, Recuva, and professional forensic suites are built around this fact: they scan unallocated space for file signatures and recover anything whose blocks haven’t been overwritten yet. They work.
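The unlink-versus-overwrite behaviour described in this step, as an added example that is not part of the original article. ToyFS, carve_jpegs and the sample "photo" bytes are constructed for illustration; real carvers such as PhotoRec handle many formats and fragmented files.

```python
# Constructed toy model: a "disk" is a bytearray, the directory maps names to blocks.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start / end markers
BLOCK = 32
SAMPLE = JPEG_SOI + b"\xe0" + b"constructed-photo-bytes" * 2 + JPEG_EOI

class ToyFS:
    def __init__(self, blocks=16):
        self.disk = bytearray(blocks * BLOCK)        # raw storage
        self.directory = {}                          # filename -> block numbers
        self.free = list(range(blocks))              # blocks available for reuse

    def write(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.disk[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.directory[name] = used

    def delete(self, name, overwrite=False):
        """Plain delete only unlinks; overwrite=True zeroes the blocks first."""
        for b in self.directory.pop(name):
            if overwrite:
                self.disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
            self.free.append(b)                      # marked free either way

def carve_jpegs(raw):
    """Signature scan over raw bytes, ignoring the directory entirely."""
    found, start = [], raw.find(JPEG_SOI)
    while start != -1:
        end = raw.find(JPEG_EOI, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + 2]))
        start = raw.find(JPEG_SOI, end + 2)
    return found

def demo(overwrite):
    fs = ToyFS()
    fs.write("photo.jpg", SAMPLE)
    fs.delete("photo.jpg", overwrite=overwrite)
    return "photo.jpg" in fs.directory, carve_jpegs(fs.disk)

if __name__ == "__main__":
    print(demo(False))   # name is gone, file is still carved from free space
    print(demo(True))    # name is gone, nothing left to carve
```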

Step 2: hard drives vs SSDs — the crucial difference

The advice that worked for hard drives (spinning platters, HDDs) does not work for SSDs (solid-state, flash). Understanding why changes what you should do.

Hard drives

On an HDD, when you write to “the same block”, the magnetic material at that physical location is overwritten. An overwrite pass replaces the old data with the new data at that physical address.

So: on an HDD, a tool that overwrites the file’s former location with zeros, random data, or a standard pattern reliably destroys the original data. A single pass of random data is sufficient for modern drives; the “seven passes” folklore (DoD 5220.22-M and similar) is from a different era of drive technology.

Tools:

  • BleachBit (cross-platform, open-source).
  • sdelete on Windows (Sysinternals).
  • shred on Linux.
  • srm on macOS (removed in Catalina; use an alternative).

These are useful and valid for HDDs.

SSDs

On an SSD, the situation is different. Flash memory cannot overwrite a cell; it has to erase (an expensive operation) before writing. To compensate, SSDs implement wear leveling: a translation layer between the logical addresses your operating system sees and the physical flash cells. When you “write to the same block”, the SSD almost always writes to a different physical cell and updates the mapping. The original cell still holds the old data until wear leveling gets around to erasing it.

This means classic overwrite tools do not reliably destroy data on an SSD. They overwrite a logical address; the old data on a physical cell remains, indefinitely, until internal maintenance touches it — which may never happen for a cell that has been retired from active use.

Step 3: cryptographic erasure — the reliable method

The SSD problem has a clean solution, and it’s been hiding in plain sight: if the disk is encrypted, destroying the encryption key makes the data unreadable. The ciphertext on disk becomes noise without the key, regardless of whether the physical flash cells are overwritten.

This is cryptographic erasure. NIST SP 800-88 describes it as a valid sanitization technique for media where physical overwriting is not reliable. It is the modern standard.

In practice, every modern OS has a form of built-in full-disk encryption: FileVault on macOS, BitLocker / Device Encryption on Windows, LUKS on Linux. If your disk is encrypted and you destroy the key, the data is effectively gone — no overwrite required.
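A toy model of Steps 2 and 3 together, as an added example that is not part of the original article: a logical overwrite on a wear-leveled drive leaves the old page in raw flash, while an encrypted drive only ever holds ciphertext there. ToyFTL and keystream_xor are hypothetical names, and the SHA-256 keystream is a stand-in for a real disk cipher such as AES-XTS.

```python
import hashlib
import os

PAGE = 16  # bytes per flash page (tiny, for illustration)

class ToyFTL:
    """Toy flash translation layer: every write lands on a fresh physical page."""
    def __init__(self, pages=8):
        self.flash = [b"\xff" * PAGE] * pages    # raw physical pages (erased = 0xFF)
        self.map = {}                            # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        self.flash[self.next_free] = data.ljust(PAGE, b"\0")
        self.map[lba] = self.next_free           # old page is now stale, not erased
        self.next_free += 1

    def read(self, lba):
        return self.flash[self.map[lba]]

    def raw_dump(self):
        """All physical pages, stale ones included, as chip-level access sees them."""
        return b"".join(self.flash)

def keystream_xor(key, lba, data):
    """Stand-in cipher (assumption): XOR with a SHA-256(key || lba) keystream."""
    ks = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def overwrite_on_plain_ssd(secret):
    ssd = ToyFTL()
    ssd.write(0, secret)
    ssd.write(0, b"\0" * PAGE)                   # overwrite tool: same LBA, new page
    return ssd.read(0) == b"\0" * PAGE, secret in ssd.raw_dump()

def crypto_erase_on_encrypted_ssd(secret):
    key = os.urandom(32)
    ssd = ToyFTL()
    ssd.write(0, keystream_xor(key, 0, secret.ljust(PAGE, b"\0")))
    readable_with_key = keystream_xor(key, 0, ssd.read(0)).rstrip(b"\0") == secret
    key = None                                   # key discarded; only ciphertext remains
    return readable_with_key, secret in ssd.raw_dump()

if __name__ == "__main__":
    print(overwrite_on_plain_ssd(b"PIN=4921"))         # (True, True)
    print(crypto_erase_on_encrypted_ssd(b"PIN=4921"))  # (True, False)
```

In the first result the logical block reads back as zeros yet the secret is still in the raw dump; in the second the raw dump never contained the plaintext at all.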

Step 4: recipes by scenario

You want to delete a single file, permanently, right now

  • HDD. Use a tool like BleachBit or shred to overwrite and delete.
  • SSD. Not reliably possible at the file level. If confidentiality matters for a single file, the correct approach is either to overwrite the entire device (below) or — usually better — to have kept the file inside an encrypted container (a Cryptomator vault, a VeraCrypt container) and just delete the container.

You want to retire a drive that contained sensitive data

  • HDD. Overwrite the whole drive with zeros or random data, one pass, using dd, DBAN, or the drive manufacturer’s tool. Then physically destroy it if you’re paranoid.
  • SSD. Use the drive manufacturer’s tool to issue ATA Secure Erase or NVMe Format with cryptographic erase. For Samsung, SanDisk, Crucial, and WD drives, the manufacturer’s app has a button for this. On Linux, hdparm --security-erase or nvme format do the same thing.
  • If the drive was encrypted all along (BitLocker, FileVault, LUKS), you can simply destroy the key. On BitLocker, deleting the volume and reformatting typically destroys the key. On Apple-silicon Macs with FileVault, “Erase All Content and Settings” does it. On LUKS, cryptsetup erase destroys all key slots.

You want to retire an entire device

Phones and modern laptops: factory reset is reliably secure on Apple devices, on recent Android phones with encryption enabled by default, and on modern Windows laptops where Device Encryption has been on since setup. For older devices where encryption may have been off, treat the device like an unencrypted drive.

For external drives: encrypt them before putting data on them, and the retirement story becomes cryptographic erasure instead of a physical-overwrite scramble.

You are selling a device

Do all of the above, then sign out of every cloud account the device has been signed into, and remove the device from any “Find My” service. Otherwise, the new owner can end up locked out or, if they manage to unlock it, signed into your accounts.

A useful habit

Encrypt before you populate the drive, not after. A drive that has been encrypted since day one has only ever written ciphertext to its physical cells; cryptographic erasure is sufficient whenever you need it. A drive that was used unencrypted for a year and encrypted later still has the old plaintext in wear-leveling reserves; you’ll need the heavier options above to handle its retirement.

The companion article Retiring old laptops, phones, and drives without leaking your life walks through device-by-device checklists.

Sources

  1. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
  2. Microsoft — Create or modify a diskpart script: clean all
  3. ATA Secure Erase — Kingston Technology Overview