Secure deletion

Hi everybody
I have a question about app VMs that get deleted. If I delete an app VM, in this case a standalone VM, I am interested to know how I would securely delete this using something like BleachBit so that it is unrecoverable.

I imagine that I’d use BleachBit to “wipe free space” (or whatever that option is). Would I do this from dom0?

I scoured the docs with no success, so any help is very welcome.

Generally speaking, “secure deletion” tools like that assume that the data is ultimately stored on a hard disk drive (HDD) where specific sectors can be overwritten (sometimes repeatedly) in order to make it difficult or impossible for the data to be forensically recovered. However, solid state drives (SSDs) don’t work the same way. You can’t be sure that you’re writing to the same physical sectors, so these old-fashioned “secure deletion” tools don’t have the same effect. Since we specifically recommend installing Qubes on an SSD, and since almost all recent computers use an SSD for the primary system drive, the old “secure deletion” tools have become less relevant. Generally speaking, the best solutions for SSDs are:

  1. Full-disk encryption (FDE), which Qubes uses by default. With FDE, you only have to destroy the encryption key in order to render the content of the drive unreadable. It doesn’t matter that you can’t securely delete individual files, since they’re unreadable anyway. (Of course, this was also – and still is – an option with HDDs.)
  2. TRIM, which is more complicated. When set up correctly, the idea is that issuing a normal file deletion command is passed down through all required layers until the physical data is actually erased from the SSD.

This is just a brief overview, but it should point you in the right general directions, should you wish to do some more research.
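As an added illustration of the point about TRIM needing to pass through every layer (this is not part of the original thread or Qubes documentation): the script below reads output in the format of `lsblk -n -l -o NAME,TYPE,DISC-GRAN,DISC-MAX` and flags each block layer that does not accept discards. The sample device names and sizes are constructed, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: find the storage layers where discard (TRIM) is not passed down.
# Expected input columns: NAME TYPE DISC-GRAN DISC-MAX, as printed by
#   lsblk -n -l -o NAME,TYPE,DISC-GRAN,DISC-MAX
# A layer reporting 0B for granularity or max size does not accept discards.

# Constructed sample (not from a real machine): an SSD, its partitions,
# a dm-crypt mapping that does not pass discards, and an LVM volume on top.
sample_lsblk() {
cat <<'EOF'
nvme0n1          disk   512B   2T
nvme0n1p1        part   512B   2T
nvme0n1p2        part   512B   2T
luks-example     crypt    0B   0B
example_vg-root  lvm      0B   0B
EOF
}

# Print one line per layer with a verdict and a hint on where to look.
discard_report() {
    awk '
    {
        blocked = ($3 == "0B" || $4 == "0B")
        if (!blocked)            note = "passes discard"
        else if ($2 == "crypt")  note = "BLOCKED: is the mapping opened with allow-discards?"
        else if ($2 == "disk")   note = "BLOCKED: drive reports no discard support"
        else                     note = "BLOCKED: check this layer and the one below it"
        printf "%-16s %-6s %s\n", $1, $2, note
    }'
}

# Print the number of layers that do not accept discards (0 means the
# whole chain passes them).
discard_blocked_count() {
    awk '$3 == "0B" || $4 == "0B" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample. On a real system, replace
# sample_lsblk with: lsblk -n -l -o NAME,TYPE,DISC-GRAN,DISC-MAX
sample_lsblk | discard_report
```

In the sample, the drive and its partitions accept discards, but the encrypted mapping does not, so a deletion issued in a volume above it never reaches the SSD as a TRIM.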

Thank you for that great reply.
So, what I am hearing is that, by default, I am well covered by Qubes anyway. I am using an SSD so I fall into your description.

Thank you for the info on the older deletion methods. I didn’t know that. I will investigate TRIM and see how I go.

I appreciate the considered response.

Basically, yes, though it depends on what exactly you mean by “covered,” i.e., your threat model and which security properties you expect from the default FDE in Qubes. For example, a common concern is that, when it comes time to upgrade a drive (or an entire computer), we want to ensure that confidential data doesn’t fall into the wrong hands. The drive might be sold or donated or thrown away. In such cases, we have little control over who might come into possession of the drive in the future. FDE provides excellent protection for this use case, as long as the encryption passphrase is kept secret or the encryption header is wiped when you’re done with the drive.

@Brad: Maybe this is interesting.

PS: The final conclusion is what @adw already said.

Thanks very much for that info. My threat requirements are minuscule, I’m more of a privacy and security enthusiast but I like to just know things. Thank you for the secure delete link. That fills things in wonderfully.

I appreciate the replies guys. Good learning for me.