
Secure File Deletion: Eraser, BleachBit, and shred Guide

Permanently delete sensitive files on Windows and Linux using Eraser, BleachBit, and shred to prevent data recovery.


When you delete a file normally, only the reference to it is removed — the actual data remains on disk until overwritten. Data recovery tools like Recuva or PhotoRec can restore “deleted” files within seconds. Secure deletion overwrites the file’s data with random bits before removing it, making recovery forensically impossible on HDDs and significantly more difficult on SSDs.

HDD vs. SSD: Important Distinction

On HDDs, secure overwriting works reliably — overwritten data cannot be recovered with consumer tools (and is extremely difficult even with lab equipment).

On SSDs and NVMe drives, secure deletion is more complex due to wear leveling, over-provisioning, and TRIM. The drive’s firmware may store data in sectors you can’t directly address. For SSDs, full-drive encryption (enabled before data is stored) is the most reliable approach — encrypted data without the key is unrecoverable regardless of where it’s stored.

Windows: Eraser

Eraser is the gold standard for secure file deletion on Windows. Free and open source.

Download: eraser.heidi.ie

Usage

Right-click deletion: After installation, right-click any file or folder → Eraser → Erase for immediate secure deletion.

Scheduled erasure: Open Eraser → New Task → Add Data → choose targets (files, folders, unused disk space, recycle bin).

Erasing free space (overwrites previously deleted files): New Task → Add Data → Unused Disk Space → select drive → Run.

Overwrite method (settings): Preferences → Erasing → choose algorithm:

  • Pseudorandom Data (1 pass): Sufficient for modern drives — fast
  • DoD 5220.22-M (7 passes): Overkill for HDDs, unnecessary for SSDs, very slow
  • Gutmann (35 passes): Academic — unnecessary for any modern drive

1-3 passes of pseudorandom data are sufficient. Multi-pass methods were designed for older MFM/RLL drives and provide no practical security advantage on modern HDDs.

Windows: SDelete (Sysinternals)

Microsoft’s SDelete from the Sysinternals Suite provides command-line secure deletion:

# Securely delete a single file
sdelete64.exe -p 1 "C:\path\to\sensitive_file.docx"

# Securely delete a folder and all contents
sdelete64.exe -p 1 -s -q "C:\path\to\folder"

# Zero free space on C: drive
sdelete64.exe -z C:

-p 1 = 1 pass (sufficient), -s = recursive, -q = quiet mode, -z = zero free space.

Linux/macOS: shred

shred is built into GNU/Linux and available on macOS via Homebrew:

# Overwrite and delete a file (3 passes + zero + remove)
shred -vzun 3 sensitive_file.txt

# Options:
# -v = verbose (show progress)
# -z = add final overwrite with zeros (hides shredding)
# -u = remove file after overwriting
# -n 3 = number of passes (1 is usually sufficient)

# Shred all .txt files in directory (regular files only)
find /path/to/folder -type f -name "*.txt" -exec shred -vu {} \;

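Note: shred may not work as expected on journaling, log-structured, or copy-on-write filesystems (ext4 with journaling, btrfs, ZFS) or on SSDs, because the overwrite may land on different blocks than the ones holding the original data. For these, full-disk encryption is the recommended approach.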
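
The HDD/SSD distinction and the filesystem caveat above can be checked before shred is run. The following is an added example, not part of the original article or of any tool it describes: it classifies a path by filesystem type, mount options, and the kernel's rotational flag. The function names are hypothetical, and it assumes Linux with util-linux's findmnt and lsblk.

```shell
#!/bin/sh
# Added example: pre-flight check before trusting shred on a path.
# shred_verdict and check_path are hypothetical helper names.

# shred_verdict FSTYPE MOUNT_OPTS ROTA
# Prints "overwrite-ok" or "unreliable: <reason>". Returns 0 only when an
# in-place overwrite can be expected to hit the blocks holding the file's data.
shred_verdict() {
    fstype=$1 opts=$2 rota=$3
    case "$fstype" in
        btrfs|zfs)
            echo "unreliable: $fstype is copy-on-write, new data goes to new blocks"
            return 1 ;;
        f2fs|nilfs2)
            echo "unreliable: $fstype is log-structured"
            return 1 ;;
    esac
    # ext3/ext4 write file contents through the journal only in data=journal mode
    case ",$opts," in
        *,data=journal,*)
            echo "unreliable: data=journal keeps a second copy in the journal"
            return 1 ;;
    esac
    case "$rota" in
        1) echo "overwrite-ok" ;;
        0) echo "unreliable: non-rotational device (SSD/NVMe), firmware may remap writes"
           return 1 ;;
        *) echo "unreliable: could not determine device type"
           return 1 ;;
    esac
}

# check_path FILE: collect the three facts for a real path and classify them
check_path() {
    fstype=$(findmnt -no FSTYPE -T "$1") || return 2
    opts=$(findmnt -no OPTIONS -T "$1")
    src=$(findmnt -no SOURCE -T "$1")
    rota=$(lsblk -dno ROTA "$src" 2>/dev/null | head -n 1 | tr -d ' ')
    shred_verdict "$fstype" "$opts" "${rota:-unknown}"
}

# Usage: sh shred-preflight.sh /path/to/file && shred -vu /path/to/file
if [ "$#" -gt 0 ]; then
    check_path "$1"
fi
```

The rotational flag is whatever the kernel reports; USB flash drives and some virtual disks report 1, so "overwrite-ok" is a necessary condition rather than a guarantee.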

Cross-Platform: BleachBit

BleachBit (free, open source) handles both system cleaning and secure deletion — available for Windows and Linux.

Download: bleachbit.org

Features

  • Secure file deletion: File menu → Shred Files → select files
  • System cleaning with secure deletion: Select items to clean + enable “Overwrite files to hide contents” in Preferences
  • Free space wipe: File → Wipe Free Space → select drive
  • Preset cleaning profiles: Browser caches, system logs, temp files — all cleanable with secure overwrite

Linux Usage (CLI)

# Securely delete a file
bleachbit --shred /path/to/file

# Clean Firefox cache and cookies, overwriting the deleted files
bleachbit --overwrite --clean firefox.cache firefox.cookies

SSDs: Full Disk Encryption as the Solution

For SSDs and NVMe drives, enable BitLocker (Windows) or LUKS (Linux) before storing any sensitive data:

# Linux: Encrypt a new partition with LUKS
cryptsetup luksFormat /dev/sdX
cryptsetup luksOpen /dev/sdX my_encrypted_drive
mkfs.ext4 /dev/mapper/my_encrypted_drive

On an encrypted SSD, “deleting” files still leaves data on disk — but encrypted data without the key is worthless. When you want to permanently destroy access, simply destroy or discard the encryption key.

Secure Deletion of Specific Sensitive File Types

Browser history and cache: Use BleachBit, or the browser’s built-in clear option followed by shred/Eraser on the cache directory.

Office documents with revision history: File → Info → Check for Issues → Remove Personal Information before deletion. Then securely delete.

Email: Thunderbird’s secure empty trash + BleachBit for the Thunderbird profile folder.

Secure deletion is particularly important before selling, recycling, or donating a computer. Run BleachBit to wipe free space, or better — perform a full drive wipe with nwipe (Linux) or DBAN before transferring ownership.
