HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Add secure deletion #60

Closed keneos-dev closed 1 year ago

keneos-dev commented 1 year ago

Why not add SDelete and integrate it into the context menu (and maybe recycle bin management)? Just a suggestion, as secure deletion is part of security. The updated DoD 5220.22-M ECE method requires seven passes; the command to reach this standard is: `sdelete -p 7 -r -s C:\SensitiveData`. I'm not sure about SDelete's compatibility with SSDs though.

HotCakeX commented 1 year ago

Thank you for this. To protect data at rest, the script uses BitLocker to encrypt both used and free space of OS drive and [optionally] any other drive. That makes existing and deleted data inaccessible to unauthorized individuals.

However, your suggestion is great and I'd like to implement it in addition to the BitLocker protection. I do need help with implementing it in the new Windows 11's context menu. It's different than the simple registry key modifications required for the regular context menu; AFAIK the new context menu style requires an app to be installed before it can add context menu entries. If it's too much work I guess the old context menu is enough for now.

I'm thinking we can add a new optional step to the BitLocker category where the script downloads SDelete from the Microsoft website, puts it in a location that is inside the PATH env variable for the System and then adds it to the context menu for file deletion.

Something else that'd be cool to have is automating the process so when the user empties the recycle bin, files will be actually deleted using the highly secure unrecoverable methods.

pathei-kosmos commented 1 year ago

> I'm not sure about SDelete's compatibility with SSDs though.

I read conflicting information on the subject, people saying it's useless/doesn't work on an SSD, and people saying the opposite. If it's useless, maybe it's better to avoid shortening the SSD's lifespan with rewrites.

> Something else that'd be cool to have is automating the process so when the user empties the recycle bin, files will be actually deleted using the highly secure unrecoverable methods.

Perhaps by changing the "Empty Recycle Bin" menu entry so that it uses SDelete?

HotCakeX commented 1 year ago

> > I'm not sure about SDelete's compatibility with SSDs though.
>
> I read conflicting information on the subject, people saying it's useless/doesn't work on an SSD, and people saying the opposite. If it's useless, maybe it's better to avoid shortening the SSD's lifespan with rewrites.
>
> > Something else that'd be cool to have is automating the process so when the user empties the recycle bin, files will be actually deleted using the highly secure unrecoverable methods.
>
> Perhaps by changing the "Empty Recycle Bin" menu entry so that it uses SDelete?

Thanks! Those are good points for sure. Looks like full disk encryption is the best proactive solution. Those rewrites will definitely shorten the SSD's lifespan gradually, possibly 7 times quicker than normal deletion operations.

I've never personally sold storage devices before, either destroyed them or kept using them till they stop working and then destroy them.

Maybe we can still provide SDelete optionally for people willing to sacrifice SSD lifespan for greater security/peace of mind/etc.

Btw I checked out the MS answers post. They are changing the name of the context menu entry; I'd need to be able to change the action assigned to it as well.

pathei-kosmos commented 1 year ago

> Btw I checked out the MS answers post. They are changing the name of the context menu entry; I'd need to be able to change the action assigned to it as well.

Yes, normally there is an entry for the command in the same registry folder. I was just able to find `HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\empty\command` which has a DelegateExecute entry with GUID `{48527bb3-e8de-450b-8910-8c4099cb8624}`, so if I understand correctly you'd have to find and modify the associated shell extension (shell32.dll)? The registry is a real maze and I'm not sure what I'm doing. 😅 There may be a simpler entry somewhere, but I haven't been able to find it.
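
A read-only way to inspect what the comment above describes, as an added example that is not part of the original thread or of the project's script: it reads the `empty` verb under the Recycle Bin CLSID quoted in the comment and resolves its DelegateExecute GUID to whatever COM server is registered for it. The function name `Get-ShellVerbHandler` is hypothetical, and nothing is written to the registry.

```powershell
# Added example: inspect (never modify) how a shell verb is wired up.
# Get-ShellVerbHandler is a hypothetical helper name, not part of any module.
function Get-ShellVerbHandler {
    param(
        [Parameter(Mandatory)] [string] $ClassId,   # CLSID of the shell object
        [Parameter(Mandatory)] [string] $Verb       # verb name under ...\shell\
    )

    $commandKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClassId\shell\$Verb\command"
    if (-not (Test-Path -LiteralPath $commandKey)) {
        Write-Warning "No command key found for verb '$Verb' under $ClassId"
        return
    }

    $props    = Get-ItemProperty -LiteralPath $commandKey
    $delegate = $props.DelegateExecute      # GUID of a COM handler, if present
    $cmdLine  = $props.'(default)'          # plain command string, if present

    # A DelegateExecute verb is served by a COM class, so resolve that class
    # to the binary registered for it (in-process DLL or out-of-process EXE).
    $server = $null
    if ($delegate) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$delegate\$kind"
            if (Test-Path -LiteralPath $serverKey) {
                $server = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
                break
            }
        }
    }

    [pscustomobject]@{
        CommandKey      = $commandKey
        CommandLine     = $cmdLine
        DelegateExecute = $delegate
        HandlerBinary   = $server
        # True when the verb is a simple command string that a registry edit
        # could repoint; False when a COM handler implements the action.
        IsPlainCommand  = [bool]$cmdLine -and -not $delegate
    }
}

# The Recycle Bin CLSID and verb are the ones quoted in the comment above.
Get-ShellVerbHandler -ClassId '{645FF040-5081-101B-9F08-00AA002F954E}' -Verb 'empty' |
    Format-List
```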

HotCakeX commented 1 year ago

> > Btw I checked out the MS answers post. They are changing the name of the context menu entry; I'd need to be able to change the action assigned to it as well.
>
> Yes, normally there is an entry for the command in the same registry folder. I was just able to find `HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\empty\command` which has a DelegateExecute entry with GUID `{48527bb3-e8de-450b-8910-8c4099cb8624}`, so if I understand correctly you'd have to find and modify the associated shell extension (shell32.dll)? The registry is a real maze and I'm not sure what I'm doing. 😅 There may be a simpler entry somewhere, but I haven't been able to find it.

I'll ask BingChat and see if it can assist in this 👀

pathei-kosmos commented 1 year ago

Modifying shell32.dll seems like a bad idea though. 👀

pathei-kosmos commented 1 year ago

I've looked into the matter further, and the usual secure deletion method, which I believe SDelete uses, is indeed quite unreliable on SSDs. Apparently you'd have to use ATA Secure Delete, which is rather complicated to set up on Windows. One other option is to use the SSD management software supplied by the manufacturer. So encryption seems to be the best option [1] [2] [3]. Bottom line is: nobody really knows [4] [5], but the BitLocker encryption that the script already provides should do the job [6] [7]... 🤞

HotCakeX commented 1 year ago

> I've looked into the matter further, and the usual secure deletion method, which I believe SDelete uses, is indeed quite unreliable on SSDs. Apparently you'd have to use ATA Secure Delete, which is rather complicated to set up on Windows. One other option is to use the SSD management software supplied by the manufacturer. So encryption seems to be the best option [1] [2] [3]. Bottom line is: nobody really knows [4] [5], but the BitLocker encryption that the script already provides should do the job [6] [7]... 🤞

Thank you so much! 🙏

I think that's the best answer, going to close the issue as completed because the solution is already present in the script, and others mentioned in your post such as physical destruction are great for when you're done with the storage device.