Does Secure Empty Trash actually write random patterns of data?

tl;dr: I don’t know, but I have some interesting links.

An Apple security white paper from Oct 2012/Mountain Lion confirms that it’s only a single-pass erase:

Users can also initiate sanitization while deleting files using the Secure Empty Trash command in the Finder. This command overwrites files as they are deleted using a single-pass erase.

but doesn’t say whether it’s a lot of zeroes, or random data.

In Disk Utility on Mavericks, the single-pass erase tool only uses a pass of zeroes:

This option writes a single pass of zeros over the entire disk. It erases the information used to access your files and writes over the data 1 time.

It’s not clear if the two implementations are exactly the same.

It might be a little stronger than that. The tool underlying Secure Empty Trash is a command line tool called srm (Secure ReMove). According to the Wikipedia page:

Mac OS X interfaces to srm, such as the "Secure Empty Trash" menu item in the Finder, use the DOD-recommended 7-pass algorithm, although srm uses the 35-pass version by default.

7 passes includes four passes of random data, and then three passes of repeating data. You can see the full list on the Wikipedia page about the Gutmann method, which is what srm uses. Unfortunately, that doesn’t come with a reference.

I have an old Mac OS X book (Mac OS X Power Tools, iirc) which also says that 7-pass overwrite is used for Secure Empty Trash, but again no mention of whether it’s zeroes or random data. It’s possible that the Wikipedia page is out-of-date, and that Apple has toned it back over the years.

Certainly, the most secure erasure option available in Disk Utility has been scaled back in the last few releases. A few versions ago, the full 35-pass option was available there:

[Screenshot: Disk Utility secure erase options in an earlier OS X release, including the 35-pass option]

In Mavericks, the best option only uses 7-passes:

[Screenshot: Disk Utility secure erase options in Mavericks, topping out at 7 passes]

However, the srm man page in Mavericks still makes reference to the 35-pass algorithm:

The -s option overrides the -m option, if both are present. If neither is specified, the 35-pass Gutmann algorithm is used.

Presumably the option still exists, but you need to go to the command line to do it. (There’s more good discussion of this on the Security Stack Exchange site.)
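To make the difference between a single pass of zeros and a multi-pass schedule concrete, here is an added Python illustration. It is not srm's code and not part of this answer; the three fixed patterns in the 7-pass schedule are assumed, since the exact patterns srm uses are not listed here.

```python
import os
import secrets
import tempfile

# A pass is either a repeating byte pattern or None for cryptographically
# random bytes. Both schedules below are constructed for illustration.
SINGLE_PASS_ZEROS = [b"\x00"]  # Disk Utility's "single pass of zeros"
# Seven passes: four random, then three fixed patterns. The fixed patterns
# are an assumption; the page does not say which ones srm actually writes.
SEVEN_PASS = [None] * 4 + [b"\x55", b"\xaa", b"\x00"]


def overwrite_in_place(path, schedule):
    """Overwrite the file at `path` once per entry in `schedule` and return
    the bytes left in it. Each pass is flushed and fsync'd so it reaches the
    device before the next pass starts."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in schedule:
            if pattern is None:
                data = secrets.token_bytes(size)
            else:
                data = (pattern * (size // len(pattern) + 1))[:size]
            f.seek(0)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
    # This only reaches the blocks the file currently occupies; it cannot
    # touch any copies the filesystem or device may have kept elsewhere.
    with open(path, "rb") as f:
        return f.read()


def demo(schedule, secret=b"quarterly-figures: 42\n" * 50):
    """Write a constructed secret to a temp file, sanitize it with `schedule`,
    and return (secret_still_present, number_of_passes, final_bytes)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        remaining = overwrite_in_place(path, schedule)
        return secret in remaining, len(schedule), remaining
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, schedule in (("zeros", SINGLE_PASS_ZEROS), ("7-pass", SEVEN_PASS)):
        present, passes, _ = demo(schedule)
        print(f"{name}: {passes} pass(es), secret still present: {present}")
```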

I find it odd because, as far as I'm concerned, writing a bunch of 0s is more than enough to make your data inaccessible.

It depends on how inaccessible you want your data to be. For a home user, that might be fine. If you work for the military or the defence sector, perhaps less so. In theory, somebody with suitable equipment could read the original magnetic pattern from the disk if it’s not broken up properly. Using random data instead of zeroes makes it that much harder to read the original. (More information on the Wikipedia article on data remanence, or that Security.SE thread.)