I'm not sure this is actually as secure as you think it is. You have no guarantee that your filesystem will use the same blocks for your new (encrypted) data as for the old, and even less guarantee that the device driver/device will map those blocks to the same physical sectors. Flash devices, for example, will try hard to use new, unallocated space, because the flash media has a very limited number of write cycles within its lifespan. So the information in the original file may no longer be accessible to the filesystem but it can still be read directly from the disk.
At the very least, you need to make sure that your encrypted/zeroed file is the same size as or larger than your original, otherwise some of your original data can remain in the slack space between file and block size.
Secure file deletion depends on several variables, including the file system and the physical device used. The only general way to do this semi-securely is GrandFather's suggestion of deleting the file and filling the then-empty space on the partition with data multiple times (making sure you flush your page cache between passes). Even then there can be problems, for example NTFS's alternate streams.
Personally I'd probably go a different way and instead transparently encrypt the file while using it. If all you're guarding against is later recoverability, you just need to make sure the encryption key cannot be recovered, and even if you fail at that, it is very probable that simple corruption of your encrypted file (e.g. by managing to wipe it partially) will render the file completely unrecoverable.
There are ten types of people: those that understand binary and those that don't.
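As an added example (not code from the post's author), here is a Python in-place overwrite that applies the size rule from the post: it rewrites the existing inode rather than creating a new file, rounds the written length up to the filesystem block size so the slack space after the original data is covered, and fsyncs between passes so each pass leaves the page cache. The `demo()` helper and its 600-byte "SECRET" payload are constructed for illustration; the post's caveat still holds, since nothing here can force the filesystem or device to reuse the same physical blocks or sectors.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16

def overwrite_in_place(path: str, passes: int = 2) -> dict:
    """Overwrite an existing file with random data, in place (same inode).

    The length written is rounded up to the filesystem block size so that the
    slack space after the original data in the last block is covered too.
    Caveat: this still does not guarantee that the filesystem or the device
    writes to the same physical blocks or sectors as the original data.
    """
    st = os.stat(path)
    orig_size = st.st_size
    blksize = getattr(st, "st_blksize", 0) or 4096
    padded = -(-orig_size // blksize) * blksize   # ceiling to a block multiple
    with open(path, "r+b", buffering=0) as f:     # r+b: rewrite, never recreate
        for _ in range(passes):
            f.seek(0)
            remaining = padded
            while remaining:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n))
                remaining -= n
            os.fsync(f.fileno())  # push this pass out of the page cache before the next
    return {"original_size": orig_size, "written": padded, "block_size": blksize}

def demo() -> dict:
    """Self-contained check on a constructed temp file (sample data, not a real secret)."""
    marker = b"SECRET" * 100                       # constructed 600-byte payload
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, marker)
        os.close(fd)
        inode_before = os.stat(path).st_ino
        result = overwrite_in_place(path, passes=2)
        with open(path, "rb") as f:
            data = f.read()
        result["same_inode"] = os.stat(path).st_ino == inode_before
        result["marker_gone"] = b"SECRET" not in data
        result["file_size"] = len(data)
        return result
    finally:
        os.unlink(path)
```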