Tradecraft · Data destruction

Secure file shredder: deleting isn't erasing.

By Helix · ~2,800 words · How overwrite-then-delete works — and why encryption is the real eraser

When you delete a file, you almost certainly don't erase it. The operating system just marks the space as free and forgets where the data was — but the bytes themselves sit on the disk, fully intact, until something happens to write over them. A trivial recovery tool can bring them straight back. A secure file shredder closes that gap by overwriting the file's contents before releasing it, so a casual recovery finds noise instead of your data. It's a genuinely useful tool — and it comes with a hard physical limit on modern storage that we're going to state plainly, because the marketing around "military-grade wipe" is mostly nonsense. Here's how shredding really works, and why, on the SSD in your phone, full-disk encryption is the tool that actually does the job.

1. What "delete" really does — and doesn't 2. How a secure shredder works 3. The threat it stops 4. Who this is for 5. How Helix implements it 6. The honest limits — read this part 7. The bottom line

1. What "delete" really does — and doesn't

Here's the uncomfortable truth behind the trash can icon: deleting a file does not remove its contents. A file system is essentially a catalogue — an index that says "this file lives in these locations on the disk." When you delete a file, the system mostly just strikes the entry from the catalogue and marks those locations as available for reuse. The actual data — your document, your photo, your private key — remains physically present, byte-for-byte, in those locations. It stays there until, at some unpredictable future moment, the system happens to write something else on top of it. That might be in seconds; it might be in months; for a large or rarely-touched volume, it might be effectively never.

This is exactly why data-recovery tools exist and why they work so well. "Undelete" software simply scans the disk for those orphaned-but-intact regions and reconstructs the files whose catalogue entries were removed. The same mechanism is the bread and butter of forensic examiners: hand them a phone or drive and the first thing they do is image it and recover everything that was "deleted" but never overwritten. To anyone with that capability, an ordinary delete is barely a speed bump. The file is gone from your view and still entirely present on the medium.

A secure file shredder exists to fix that specific, well-understood gap: the gap between "the catalogue forgot it" and "the bytes are actually gone."

2. How a secure shredder works

The core idea is simple and old: don't just forget where the data was — destroy the data first, then forget it.

Overwrite, then delete

A secure shredder takes the file's actual storage locations and writes over them with new data — typically zeros, ones, or random bytes — replacing the original contents in place. Only after the contents have been overwritten does it then perform the normal delete to release the space. The order is the whole point: by the time the catalogue entry is removed, there's nothing meaningful left at those locations for a recovery tool to find. An undelete scan turns up the overwritten pattern, not your file.

Single pass versus multiple passes

You'll see products boasting about multiple overwrite passes — three passes, seven passes, thirty-five-pass "Gutmann" wipes. This is largely a holdover from old magnetic hard drives and a real-world overstatement. On any modern drive, a single overwrite pass renders the original data unrecoverable by any practical means; the elaborate multi-pass rituals were designed for decades-old magnetic media and confer no meaningful benefit on today's storage. They mostly just take longer and wear the drive. The honest engineering position is: one good overwrite, applied to the actual physical location, is enough — if you can guarantee it lands on the actual physical location. Which, as we're about to see, is exactly the assumption that breaks on modern storage.

Why the physical location matters

Everything about overwrite-then-delete rests on one assumption: that writing to a file's location actually overwrites the same physical cells that held the original data. On a traditional spinning hard drive that's true — the drive writes where you tell it. The shredder overwrites the exact sectors, the original is physically gone, and recovery fails. That clean model is the one most people picture when they imagine "shredding" a file. It is also, on the device in your pocket, not how storage works anymore.

Normal delete removes the catalogue entry and leaves the data. A shredder overwrites the data first, then deletes — so recovery finds noise instead of your file. The catch is that "overwrite the data" only works if the write lands on the same physical cells that held the original. On modern flash, it often doesn't.

3. The threat it stops

A secure shredder is the right answer to a very common, very real threat: recovery of "deleted" data by anyone who later gets access to the medium. That covers a lot of ground. A device that's lost, stolen, sold, returned at end-of-lease, repaired by a third party, or seized at a checkpoint can have its storage imaged and its deleted files trivially reconstructed by off-the-shelf recovery software. Shredding the sensitive files before they leave your hands means that even a competent examiner running standard undelete tooling comes up with overwritten noise rather than your documents.

It also addresses the everyday accumulation of sensitive residue. Caches, drafts, downloaded attachments, exported keys, scratch copies — the detritus that piles up as you work — all of it lingers on the disk after an ordinary delete. A shredder lets you actually destroy a specific sensitive file when you're done with it, rather than leaving a recoverable copy behind for whoever inspects the device next. It complements device-loss defenses like remote wipe and the data-hiding of a deniable hidden volume — different tools for the related problem of keeping data out of an adversary's reach.

4. Who this is for

Anyone who handles sensitive material on a device that might one day fall into someone else's hands — which is everyone, eventually.

Crypto holders and whales. An exported seed phrase, a key backup, a transaction record left "deleted" but recoverable on a device that's later stolen or seized is a direct path to your funds. Shredding those artifacts the moment you're done with them removes the recoverable trail.
Lawyers. Privileged drafts, client files and case material that you've "deleted" remain reconstructable by anyone who images the device. A shredder turns disposal into actual destruction, protecting privilege at the storage layer.
Family offices and executives. Deal documents, valuations and negotiating notes downloaded to a device and later deleted are exactly what a forensic recovery would surface. Shredding sensitive working files keeps disposed material genuinely disposed.
Journalists and their sources. A recovered "deleted" file can identify a source. When a device is seized or compromised, the difference between an ordinary delete and a true shred can be the difference between protecting someone and exposing them.
The targeted. Anyone in a contested divorce, dispute or investigation where their device may be examined benefits from being able to actually destroy a specific file — not merely hide it from the file browser while leaving it intact on disk.

5. How Helix implements it

Helix provides secure shredding on the device you already carry — standard iOS and Android — and pairs it with the tool that actually solves the underlying problem, with a few deliberate choices.

Overwrite-then-delete, single competent pass. Helix overwrites a shredded file's contents before releasing the space, using one solid pass rather than theatrical multi-pass rituals that don't help on modern media.
Encryption is the real eraser. Because in-place overwrite is unreliable on the flash storage in phones, Helix's primary data-destruction strategy is built on full-disk encryption: sensitive data is encrypted at rest, so destroying the key destroys access to the data instantly and completely — no matter where the physical bits ended up. Shredding is the complement; key destruction is the guarantee.
It runs on-device. Shredding and key management happen locally. Helix never ships your files off the device to "securely delete" them — that would defeat the entire purpose by creating a new copy somewhere you don't control.
It's one layer in a posture. Shredding sits alongside remote wipe, hidden volumes, duress unlock and the rest of the Helix feature set. For true unrecoverability the answer is encrypt-everything-and-destroy-the-key; the shredder is the targeted tool for individual files within that posture.

6. The honest limits — read this part

This is the part most "secure delete" products lie about, so we're going to be blunt. On the storage in modern phones and laptops, overwrite-then-delete cannot guarantee unrecoverability.

On SSDs, flash and copy-on-write file systems, the OS may NOT overwrite the original data in place. Wear-leveling, over-provisioning and copy-on-write mean your "overwrite" frequently lands on a different physical cell, leaving the original bytes intact and recoverable in spare flash blocks the file system won't even let you address. A secure shredder REDUCES recoverability but cannot guarantee it on these media. The real tool for guaranteed unrecoverability is full-disk encryption: encrypt everything, and destroy the key.

Unpack why, because the mechanism is the whole reason the simple model breaks.

Flash doesn't let you overwrite in place

Flash memory cells wear out after a limited number of writes. To make a drive last, the controller uses wear-leveling: it deliberately spreads writes across all the physical cells, so no single cell wears out first. A critical consequence is that when you "overwrite" a file, the controller frequently writes the new data to a fresh physical cell and simply re-points the logical address there — leaving the original cell, with your original data, untouched. Your overwrite landed somewhere else. Worse, drives keep a hidden reserve of cells (over-provisioning) that the operating system can't even address, and orphaned copies of your data can sit in that reserve indefinitely, beyond the reach of any software running on the device. Copy-on-write file systems compound this by writing changes to new locations by design rather than modifying data in place.

What that means for your shredder

The result is that on the SSD in your phone or laptop, a software shredder's overwrite is a best-effort that often misses the physical cells it's trying to destroy. It genuinely reduces recoverability — it removes the easily-addressed copy and defeats casual undelete tools — but it cannot promise that no intact copy survives in a remapped or over-provisioned block. Anyone with chip-level forensic capability may still recover data the shredder believed it had overwritten. We will not tell you a software shred on flash is a guaranteed wipe, because it isn't, and any product that claims otherwise is selling you a comforting fiction.

The tool that actually works: encrypt, then destroy the key

So how do you get genuine, guaranteed unrecoverability on modern storage? You stop trying to scrub bits and instead make the bits meaningless. With full-disk encryption, every byte written to the drive is encrypted with a key. The ciphertext can be scattered across remapped cells and over-provisioned reserve all it likes — it's useless without the key. To destroy the data, you destroy the key. Wiping a single small encryption key is fast, reliable and complete, and the instant it's gone, every encrypted copy of your data anywhere on that medium — addressable or not — becomes permanent, unrecoverable noise. This is why full-disk encryption, not a file shredder, is the real eraser, and it's why Helix builds its data-destruction strategy on encryption first.

So why offer a shredder at all? Because it's the right targeted tool for the common, lower-stakes case: removing a specific sensitive file from easy recovery, right now, against the realistic threat of off-the-shelf undelete software run by someone who later gets the device. It defeats that threat well. For the high-stakes case — guaranteeing a file can never be recovered by a chip-level forensic lab — the honest answer is the encryption-and-key-destruction approach, and we say so rather than overselling the overwrite. Use the shredder for what it's good at, rely on encryption for the guarantee, and you're not fooling yourself about either. That clarity is the honest definition of winning.

7. The bottom line

Deleting a file doesn't erase it — it just forgets where it was, leaving the bytes recoverable by anyone who later gets the device. A secure shredder overwrites the contents before deleting, defeating the everyday recovery tools that make ordinary deletion meaningless. That's real and useful. But on the SSD and flash storage in modern phones and laptops, wear-leveling, over-provisioning and copy-on-write mean an overwrite often misses the physical cells it's aiming at, so a software shred reduces — but cannot guarantee — unrecoverability. The tool that actually guarantees it is full-disk encryption: encrypt everything, and when you need data gone, destroy the key. Helix gives you the shredder for the targeted job and builds the guarantee on encryption — and tells you the difference instead of pretending there isn't one.

Get Helix — from $199 Deniable hidden volume

$199/month Core · $499/month Operator · $999/month Sovereign — or 30% off paid annually. Buy it or don't — no negotiation, no surprises.