1

Let's say that I have an unencrypted file and I'm trying to encrypt it and make sure the original file cannot be recovered from my disk. If I, for example, create an archive, put the file into it and encrypt the archive, it seems pretty obvious that even if I delete the original file it is still on the disk and can be recovered. From my understanding, if the file is on a hard disk, the original file can be overwritten and at that point data recovery should be practically impossible.

But as I understand with SSDs, this gets a bit more complicated. Since SSDs employ wear leveling, even if I were to overwrite the original file, it may not be written to the same physical location and therefore there is a significant enough chance it could be recovered.

So how can I securely encrypt files on an SSD?

By the way, the archive scenario I described earlier is just an example. From my understanding this problem should affect all encryption tools.

2 Answers

2

The best option is to use full-disk encryption that encrypts everything whether it's explicitly encrypted with file encryption or not.

In your situation, you could try and write a file so big that it fills the whole drive, making it more likely you overwrite the original file. However, there could be data from the file written in paging (swap). You might also be able to enable full-disk encryption on-the-fly; this depends on the capabilities of your operating system.

Esa Jokinen
0

There are clever ways of doing that. I would create the file on a RAM drive (if you have enough RAM to create the partition to store your file in RAM initially), encrypt it and then save it to the SSD. This way the unencrypted copy of the file does not exist on the drive at any point in time (except for when you decrypt it to the drive, but you could again put it on a RAM drive instead). If you have a second SSD and the file already exists on one, you could copy it to the RAM drive, encrypt it and save it on the other drive, after which you encrypt the drive, dispose of the key and shred the old drive (a bit drastic, but maybe this is what you're looking for).

nethero
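The RAM-drive approach and the swap caveat from the answers above meet in one check: the staging directory has to be RAM-backed, and on Linux a tmpfs can still be paged out to swap while a ramfs cannot. The following is an added example, not code from either answer; it assumes Linux, and the function names and the sample `/proc/mounts` and `/proc/swaps` text are constructed for illustration.

```python
"""Decide whether a directory is safe for staging plaintext before encryption (Linux)."""
import posixpath

RAM_FS = {"tmpfs", "ramfs"}

# Constructed sample data in the format of /proc/mounts and /proc/swaps.
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
ramfs /mnt/ram ramfs rw,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename Type Size Used Priority
/dev/nvme0n1p3 partition 8388604 0 -2
"""

def fs_for_path(path, mounts_text):
    """Return (mount_point, fstype) of the deepest mount point containing path."""
    path = posixpath.normpath(path)
    best = ("", None)
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mnt = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # ">=" lets a later mount on the same mount point shadow an earlier one
        if inside and len(mnt) >= len(best[0]):
            best = (mnt, parts[2])
    return best

def active_swap(swaps_text):
    """Return the swap areas listed in /proc/swaps text (header line skipped)."""
    return [l.split()[0] for l in swaps_text.splitlines()[1:] if l.strip()]

def staging_verdict(path, mounts_text, swaps_text):
    """Return (status, reason); status is 'ok', 'risky' or 'unsafe'."""
    mnt, fstype = fs_for_path(path, mounts_text)
    if fstype not in RAM_FS:
        return ("unsafe", f"{path} is on {fstype} at {mnt}: plaintext reaches the disk")
    swaps = active_swap(swaps_text)
    # tmpfs pages may be written to swap; ramfs pages never are.
    # This check cannot tell whether a swap area is itself encrypted.
    if fstype == "tmpfs" and swaps:
        return ("risky", "tmpfs can be swapped out to " + ", ".join(swaps))
    return ("ok", f"{mnt} is RAM-backed ({fstype})")

if __name__ == "__main__":
    for p in ("/home/user/secret", "/dev/shm/work", "/mnt/ram/work"):
        print(p, staging_verdict(p, SAMPLE_MOUNTS, SAMPLE_SWAPS))
```

On a real system, pass the contents of `/proc/mounts` and `/proc/swaps` instead of the sample strings.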