Security - how to overwrite/zero blocks used by deleted file?

Imagine that, for security, you have to delete a file and then overwrite all the blocks it previously used to make sure that there’s nothing at all left on disk (assuming the file was never inside a snapshot). How can this be achieved?

What about if the file also exists inside a snapshot?

(And bonus points if there’s any cache/log/arc blocks in memory or on disk you know how to delete!)

This is (one example of) what the redacted send feature is for. Use redacted send to replicate the dataset minus the offending data, then replace the production version with the “redacted sent” version.

https://openzfs.github.io/openzfs-docs/man/8/zfs-redact.8.html
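
The redacted-send sequence from zfs-redact(8) that the answer above refers to, as an added example that is not part of the original posts. The function only prints the commands so they can be reviewed before being run; the dataset, snapshot and bookmark names are placeholders, and the clone is assumed to be mounted at `/<clone name>`.

```shell
#!/bin/sh
# Added example: print the zfs commands for a redacted send that leaves
# one file out of the replicated copy. Nothing is executed here.
# Arguments (all placeholders chosen by the caller):
#   $1 source dataset    e.g. tank/data
#   $2 existing snapshot e.g. pre          (tank/data@pre)
#   $3 file to drop, relative to the dataset root
#   $4 destination dataset for the redacted copy
redacted_replicate() {
    src=$1 snap=$2 relpath=$3 dst=$4
    clone="${src}_scrub"      # hypothetical name for the working clone
    book="redact_${snap}"     # hypothetical redaction bookmark name

    # Only plain name characters are accepted, so the printed commands
    # are safe to hand to a shell after review.
    for v in "$src" "$snap" "$relpath" "$dst"; do
        case $v in
            ''|*[!A-Za-z0-9_./-]*|*..*)
                echo "rejected argument: $v" >&2; return 2 ;;
        esac
    done
    case $relpath in /*) echo "path must be relative" >&2; return 2 ;; esac

    # 1. Clone the snapshot and delete the file inside the clone.
    echo "zfs clone $src@$snap $clone"
    echo "rm -- /$clone/$relpath"   # assumes the default mountpoint
    # 2. Snapshot the clone; this is the redaction snapshot.
    echo "zfs snapshot $clone@clean"
    # 3. Record which blocks differ as a redaction bookmark.
    echo "zfs redact $src@$snap $book $clone@clean"
    # 4. Send the snapshot without the redacted blocks.
    echo "zfs send --redact $book $src@$snap | zfs receive $dst"
    # 5. Send the clone on top of it; the received clone is the
    #    complete, mountable dataset without the file.
    echo "zfs send -i $src@$snap $clone@clean | zfs receive ${dst}_scrub"
}

if [ "$#" -eq 4 ]; then
    redacted_replicate "$@"
fi
```

The received redacted snapshot (`$dst`) is incomplete and is not mountable by default; the dataset to put into production is the clone received in step 5.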