Maybe intercept the shutdown process in the guest (debian) and insert a script that tells the host:

"shutdown almost complete, now is the time to kill me and wipe my snapshot"

and the host then kills the VM and wipes the files?

Are you really talking about snapshots ?

Normally only the redologs of vmdks in nonpersistent mode are deleted when the VM shuts down.

If you are concerned about the vmem-files I would suggest that you configure your VMs so that the vmem files get allocated in physical RAM.

Then you dont get vmem files at all.

continuum  is right, it is better to do as he advises.

ARomeo

The vmx-parameter for a Linux host is:

mainmem.backing = "swap"

For Windows use

mainmem.useNamedFile = "false"

To set this per VM use the parameter in the vmx-file.

To use it for all VMs add the parameter to config.ini

Please note - this options is not for free - you will not be able to use as many VMs side by side as you can use without that setting.

For more on this read my blog:  VMware Continuum - Tuning guide - setup the host for expected usage ...

"Normally only the redologs of vmdks in nonpersistent mode are deleted when the VM shuts down."

Yes, and the use of nonpersistent mode is intentional so nothing sensitive is left in the vmdk. RAM is even more likely to contain sensitive information and using the host swap space means one would have to wipe the swap space too, all of it. Doable, but the redologs are still an issue because they are just deleted and not wiped.

Just curious - how would you find a deleted redo log to read the content ? They dont appear in trashbin and the file typically is heavily fragmented.

To abuse the content of a deleted redo log you would have to find its fragments on disk - thats quite advanced stuff.

What about using encryption for your vmdks  - like truecrypt for example.

Then the redologs should be unreadable.

Immediately after deletion every file is 100% recoverable with freeware tools no matter how fragmented or so I think. Thereafter if it gets written over, bits and pieces of the file can still be a privacy issue for certain kinds of data like short emails and documents, with a brute force search for known text like an email header in the entire disk. Full disk encryption for the guest is certainly an option.

Can you configure a VM to never allow its RAM to go to the host's swap space or the vmem backing file?

AFAIK the only option is NOT to use pagefile.sys or a swap-file/partition at all.