February 11, 2011

Weekend Project: Scrub Files and Old Hard Drives Securely on Linux


Whether you are upgrading components for a system refresh, selling an old laptop on Craigslist, or recycling your desktop PC, there comes a time when you have to wipe a storage device in preparation for giving it to someone else. Chances are, you don't want whoever gets physical access to your old hard disk to have unfettered access to its contents: files, email, passwords, the embarrassingly high frequency of Justin Bieber sites in your browsing history. You'll find several open source utilities for wiping away personal data, so this weekend, why not take stock of your options and put together a deep-clean routine?


Gone but Not Forgotten: When Delete is Not Delete

One thing most experienced Linux veterans know is that once you delete a file with rm, it's not moved to a hidden "recycle basket" folder; it's gone. That's because rm frees the blocks where the deleted file used to reside, and Linux and other Unix-like systems reuse freed blocks readily, so the odds are that they will be overwritten with other data fairly quickly.

But there is no guarantee that the blocks will be overwritten. As a result, rm-ing the contents of your disk won't by itself remove the files' contents, especially if you then unmount and unplug the now-empty disk rather than keep using it. In fact, that's how file-recovery tools like PhotoRec work: they scan the raw contents of the blocks, looking for recognisable file headers and, on some filesystems, leftover metadata that still points at other blocks of data.

You could always write over the original file contents with a tool like dd, but forensics experts claim to be able to recover files from magnetic media even after it has been overwritten with some predictable pattern, such as all ones or all zeroes.

The Gutmann method is an attempt to beat those forensic techniques by systematically overwriting the blocks with a series of binary patterns. It takes much longer, naturally, but the open source community has developed several tools to automate the process.

The full algorithm used by the Gutmann method uses 35 passes, including a mix of random data and structured patterns, but in many cases not all are actually necessary. That's because the Gutmann method was designed around older, 1990s-era hard disk encoding techniques that are no longer used, and newer ATA drives include a firmware-level secure erase command (discussed below) that makes scrubbing simpler.

One File at a Time: Shred or srm

In those instances when you only need to securely erase a few files, rather than an entire disk partition, take a look at GNU's shred utility and at the "secure rm replacement" srm. Both are command-line tools that overwrite the contents of a file in place before unlinking it from the filesystem.


Shred is part of the GNU core utilities, so you will almost certainly already have it installed on any Linux system. The basic usage is shred [OPTIONS] filename1 filename2 .... Without any options, shred overwrites the contents of the supplied files with three passes in current coreutils releases (older versions defaulted to 25), but it will not delete them. To delete a file after it is shredded, add the -u option. You can change the number of passes with the -n option. Other useful options include -v to turn on verbose reporting, -z to add a final all-zeroes pass so the file does not obviously look shredded, and -f, which changes file permissions (if necessary) to enable write access.

The srm utility differs from shred in two key areas. First, shred uses a subset of the full Gutmann method for its passes, while srm employs the full 35-step algorithm by default. Second, because srm is intended to work as a drop-in replacement for rm, by default it does delete the file it is called on. The srm project is hosted at SourceForge.net, and although the project builds binary packages for Red Hat only, it is often packaged for other desktop distributions. Be aware, though, that Debian-based systems ship a different program under the same name: their "secure-delete" package is THC's secure_deletion toolkit, whose srm shares the purpose but not the option set described below, so check the manpage of whichever one you install. Neither has any significant dependencies.

Its options are designed to be compatible with rm's, so it includes the -r recursive delete switch and the -i interactive switch, which prompts you for a yes or no for each file. It also features the -v verbose and -z all-zeroes-final-pass options found in shred. Because it deletes by default, however, there is a -n option (for "no unlink") that you must include to overwrite but not delete a file. Finally, you cannot specify an arbitrary number of passes as you can with shred, but you can substitute one random pass for the full suite by adding the -s (simple) switch, or a probably-good-enough seven passes with -m (medium). Srm has no equivalent of shred's -f for overwriting files on which the user lacks write permission.
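To make concrete what shred and srm actually do, here is an added example that is not part of the original article and is not code from either project. It performs the same overwrite-then-unlink cycle in Python: several full-file passes of random and patterned data, an optional zero pass like -z, a round-up to the filesystem block size so the slack after end-of-file is hit too (shred's default), and a rename before unlinking like shred -u so the old filename does not linger in the directory. The pass patterns, the temporary directory and the "tax-return.txt" sample contents are assumptions made up for the illustration.

```python
import os
import secrets
import tempfile

# Pass schedule (an assumption for illustration, not any tool's exact Gutmann
# subset): None means a fresh random buffer for that pass, bytes are tiled.
DEFAULT_PASSES = (None, b"\x55\xaa", None)
CHUNK = 1 << 20  # write in 1 MiB pieces so large files need no large buffers


def _overwrite_pass(fd, length, pattern):
    """Write one full pass of `pattern` (or random bytes) over fd[0:length]."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = length
    while remaining:
        n = min(CHUNK, remaining)
        if pattern is None:
            buf = secrets.token_bytes(n)
        else:
            buf = (pattern * (n // len(pattern) + 1))[:n]
        view = memoryview(buf)
        while len(view):
            view = view[os.write(fd, view):]
        remaining -= n
    os.fsync(fd)  # push this pass to the device before starting the next


def scrub_file(path, passes=DEFAULT_PASSES, zero_last=True, unlink=True, force=False):
    """Overwrite `path` in place, then optionally unlink it.

    Returns the number of overwrite passes made. force=True adds the owner
    write bit first (what shred -f does); without it a read-only file raises
    PermissionError, which matches srm's behaviour.
    """
    if force and not os.access(path, os.W_OK):
        os.chmod(path, os.stat(path).st_mode | 0o200)
    st = os.stat(path)
    block = getattr(st, "st_blksize", 0) or 4096
    length = -(-st.st_size // block) * block  # round up to whole blocks
    schedule = list(passes) + ([b"\x00"] if zero_last else [])
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: we want the same blocks
    try:
        for pattern in schedule:
            _overwrite_pass(fd, length, pattern)
        os.ftruncate(fd, 0 if unlink else st.st_size)
    finally:
        os.close(fd)
    if unlink:
        directory = os.path.dirname(path) or "."
        anon = os.path.join(directory, secrets.token_hex(8))
        os.rename(path, anon)  # hide the original name, as shred -u does
        os.unlink(anon)
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)  # make the directory change durable too
        finally:
            os.close(dfd)
    return len(schedule)


def scrub_demo():
    """Constructed demo: scrub a throwaway file and report what is left."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "tax-return.txt")
    secret = b"account 1234-5678 pin 0042\n" * 400  # constructed sample data
    with open(path, "wb") as fh:
        fh.write(secret)
    passes = scrub_file(path, unlink=False)  # like shred -z without -u
    with open(path, "rb") as fh:
        leftover = fh.read()
    scrub_file(path)  # like shred -z -u
    os.rmdir(workdir)
    return {
        "passes": passes,
        "size_kept": len(leftover) == len(secret),
        "secret_gone": b"pin 0042" not in leftover,
        "all_zero": leftover == b"\x00" * len(leftover),
        "unlinked": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(scrub_demo())
```

Everything this code achieves still depends on the filesystem actually writing the new bytes onto the old blocks, which is the subject of the next paragraph; the fsync calls make each pass reach the device, they do not change where the device puts it.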

A critical facet to keep in mind about shred and srm is that they depend on the filesystem writing the new data onto the same disk blocks the old data occupied; the whole technique rests on hitting those blocks many times in a row. Not every filesystem guarantees that. Journaling by itself is not the problem: Ext3, XFS, JFS and ReiserFS all journal metadata only by default, so an overwrite of an existing file lands on its original blocks. Ext3 becomes a problem only when mounted with data=journal, which copies file data through the journal first; if you use that mode, remount with data=ordered (the default) or data=writeback before shredding. Copy-on-write and log-structured filesystems such as Btrfs, ZFS and NILFS2, on the other hand, never overwrite in place, and neither do snapshots, compressed volumes, or the wear-levelling firmware inside an SSD. On any of those, an overwriting tool leaves the old blocks intact, and only a whole-device wipe or the drive's own secure-erase command (see below) will do. You can check what a given file sits on with findmnt -T /path/to/file (or by reading /proc/mounts), and the shred manpage spells out the same caveats.
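Here is the check that paragraph asks for, as an added example that is not part of the original article: parse a /proc/mounts table, find the mount that actually holds a path (longest-prefix match, since /home/alice/photos may be its own mount beneath /home), and decide whether an in-place overwrite on that filesystem reaches the old blocks. The SAMPLE_MOUNTS table is constructed for the demonstration; with no text supplied, check() reads the live /proc/mounts on Linux. The filesystem groupings follow the reasoning in the text and are deliberately conservative: anything not listed comes back as "unsure".

```python
import os

# Constructed /proc/mounts-style sample (not from the article): device,
# mountpoint, fstype, options, dump, pass. Spaces in paths appear as \040.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda2 /home ext3 rw,relatime,data=journal 0 0
/dev/sdb1 /srv/xfs xfs rw,relatime 0 0
/dev/sdc1 /srv/btrfs btrfs rw,relatime,compress=zlib 0 0
/dev/mapper/vg-photos /home/alice/photos ext4 rw,relatime,data=ordered 0 0
"""

# Grouped by whether rewriting an existing file's bytes lands on the same blocks.
METADATA_JOURNAL_OR_NONE = {"ext2", "xfs", "jfs", "reiserfs", "vfat", "ntfs"}
COPY_ON_WRITE = {"btrfs", "zfs", "nilfs2", "f2fs"}


def parse_mounts(text):
    """Return [(mountpoint, fstype, set(options))] from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mountpoint = fields[1].replace("\\040", " ")
        entries.append((mountpoint, fields[2], set(fields[3].split(","))))
    return entries


def mount_for(path, entries):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    path = os.path.normpath(os.path.abspath(path))
    best = None
    for entry in entries:
        mountpoint = entry[0]
        prefix = mountpoint.rstrip("/") + "/"  # "/" matches everything
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = entry
    return best


def overwrite_reaches_old_blocks(fstype, options):
    """Verdict for shred/srm on this mount: ("yes"|"no"|"unsure", reason)."""
    if fstype in ("ext3", "ext4"):
        if "data=journal" in options:
            return "no", "data=journal copies file data through the journal first"
        return "yes", "data=ordered or data=writeback rewrites file blocks in place"
    if fstype in COPY_ON_WRITE:
        return "no", fstype + " is copy-on-write; new data goes to fresh blocks"
    if fstype in METADATA_JOURNAL_OR_NONE:
        return "yes", fstype + " journals metadata only (or not at all)"
    return "unsure", "filesystem not in the table; read its documentation"


def check(path, mounts_text=None):
    """Report the mount under `path` and whether in-place overwriting works there.

    Reads the live /proc/mounts when no text is supplied (Linux only). SSD
    wear levelling and snapshots sit below this check and can defeat
    overwriting even where the verdict is "yes".
    """
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    entry = mount_for(path, parse_mounts(mounts_text))
    if entry is None:
        return {"mountpoint": None, "fstype": None, "verdict": "unsure",
                "reason": "no mount found for path"}
    verdict, reason = overwrite_reaches_old_blocks(entry[1], entry[2])
    return {"mountpoint": entry[0], "fstype": entry[1],
            "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for p in ("/etc/shadow", "/home/bob/notes.txt", "/srv/btrfs/vm.img"):
        print(p, check(p, SAMPLE_MOUNTS))
```

Run it against the sample and /home/bob/notes.txt comes back "no" because /home is mounted data=journal, while /home/alice/photos is "yes" because the longest-prefix match picks the data=ordered ext4 volume mounted beneath it. Run it with no second argument on a real machine before trusting shred on anything that matters.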

Nuke it from Orbit: Wholesale Filesystem Eradication

Shred and srm will scrub a file out of existence on your hard drive, and may be good enough depending on your level of paranoia, but when you absolutely, positively have to bleach the data out of a drive, they just take too long. For these situations, you have at least three options.

The first is Berke Durak's wipe, which is packaged for most Linux distributions. Wipe is a command-line tool; the syntax is wipe [options] path1 path2 .... Because a path can be a directory or a block device, you can use it to erase large structures like whole directory trees or partitions, for example wipe /dev/sda5 (unmount the partition first). Note that this erases one partition, not the entire device (which would be /dev/sda). Writing over the entire device also overwrites the disk's Master Boot Record (MBR) and partition table, leaving it unbootable, which is exactly what you want if the disk is leaving your hands: a partition-only wipe leaves the other partitions, the partition table and any unpartitioned gaps untouched.

Like the others, wipe bases its default overwrite behavior on Gutmann's 35-pass system. Wipe's notable options include -z to end with an all-zero pass, -r to recurse, -c to set write permissions if necessary, and -k to overwrite but not delete any files. You can control the overwriting pattern with additional switches: -q (quick) will make four random passes, while -Q somenumber will do somenumber of random passes instead. You can even specify the pseudo-random number generator used with -M and the seeding method with -S. To get the skinny on those options, consult the wipe manpage.

Andrew Beverly's Nwipe (no relation) is an interactive, ncurses-based tool for wiping entire disk partitions. When fired up, it scans and locates partitions, presenting them to you in a table — and thus, in theory, making it more difficult for you to accidentally erase the wrong one. It also gives you a menu-driven choice of erasure methods. Nwipe supports the full Gutmann 35-pass algorithm, a quick erase that writes all-zeroes, and three intermediary wipes with three, seven, and eight passes, respectively.

Nwipe is a stand-alone tool, but Beverly adapted it from the dwipe utility provided by Darik's Boot And Nuke (DBAN), a minimalist live distro designed for the sole purpose of booting up from removable media, then finding and erasing the hard disk storage. The ncurses-based interface helps you keep track of the attached storage, and provides helpful progress meters during the erasing process, which on large drives can take many hours at a time. The three intermediary wiping options are based on North American governmental recommendations: the seven-pass option is US Department of Defense standard 5220.22-M, the three-pass option is a "short" version of 5220.22-M, and the eight-pass option is the media sanitization recommendation from the Royal Canadian Mounted Police Technical Security Standards for Information Technology. Whatever your black-helicopter level, DBAN has you covered.

The last option to consider is a freeware utility called HDDErase. It is designed to run from DOS (reportedly including the open source FreeDOS), and although it is not under a free software license, it was developed by the University of California San Diego, not a commercial software vendor. HDDErase uses a text-driven interface, but it does locate attached hard disks automatically, and gives you several erasure options, the details of which depend on your hard drive's factory feature set.

What makes HDDErase special is that it is the only tool in this roundup that uses modern ATA disks' built-in "secure erase" feature, which has the drive's own firmware erase every sector rather than going through the filesystem at all. (On Linux, hdparm can issue the same ATA command with --security-erase, but that means setting a temporary drive password first, and many BIOSes "freeze" the security feature set at boot so the command is refused, which is why a dedicated boot tool is the easier route.) The main advantage of the firmware approach is that it reaches sectors no software overwrite can: sectors the drive has quietly reallocated as bad, which are no longer addressable by the host but still hold their old contents (the filesystem's own bad-block list has the same effect for file-level tools), and, on SSDs, the flash pages that wear levelling has left behind. Either could still be readable by a forensics team with the right equipment.

Applying the Tinfoil in Layers

Admittedly, the odds that your old hard disk's bad blocks will be scoured by a forensics team with access to a magnetic scanning device are pretty slim, but only you know what the black-hats will find if they look. It is interesting to see how all of the open source secure-deletion tools base their approach on the Gutmann method, despite the fact that it is optimized for hard disk technology no longer in use.

The honest truth is that, although Gutmann predicted that it was possible to recover deleted information from old disks if naive overwriting patterns were used, there is no known example of this ever happening, even in the lab. In fact, 16 Systems posed what it called "The Great Zero Challenge" in 2008, offering a prize to anyone who could recover data from an overwritten drive, and no one took them up on it. You are certainly taking nearly ten times as long to pursue the full Gutmann algorithm as you are to perform four random passes, but it does not seem likely you are getting ten times the security.

Consequently, it's a tiny bit embarrassing that no other open source tools take a different approach. HDDErase's development was previously funded by government grant money, which has since ended, so it is always possible that its creators could be persuaded to release the source code under an approved open source license. It never hurts to have options, particularly where covering your tracks is concerned.
