Clean up your data

Deleting files permanently and securely

Option 1: ATA Secure erase of disk

If possible, use ATA Secure Erase to delete your files securely. The drive's own firmware then clears every user-addressable block and, with enhanced erase, the spare and reallocated areas as well (on self-encrypting drives it discards the encryption key instead), which is the only method that also reaches the over-provisioned and wear-levelled cells of an SSD. You do have to trust the manufacturer's firmware to do what it claims. The precondition is a drive that is not frozen.

Many BIOSes issue a SECURITY FREEZE LOCK command to every drive before booting an operating system, so that software running later cannot set or change a drive password. A frozen drive rejects SECURITY SET PASSWORD and SECURITY ERASE UNIT until its next power cycle. If your drive shows as frozen, try: removing any drive password in the BIOS and powering the system down completely (a warm reboot will just freeze it again); suspending the system to RAM and resuming, which power-cycles the drive without going through the BIOS freeze again; or, if the controller supports hot-plug, re-seating the SATA cable with the system running. Otherwise you may need to use a different motherboard (with a different BIOS).

$ hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       INTEL SSDSC2BW240A4
        Serial Number:      PHDA419500H02403GN
        Firmware Revision:  DC32
        Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
...
Security: 
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
...

In the above case the drive is frozen (output taken on a Hetzner root server, where none of the workarounds above is available remotely), so ATA Secure Erase cannot be used there.
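The check that should precede the erase, as an added example (not code from the original page): it parses the Security section of hdparm -I, refuses to continue unless the drive is supported, not enabled, not locked and not frozen, and builds the two hdparm commands (set a throwaway user password, then erase, using the enhanced variant when the drive offers it). The device path /dev/sdX, the password PassWord and the DRY_RUN switch are assumptions of this example; the sample hdparm output is constructed to match the frozen Intel SSD shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: gate ATA Secure Erase on the
# drive's reported security state and print (or run) the hdparm commands.
# Assumptions: hdparm is installed, the argument is the whole disk (/dev/sdX,
# not a partition), and the temporary password is disposable: a successful
# SECURITY ERASE UNIT clears it again.

# Security section of `hdparm -I`, constructed to match the frozen drive above.
FROZEN_SAMPLE='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# The same drive after a power cycle cleared the freeze (constructed).
READY_SAMPLE=$(printf '%s\n' "$FROZEN_SAMPLE" | sed 's/^\( *\)frozen$/\1not     frozen/')

# Print the security state: unsupported, frozen, locked, enabled or ready.
# hdparm prints a flag line as "<flag>" when set and "not     <flag>" when clear,
# so a line consisting of the bare flag word means the flag is set.
security_state() {
    out=$1
    flag_set() { printf '%s\n' "$out" | grep -Eq "^[[:space:]]*$1[[:space:]]*\$"; }
    if   ! flag_set supported; then echo unsupported
    elif flag_set frozen;      then echo frozen
    elif flag_set locked;      then echo locked
    elif flag_set enabled;     then echo enabled
    else echo ready
    fi
}

# "supported: enhanced erase" means the firmware also handles spare and
# reallocated areas (or rekeys a self-encrypting drive); prefer it when offered.
erase_mode() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*supported: enhanced erase'; then
        echo enhanced
    else
        echo normal
    fi
}

# plan_secure_erase DEVICE PASSWORD HDPARM_I_OUTPUT
# Prints the two commands to run, one per line, or refuses with a reason on stderr.
plan_secure_erase() {
    dev=$1; pass=$2
    state=$(security_state "$3")
    if [ "$state" != ready ]; then
        echo "refusing: $dev security state is '$state'" \
             "(need: supported, not enabled, not locked, not frozen)" >&2
        return 1
    fi
    case $(erase_mode "$3") in
        enhanced) erase=--security-erase-enhanced ;;
        *)        erase=--security-erase ;;
    esac
    # A user password must be set before the erase is accepted.
    printf 'hdparm --user-master u --security-set-pass %s %s\n' "$pass" "$dev"
    printf 'hdparm --user-master u %s %s %s\n' "$erase" "$pass" "$dev"
}

# Stand-alone use:   ./ata_secure_erase.sh /dev/sdX PassWord     (prints the plan)
#          DRY_RUN=0 ./ata_secure_erase.sh /dev/sdX PassWord     (executes it)
if [ $# -ge 2 ]; then
    plan=$(plan_secure_erase "$1" "$2" "$(hdparm -I "$1")") || exit 1
    printf '%s\n' "$plan"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        printf '%s\n' "$plan" | sh -ex
    fi
fi
```

If the erase is interrupted or fails after the password was set, the drive stays password-protected; clear it with `hdparm --user-master u --security-disable PassWord /dev/sdX` before trying again. Run hdparm -I afterwards and confirm the Security section reads "not enabled" again.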

Option 2: Secure erase of disk with userspace tools

Due to the (many) caveats of shred (see Option 3) and the largely unmaintained wipe, it is recommended to use scrub instead. Keep in mind that any userspace overwrite only reaches the logical blocks the operating system can address: on an SSD, wear levelling, over-provisioning and reallocated sectors can leave old data outside that range, so on flash prefer Option 1 and treat an overwrite as best effort. Point scrub at the whole device (/dev/sdX), not at a partition, if the goal is the whole disk:

$ scrub --force --no-signature --pattern nnsa /dev/sdX

scrub: using NNSA NAP-14.1-C patterns
scrub: please verify that device size below is correct!
scrub: scrubbing /dev/sda 240057409536 bytes (~223GB)
scrub: random  |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|

Parameter explanation for scrub (from the scrub man page, which describes the tool as "write patterns on disk/file"):

-f, --force
       Scrub even if target contains signature indicating it has already been scrubbed.

-S, --no-signature
       Do  not  write  scrub signature.  Scrub will not be able to ascertain if the disk has already been
       scrubbed.

-p, --pattern PATTERN
       Select the patterns to write.  nnsa selects patterns compliant with NNSA Policy Letter NAP-14.1-C;
       dod  selects patterns compliant with DoD 5220.22-M; bsi selects patterns recommended by the German
       Center of Security in Information Technologies (http://www.bsi.bund.de); old  selects  pre-version
       1.7  scrub  patterns;  and  fastold is old without the random pass.  gutmann is a 35-pass sequence
       described in Gutmann's paper cited below.  See STANDARDS below  for  more  detail.   random  is  a
       single  random  pass.   random2  is  two random passes.  schneier is the method described by Bruce
       Schneier in ''Applied Cryptography'' (1996) consisting of one 0x00 pass, one 0xff pass,  and  five
       random  passes.   pfitzner7  is Roy Pfitzner's 7-random-pass method.  pfitzner33 is Roy Pfitzner's
       33-random-pass method.  usarmy is the US Army AR380-19 method consisting of  one  0x00  pass,  one
       0xff pass, and a random pass.  Default: nnsa.

Additionally, you may run a destructive badblocks pass. It is a surface test rather than a wipe standard, but it writes four fixed patterns (0xaa, 0x55, 0xff, 0x00) over every block and reads each one back, so it overwrites the disk once more and, unlike scrub, tells you which blocks did not take the overwrite:

$ badblocks -wsv /dev/sdX

Checking for bad blocks in read-write mode
From block 0 to 234431063
Testing with pattern 0xaa: done
Reading and comparing: done
Testing with pattern 0x55: done
Reading and comparing: done
Testing with pattern 0xff: done
Reading and comparing: done
Testing with pattern 0x00: done
Reading and comparing: done
Pass completed, 0 bad blocks found. (0/0/0 errors)

Parameter explanation for badblocks (from the badblocks man page, which describes the tool as "search a device for bad blocks"):

-w     Use  write-mode  test.  With  this option, badblocks scans for bad blocks by writing some patterns
       (0xaa, 0x55, 0xff, 0x00) on every block of the device,  reading  every  block  and  comparing  the
       contents.  This option may not be combined with the -n option, as they are mutually exclusive.

-s     Show  the progress of the scan by writing out rough percentage completion of the current badblocks
       pass over the disk.  Note that badblocks may do multiple test passes over the disk, in  particular
       if the -p or -w option is requested by the user.
       
-v     Verbose mode.  Will write the number of read errors, write errors and data- corruptions to stderr.
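Both sequences shown above end with a 0x00 pass (scrub's nnsa pattern is random, random, 0x00, verify; badblocks -w finishes with 0x00), so after either one the whole device should read back as zeros. The following added example (not code from the original page) checks exactly that and reports the first offset that still holds data. It assumes GNU coreutils and diffutils (head -c, stat -c, cmp) and blockdev for block devices; the two 4 KiB files it builds for its self-test are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that a wipe that ended
# with a 0x00 pass really left the target all-zero, streaming it once through cmp.
# Assumptions: GNU head/stat/cmp; `blockdev` (util-linux) for block devices;
# run as root when the target is a device.

# Size in bytes of a regular file or a block device.
target_size() {
    [ -e "$1" ] || return 2
    size=$(stat -c %s -- "$1")           # stat reports 0 for block devices
    [ "$size" -gt 0 ] || size=$(blockdev --getsize64 "$1")
    echo "$size"
}

# verify_zeroed TARGET
# Prints "all-zero" and returns 0, or prints the 0-based offset of the first
# non-zero byte and returns 1 (2 on a read/size error).
verify_zeroed() {
    target=$1
    size=$(target_size "$target") || return 2
    if diff=$(head -c "$size" /dev/zero | LC_ALL=C cmp - "$target" 2>&1); then
        echo all-zero
        return 0
    fi
    # cmp reports the first differing position 1-based:
    # "differ: byte N" (older diffutils print "char N").
    pos=$(printf '%s\n' "$diff" | sed -n 's/.*differ: [a-z]* \([0-9][0-9]*\).*/\1/p')
    if [ -z "$pos" ]; then
        echo "cmp failed: $diff"
        return 2
    fi
    echo "residue at offset $((pos - 1))"
    return 1
}

# Self-contained demonstration on two constructed 4 KiB files: one all-zero and
# one with the six bytes "secret" left at offset 1000, the way a skipped or
# failed final pass would leave them. Prints both verdicts on one line.
self_test() {
    dir=$(mktemp -d) || return 2
    head -c 4096 /dev/zero > "$dir/clean"
    cp "$dir/clean" "$dir/dirty"
    printf 'secret' | dd of="$dir/dirty" bs=1 seek=1000 conv=notrunc 2>/dev/null
    clean=$(verify_zeroed "$dir/clean")
    dirty=$(verify_zeroed "$dir/dirty") || true
    rm -rf "$dir"
    echo "clean: $clean; dirty: $dirty"
}

# Stand-alone use: ./verify_zeroed.sh /dev/sdX   (no argument runs the self-test)
if [ $# -ge 1 ]; then
    verify_zeroed "$1"
else
    self_test
fi
```

A non-zero result after scrub or badblocks means a pass did not complete or the device is larger than the tool believed; re-check the size line scrub prints ("please verify that device size below is correct") against blockdev --getsize64 before running the wipe again.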

Option 3: Secure erase of directories/files with userspace tools

If you cannot wipe the whole disk (for example on an NFS share, or on a disk that has to stay in use), use scrub's free-space mode. This only overwrites the blocks the file system currently reports as free: file names and metadata in the journal, snapshots, and older copies kept by copy-on-write file systems (btrfs, ZFS) are not reached, and on SSDs the caveat from Option 2 applies:

$ cd /to/directory/to/wipe
$ scrub --freespace dump --force --no-signature --remove --pattern nnsa

The -X / --freespace option tells scrub to create the given directory (dump in this case) and fill it with files until write(2) returns ENOSPC (file system full), then scrub those files with the selected pattern; --remove deletes them afterwards. Run it as a user who may fill the file system (on many file systems root can write into the reserved blocks that ordinary users cannot), and if it is interrupted, delete the dump directory by hand to get the space back.

Shred is only a last resort. It overwrites a file in place and assumes the file system writes the new data over the old blocks, which does not hold for journaling file systems in data=journal mode, copy-on-write file systems, snapshots, compressed or deduplicated storage, network file systems with client-side caching, or SSDs. Even with -u the old file name can survive in the directory block and the journal, and the directories themselves are left in place:

$ find <directory> -depth -type f -exec shred -v -n3 -z -u {} \;

Parameter explanation for shred (from the shred man page, which describes the tool as "overwrite a file to hide its contents, and optionally delete it"):

-v, --verbose
       show progress

-n, --iterations=N
       overwrite N times instead of the default (3)
       
-z, --zero
       add a final overwrite with zeros to hide shredding

-u     deallocate and remove file after overwriting

References