How To Securely Destroy/Wipe Data On Hard Drives With shred

Submitted by falko on Mon, 2012-02-20 19:06.

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 01/19/2012

Sometimes you need to destroy or wipe data from hard drives (for example, before you sell your old hard drives on eBay) so that nobody else can access it. Simply deleting data (e.g. with rm) is not enough because that just removes the file system's pointer to the data, not the data itself, so it can easily be undeleted with recovery software. Even zeroing out your hard drive might not be enough. This is where shred comes into play: shred can overwrite files and partitions repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

shred can be used to wipe files and also partitions and hard drives. If you take a look at shred's man page...

man shred

... you might notice the following:

CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes:

* log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

* file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems

* file systems that make snapshots, such as Network Appliance's NFS server

* file systems that cache in temporary locations, such as NFS version 3 clients

* compressed file systems

In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the /etc/fstab file, as documented in the mount man page (man mount).

This is something you need to worry about only if you use shred to wipe files. However, as I want to wipe hard drives, I will use shred for whole partitions or hard drives in this tutorial.

 

2 Using shred

If you want to wipe your system partition, you must boot into a live system (such as Knoppix, the Ubuntu Live-CD, your hoster's rescue system, etc.). This is not needed if you don't want to wipe your system partition.

shred should already be installed. You can check with

which shred

If it isn't, you can install it as follows (Debian/Ubuntu/Knoppix):

apt-get install coreutils

As I said before, I want to use shred on partitions and hard drives. So, for example, to wipe the partition /dev/sda5, you can use

shred -vfz -n 10 /dev/sda5

-v: show progress

-f: change permissions to allow writing if necessary

-z: add a final overwrite with zeros to hide shredding

-n: overwrite N times instead of the default (3)

So this would overwrite /dev/sda5 ten times.

You can also use shred for RAID partitions, e.g.

shred -vfz -n 10 /dev/md1

And to wipe a full hard drive like /dev/sda, you can use

shred -vfz -n 10 /dev/sda

Please note that shred can take a long time, depending on the size of your partitions/hard drives and the number of runs (-n).
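
To confirm that a wipe actually completed, read the target back: because -z finishes with a pass of zeros, every byte should be 0x00 afterwards. The script below is an added example, not part of the original tutorial; the function names and the temporary image file standing in for a partition are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): wipe with shred, then verify the result.
# Because -z ends with a pass of zeros, a finished wipe must read back as all 0x00.

# count_nonzero TARGET: print how many bytes of TARGET are not 0x00.
count_nonzero() {
    n=$(tr -d '\000' < "$1" | wc -c)
    echo $((n))
}

# wipe_and_verify TARGET [PASSES]: run shred -f -z -n PASSES, then read the
# target back. Returns 0 only if shred succeeded and every byte is zero.
wipe_and_verify() {
    target=$1
    passes=${2:-3}
    shred -f -z -n "$passes" "$target" || return 2
    [ "$(count_nonzero "$target")" -eq 0 ]
}

# demo: exercise the functions on a throwaway 1 MiB image file that stands in
# for a partition such as /dev/sda5. All data below is constructed.
demo() {
    img=$(mktemp) || return 1
    {
        printf 'CONSTRUCTED-SECRET-0001'
        head -c 1048576 /dev/urandom
    } > "$img"

    before=$(count_nonzero "$img")
    grep -q 'CONSTRUCTED-SECRET-0001' "$img" || { rm -f "$img"; return 1; }

    wipe_and_verify "$img" 1
    status=$?

    # The marker must be gone after the wipe.
    if grep -q 'CONSTRUCTED-SECRET-0001' "$img"; then status=1; fi
    echo "non-zero bytes before: $before, after: $(count_nonzero "$img"), status: $status"
    rm -f "$img"
    return "$status"
}

demo
```

On a real device, pass the device path to wipe_and_verify instead of the image file. The read-back only covers the sectors the drive still exposes, not sectors the drive hardware has remapped.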


Submitted by Neo Jensson (not registered) on Wed, 2013-12-18 19:17.
ErAce will overwrite a hard disk 1-100 times. It is a stand-alone ISO image. The ISO can be burned to CD/DVD or to a USB stick, so it is possible to erase all hard drives in a system. It can be downloaded from erace.it or from sourceforge.
Submitted by Anonymous (not registered) on Fri, 2014-08-08 15:18.
Lame link to pay to download Linux ISO site. Let's take out most of the features of something free like knoppix or ubcd and make people pay to download it. Hate that kind of free software exploitation. Then we can spam useful cool articles and try to sell something they don't need if they read the article. As always, great article Falko.
Submitted by Benedikt Frenzel (not registered) on Tue, 2012-05-01 10:03.

Hey,
I think the best way to "destroy" your data is to just use full disk encryption, and if you want to destroy your data, change all the passphrases into 64 bytes of randomness.

echo $(cat /dev/urandom | head -c 256) > /tmp/luksslot0
cryptsetup luksAddKey /dev/disk/by-uuid/$uuid /tmp/luksslot2 --key-file /tmp/luksslot0
After this it will not matter if you use dd or shred to overwrite the partition

Submitted by David (not registered) on Fri, 2012-03-02 09:55.

Other comments here are correct - "shredding" or using other multi-pass overwrites on disks is a useless waste of time.  The "dd" command to zero out the whole disk is all you ever need to clear the disk.

If it were at all possible to read deleted data, there would be commercial companies offering the service.

 If you have good reason to be seriously paranoid (maybe you make nuclear missiles as a hobby), then no amount of overwriting will remove things like re-mapped disk sectors.  So you simply destroy the disk physically, such as by feeding the platters into a real shredder.

 For SSD's, as mentioned in another comment, it's a different matter (though it is incorrect to assume the data is encrypted).  The only way to wipe everything from the chips is to use low-level SATA secure wipe commands.  But the "dd" command is still good enough in most cases - you need soldering and electronic equipment to read the raw data off the memory chips.

Submitted by dakira (not registered) on Thu, 2012-02-23 21:48.

I can't believe people are still believing this "multiple-overwrite" crap. It is totally unnecessary! No one in the world will be able to recover a single byte of data from a harddrive that has been zero'd out like this:

dd if=/dev/zero of=/dev/sda bs=16M

Here's some background:

You can restore stuff from magnetic tapes that have been recorded over (like VHS or MC) because the original signal is not replaced but just dampened. So basically you can filter out the current signal and increase what is left to get a bad quality version of the previous signal. You can actually restore audio and video to some extent using this method.

Now a guy called Peter Gutmann theorized that the same should hold true for data on magnetic drives (i.e. harddisks). He has never proven that this could work nor has anyone ever done it. To the contrary. In a paper from a couple of years ago it has been (mathematically sound) proven to be impossible to restore any data from a drive that has been zero'd out.

Actually that is not quite true. You CAN restore data to some extent. With perfect conditions (i.e. knowing the exact physical position on the drive) you can restore a single bit with a chance of less than 20%. If you want to recover two consecutive bits, the probabilities multiply. So it is 0.2 x 0.2 = 0.04. A chance of 4% to rescue two consecutive bits. Now let's go for a full byte: 0.2^8 = 0.00000256 = 0.000256%.

Don't waste your time and the health of your drive doing this. And NEVER NEVER ever overwrite, zero-out or whatever an SSD drive. Everything I wrote above goes for magnetic HDDs and not for SSDs. SSDs are encrypted by default. If you want to secure-delete them, use the functions provided by the firmware of the SSD.

Submitted by Anonymous (not registered) on Sun, 2013-09-15 03:53.

SSDs are not "encrypted by default". If you take an SSD out of one computer and put it in another you can read ALL of the data. Wear leveling is not encryption. The storage on hard disks is a "signal", and it does remain. Just because it is a "digital" signal does not mean it isn't a signal. The read-write head has a specific size, and generates a magnetic field with an area of effect, which falls off by the inverse square of the distance from the head. This means reading and writing affect nearby bits as well.


If the probability of recovering a single bit is 20% (1 in 5) then it is possible to recover 20% of the disk (even if it is in non-sequential bits).  With that much recovered, and knowledge of a significant part of the drive, such as file descriptors,  headers, OS files, the file allocation table, NTFS alternate data streams, etc; it is possible to recover a large portion of the disk (granted it will be very time intensive).

So if you do some complex math you can figure out what the neighboring bits were and fill in the holes.

Submitted by Anonymous (not registered) on Thu, 2013-08-29 12:14.
Okay, I have worked in computer remarketing for a decade, basically what happens to computer systems after large businesses no longer require them. So, whilst I would never care enough to 3 pass my own hard drive, businesses want this performed to their equipment, and I derive employment out of this perception. So whether it is true or false means little to me at all, who am I to argue with those who want to put money in my wallet for leaving a desk of 100+ computers wiping for a couple of hours? Honestly, any data that is confidential, should really never leave the servers, or if it does, encrypted, and then if you really were that badly paranoid, crush the hard drive, do a Dexter and just drop it in the sea.
Submitted by Horst (not registered) on Fri, 2012-12-21 06:26.

you can restore a single bit with a chance of less than 20%

I get your gist, but your numbers don't make much sense. If my chances of restoring a single bit correctly are only 20%, then for each bit I attempt to recover, I should really go with its logical opposite and be 80% right every time. Maybe you mean a 20% higher chance than the 50:50 chance I have by guessing? If so, you need to adjust your math at the chances of correctly guessing a byte.

Submitted by M Warfield (not registered) on Wed, 2012-02-29 18:37.

Agreed!  NIST revoked that recommendation something like 12 years ago so the government recommendation is long gone and I don't even believe the DoD is doing this any more.  They decided that, particularly with high capacity drives, there is simply no need. 

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Specifically on Pg 14 it says:

Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk
type storage media. Basically the change in track density and the related changes in the storage medium have created
a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured
after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and
laboratory attack.

 

Submitted by Anonymous (not registered) on Thu, 2012-11-08 01:41.

New location for the document.
http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf

Submitted by sticks221 (not registered) on Wed, 2013-02-06 10:58.
Interestingly, I could not find the quoted paragraph in the new document. Moreover, pages 29-31 now suggest an optional multipass erase.
Submitted by Finalbrez (not registered) on Sun, 2013-05-19 18:09.
It's at the end of page 29, but it is in a different format.
Submitted by mdeslaur (not registered) on Wed, 2012-02-29 15:10.
There is no guarantee that your hard drive electronics aren't relocating writes on the actual disk platter also, so good luck with thinking that your data is all wiped.
Submitted by Anonymous (not registered) on Fri, 2012-03-02 01:17.

There is a small chance that zero-ing out a drive will miss sectors that the drive hardware has reallocated.

That's why "Secure Erase" (Google it) will overwrite everything, even sectors marked as bad. The drive's own electronics do the overwrite, you just tell it to start, and it reports when it's finished. It's the fastest method, as well. The Parted Magic live linux CD has a GUI interface to run Secure Erase.