Sunday, December 6, 2009

Shredding files from your hard disk


When you normally 'delete' a file from your hard disk, its contents are not actually removed from the disk. Instead, only the information that such a file exists is removed, and the storage space occupied by the file is made available for reuse. It is therefore possible to recover deleted files as long as those disk areas have not been overwritten. There are a variety of tools to recover deleted files, but this post is about deleting files permanently and thereby eliminating the possibility of recovery.

One of my hard disks had failed and, since it was under warranty, I wanted to return it to the service centre. Before that, I wanted to make sure that all files on the disk were destroyed. The following gives the steps to wipe out files from the disk using a Linux machine.


The shred utility

The 'shred' program repeatedly overwrites a file's contents so that it's nearly impossible to recover the original data. shred writes specially designed patterns over the file's contents in several passes to maximise the damage done to the original data.

To shred one file, use the following command:
shred --verbose filename

By default, shred uses 3 overwrite passes. You can change this with the -n option. You may wish to do more passes on more sensitive files, or fewer passes on ordinary files to save time.

The following command does 2 overwrite passes on a file:
shred --verbose -n 2 filename

If you want the file to be deleted after shredding, do this:
shred --verbose --remove filename
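To show what the options above (repeated passes, -n, --remove) actually do to a file, here is an added illustration written for this post; it is not coreutils code. It reimplements a simplified shred in Python (random-byte passes plus an optional zero pass, then an obscuring rename and unlink), and the caveat in the docstring is the one the shred manual itself gives for journaling and copy-on-write filesystems.

```python
import os
import secrets
import tempfile

# Added illustration, not coreutils code: a simplified multi-pass overwrite that
# mirrors `shred -n N [-z] [--remove] FILE` (real shred uses tuned bit patterns).
CHUNK = 64 * 1024

def _overwrite_pass(fd, size, make_block):
    os.lseek(fd, 0, os.SEEK_SET)
    for off in range(0, size, CHUNK):
        os.write(fd, make_block(min(CHUNK, size - off)))
    os.fsync(fd)  # push this pass to the disk before starting the next one

def shred_file(path, passes=3, zero_final=False, remove=False):
    """Overwrite PATH in place PASSES times with random bytes, optionally add a
    final zero pass (like -z) and unlink it (like --remove). Returns passes done.
    Caveat: only effective where the filesystem rewrites blocks in place; journaling
    or copy-on-write filesystems and SSD wear levelling can keep old copies."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: keep the size so every block is hit
    try:
        for _ in range(passes):
            _overwrite_pass(fd, size, secrets.token_bytes)
        if zero_final:
            _overwrite_pass(fd, size, bytes)  # bytes(n) is n zero bytes
    finally:
        os.close(fd)
    if remove:
        # Like --remove: give the file a meaningless name first so the original
        # filename does not linger in the directory entry, then unlink it.
        tmp = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
        os.rename(path, tmp)
        os.unlink(tmp)
    return passes + (1 if zero_final else 0)

def demo():
    # Constructed self-check on a throwaway file: (passes, overwritten, still_exists)
    path = os.path.join(tempfile.mkdtemp(), "secret.txt")
    original = b"TOP SECRET " * 1000  # constructed sample content
    with open(path, "wb") as f:
        f.write(original)
    passes = shred_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    overwritten = after != original and len(after) == len(original)
    passes += shred_file(path, passes=1, zero_final=True, remove=True)
    return passes, overwritten, os.path.exists(path)
```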

shred cannot process directories recursively by itself. You can use the find command as below to shred all regular files inside a directory recursively (add --remove to the shred command if you also want the files deleted afterwards):
cd target_dir
find . -type f -exec shred '{}' \;


If you want an entire partition shredded, the easier way is to first unmount the partition and then run:
shred --verbose /dev/sdxx

Make sure you substitute sdxx with the appropriate device for your target partition (sda1, sdb5, etc.). Double-check the device name before running this, since shred will destroy whatever partition you point it at.



A less secure, but simpler alternative

If you're not too bothered about security, and are not paranoid about government agents conducting magnetic force microscopy on your HDD to recover your sensitive files, then you can simply overwrite the partition once with zeros.

This ought to be enough for most purposes:
dd if=/dev/zero of=/dev/sdxx bs=1M



For the absolutely paranoid

  1. You have your filesystem encrypted to begin with, don't you?

  2. Use shred with 25 passes

  3. As the shred manual says: the best way to remove something irretrievably is to destroy the media it's on with acid, melt it down, or the like

  4. Don't give your HDD to the service centre. Bury it (or what's left of it after step 3) in your backyard instead and buy a new one.


More info
Run info coreutils 'shred invocation' to learn more about the shred program.
Read this for some theory on file recovery and secure deletion.
