Old 03-10-2008, 05:50 PM   #1
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Rep: Reputation: 15
Secure unused disk space wipes, dd and shred


I understand ext2 is the only viable file system to securely delete files and wipe unused areas of the disk due to no journaling.

Which is the most secure method for wiping unused areas of the disk;

1.) dd if=/dev/urandom of=/mnt/hda1 bs=4M

2.) dd if=/dev/urandom of=/mnt/hda1/foo.img bs=4M
shred -uvz -n 7 /mnt/hda1/foo.img

Is shredding a large artificially created file that takes up unused space on disk better than dd because you could control how many times you can write over the file with shred vs. only once with each dd operation?

Thank you
Akonbobot
 
Old 03-10-2008, 06:38 PM   #2
budword
Member
 
Registered: Apr 2003
Location: Wisconsin
Distribution: Switched to regular Ubuntu, because I don't like KDE4, at all. Looks like vista on crack.....
Posts: 675

Rep: Reputation: 31
You can wipe files just fine from an ext3 or journaled file system. The problem is in removing the file NAME. That'll stick around in weird spots. I'm no expert though, so take my advice with a grain or 3 of salt.

David
 
Old 03-10-2008, 07:43 PM   #3
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 12,230

Rep: Reputation: 1019
Quote:
Originally Posted by budword View Post
You can wipe files just fine from an ext3 or journaled file system.
Only if you can guarantee (*all*) updates are done "in-place". A default ext3 install is generally o.k.
Residual (log) data is the exposure, not the filename.

For general usage, simple overwriting (of any means) is generally sufficient. If you are trying to hide something from the "spooks", good luck ...
 
Old 03-10-2008, 08:13 PM   #4
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
Pardon me, I've misfocused the question, again...

In an ext2 file system, which method below is more secure for wiping unused disk space?

1.) dd if=/dev/urandom of=/mnt/hda1 bs=4M

2.) dd if=/dev/urandom of=/mnt/hda1/foo.img bs=4M
shred -uvz -n 7 /mnt/hda1/foo.img

Thank you.
Akonbobot
 
Old 03-10-2008, 09:14 PM   #5
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728
Quote:
Originally Posted by Akonbobot View Post
Pardon me, I've misfocused the question, again...

In an ext2 file system, which method below is more secure for wiping unused disk space?

1.) dd if=/dev/urandom of=/mnt/hda1 bs=4M

2.) dd if=/dev/urandom of=/mnt/hda1/foo.img bs=4M
shred -uvz -n 7 /mnt/hda1/foo.img

Thank you.
Akonbobot
First, if you are "wiping" an entire drive (or partitions) with a low-level command like dd, then the filesystem makes NO difference.

Second, using dd does not make sense for trying to erase just part of a partition (file system). (How would you know which part to erase?)

In example #2, what is your intent? It LOOKS like it would write random data to a file named "foo.img" on hda1 until either the partition or the entire drive was full. I don't think it erases anything, but I have no system that I can try it on.

The secure way to erase is with several passes of random data and all zeros.

Finally, I think "shred" is used for secure erase of just one file (or directory?)
 
Old 03-10-2008, 11:12 PM   #6
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
The intent is;
To securely wipe a single partition (/dev/hda1).


Method 1:
dd if=/dev/urandom of=/dev/hda1

Method 2:
sudo mount /dev/hda1 /media/hda1
dd if=/dev/zero of=/media/hda1/foo.img
shred -uvz -n 7 /media/hda1/foo.img

[Method 1] will write 1 pass, Method 2 creates a fake file (foo.img) until the disk is full, then uses shred to delete that file 7 times.

Does that mean that Method 2 is superior to a dd pass?

Thanks again.
Akonbobot
 
Old 03-11-2008, 06:03 AM   #7
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728
As I said, I don't know what method 2 does, and I have no machine on which I can take the risk of trying.

My hunch is that you are better off just writing directly to the raw device--multiple passes. I have never seen any actual data, but I would doubt that the average person would find anything after two random passes and then all zeros.
 
Old 03-11-2008, 06:11 AM   #8
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 296

Rep: Reputation: 49
sfill from the 'secure_deletion toolkit' might be what you are looking for. It wipes unused space on a drive. From the man page:
Code:
 The secure data deletion process of sfill goes like this:

       *      1 pass with 0xff

       *      5 random passes. /dev/urandom is used for a secure RNG if
              available.

       *      27 passes with special values defined by Peter Gutmann.

       *      5 random passes. /dev/urandom is used for a secure RNG if
              available.
Sounds pretty thorough.
 
Old 03-11-2008, 06:18 AM   #9
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728
Quote:
Originally Posted by rupertwh View Post
Sounds pretty thorough.
Sounds like overkill to me...

You can also use DBAN, which includes the military standard routines.
 
Old 03-11-2008, 06:49 AM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I have used something similar to zero-fill empty space on a partition before using dd to create an image. Such an image will compress better.

Use df to determine how many blocks are left. Use the same block size in your dd command as the df command shows and use number of free blocks for the "count=" in the dd command. You may need to subtract a block from the count to leave space for the directory change. Then you can use shred on the file as well. More than 5 sweeps is probably overkill.

Your first method would wipe out files as well as free space.
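
The df, dd and shred procedure described in the post above, as an added example that is not part of the original thread. The function names, the filler file name wipe-filler.img, the 1 KiB block size and the default of 3 passes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): fill free space with a file, then shred it.
# Function names, the filler file name and the default values are assumptions.

# Print the free space, in 1 KiB blocks, of the filesystem that holds directory $1.
free_kblocks() {
    # -P gives one POSIX-format line per filesystem; field 4 is "Available".
    # Assumes the device name contains no spaces.
    df -P -k "$1" | awk 'NR == 2 { print $4 }'
}

# Write $2 zero-filled 1 KiB blocks to a filler file in $1, then overwrite and
# unlink it with shred. $3 is the number of random passes (default 3).
fill_and_shred() {
    fs_dir=$1
    blocks=$2
    passes=${3:-3}
    filler="$fs_dir/wipe-filler.img"   # hypothetical file name

    [ "$blocks" -gt 0 ] || return 1    # nothing to wipe, or filesystem already full

    # dd may stop early with "No space left on device"; whatever it managed to
    # allocate is still shredded below, so its exit status is ignored.
    dd if=/dev/zero of="$filler" bs=1024 count="$blocks" 2>/dev/null || :
    [ -f "$filler" ] || return 1
    sync                               # make sure the blocks are really allocated

    # -n passes of random data, -z final pass of zeros, -u remove the file.
    shred -n "$passes" -z -u "$filler"
}

# Wipe the free space of the filesystem holding $1, leaving $2 blocks
# (default 1) unallocated for the directory update.
wipe_free_space() {
    avail=$(free_kblocks "$1") || return 1
    fill_and_shred "$1" "$((avail - ${2:-1}))"
}
```

Calling wipe_free_space /media/hda1 fills that filesystem until shred removes the filler, so anything else writing there at the same time can fail for lack of space. On ext2 and ext3 the Available figure from df excludes the blocks reserved for root, so those blocks are not covered by this method.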
 
Old 03-14-2008, 01:01 AM   #11
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
I think you can just do 'shred /dev/hda1', without the unlink (-u). If you're really concerned about wiping, you may wish to use /dev/random, which is stronger "randomness" than urandom, but will take much longer.

From the manpage:
Quote:
Delete FILE(s) if --remove (-u) is specified. The default is not to
remove the files because it is common to operate on device files like
/dev/hda, and those files usually should not be removed.

The method of writing a file then shredding the file might not consume all the space that was on the partition, depending on how it is written to the filesystem.

As far as journaling filesystems go, ext3, xfs and friends- I've heard they are not acceptable for secure deletion.

http://www.slac.stanford.edu/comp/un...ure-erase.html

Quote:
One major problem with all of these utilities is that most modern file systems use techniques called "journaling" or "logging" to help prevent file system corruption. Unfortunately, these techniques can also make it nearly impossible to ensure that all traces of a file's data get overwritten unless you are willing to completely wipe out all data on the disk.
In fact, Gentoo's Portage specifically warns about sfill,srm etc:

http://www.gentooportage.info/portag...re-delete.html

Quote:
ewarn "sfill and srm are useless on journaling filesystems,"
ewarn "such as reiserfs or XFS."
ewarn "See documentation for more information."
Make sure you're taking care of swap space, too.
 
  

