File: scrub.1.in

.TH scrub 1 "@META_DATE@" "@META_ALIAS@" "@META_NAME@"
.SH NAME
scrub \- write patterns on disk/file
.SH SYNOPSIS
.B scrub
.I "[OPTIONS] special-file"
.br
.B scrub
.I "[OPTIONS] file"
.br
.B scrub
.I "-X [OPTIONS] directory"
.SH DESCRIPTION
.B Scrub
iteratively writes patterns on files or disk devices
to make retrieving the data more difficult.  
.B Scrub 
operates in one of three modes: 
.LP
1) The special file corresponding to an entire disk is scrubbed and
all data on it is destroyed.  This mode is selected if 
.I "file"
is a character or block special file.  This is the most effective method.
.LP
2) A regular file is scrubbed and only the data in the file (and optionally
its name in the directory entry) is destroyed.  
The file size is rounded up to fill out the last file system block.
This mode is selected if 
.I "file"
is a regular file.  
See CAVEATS below.
.LP
3) 
.I "directory"
is created and filled with files until the file system is full, 
then the files are scrubbed as in 2). This mode is selected with the
.I "-X" 
option.  See CAVEATS below.
.SH OPTIONS
.B Scrub 
accepts the following options:
.TP
\fI-v\fR, \fI--version\fR
Print scrub version and exit.
.TP
\fI-r\fR, \fI--remove\fR
Remove the file after scrubbing.
.TP
\fI-p\fR, \fI--pattern\fR \fIPATTERN\fR
Select the patterns to write.  See SCRUB METHODS below.
The default, \fInnsa\fR, is reasonable for sanitizing modern
PRML/EPRML encoded disk devices.
.TP
\fI-b\fR, \fI--blocksize\fR \fIblocksize\fR
Perform read(2) and write(2) calls using the specified blocksize (in bytes).  
.I "K,"
.I "M,"
or 
.I "G"
may be appended to the number to change the units to
KiBytes, MiBytes, or GiBytes, respectively.
Default: 1M.
.TP
\fI-f\fR, \fI--force\fR
Scrub even if target contains signature indicating it has already been
scrubbed.
.TP
\fI-S\fR, \fI--no-signature\fR
Do not write scrub signature.  Later,
.B scrub 
will not be able to ascertain if the disk has already been scrubbed.
.TP
\fI-X\fR, \fI--freespace\fR
Create the specified directory and fill it with files until
write returns ENOSPC (file system full), then scrub the files as usual.
The size of each file can be set with \fI-s\fR; otherwise it will be
the maximum file size creatable given the user's file size limit, or
1g if unlimited.
.TP
\fI-D\fR, \fI--dirent\fR \fInewname\fR
After scrubbing the file, scrub its name in the directory entry, 
then rename it to the new name.  
The scrub patterns used on the directory entry are constrained by the 
operating system and thus are not compliant with cited standards.
.TP
\fI-s\fR, \fI--device-size\fR \fIsize\fR
Override the device size (in bytes). Without this option,
.B scrub
determines media capacity using OS-specific ioctl(2) calls.
.I "K,"
.I "M,"
or 
.I "G"
may be appended to the number to change the units to
KiBytes, MiBytes, or GiBytes, respectively.
.TP
\fI-L\fR, \fI--no-link\fR
If \fIfile\fR is a symbolic link, do not scrub the link target.
Do remove it, however, if \fI--remove\fR is specified.
.TP
\fI-h\fR, \fI--help\fR
Print a summary of command line options on stderr.
.SH SCRUB METHODS
.TP
.I "nnsa"
4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing
Removable and non-removable hard disks, which requires overwriting all
locations with a pseudorandom pattern twice and then with a known pattern:
\fBrandom(x2), 0x00, verify\fR.
.TP
.I "dod"
4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing removable
and non-removable rigid disks which requires overwriting all addressable
locations with a character, its complement, a random character, then verify.
NOTE: \fBscrub\fR performs the random pass first to make verification
easier: \fBrandom, 0x00, 0xff, verify\fR.
.TP
.I "bsi"
9-pass method recommended by the German Center of Security in Information
Technologies (http://www.bsi.bund.de):
\fB0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f\fR.
.TP
.I "gutmann"
The canonical 35-pass sequence described in Gutmann's paper cited below.
.TP
.I "schneier"
7-pass method described by Bruce Schneier in "Applied Cryptography" (1996):
\fB0x00, 0xff, random(x5)\fR
.TP
.I "pfitzner7"
Roy Pfitzner's 7-random-pass method:
\fBrandom(x7)\fR.
.TP
.I "pfitzner33"
Roy Pfitzner's 33-random-pass method:
\fBrandom(x33)\fR.
.TP
.I "usarmy"
US Army AR380-19 method:
\fB0x00, 0xff, random\fR.
(Note: identical to DoD 5220.22-M section 8-306 procedure (e)
for sanitizing magnetic core memory).
.TP
.I "fillzero"
1-pass pattern: \fB0x00\fR.
.TP
.I "fillff"
1-pass pattern: \fB0xff\fR.
.TP
.I "random"
1-pass pattern: \fBrandom(x1)\fR.
.TP
.I "random2"
2-pass pattern: \fBrandom(x2)\fR.
.TP
.I "old"
6-pass pre-version 1.7 scrub method:
\fB0x00, 0xff, 0xaa, 0x00, 0x55, verify\fR.
.TP
.I "fastold"
5-pass pattern:
\fB0x00, 0xff, 0xaa, 0x55, verify\fR.
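The pass sequences above, as an added C example (not scrub's own code): a method is applied to a regular file one pass at a time, the file is padded to whole blocks, and a trailing verify pass reads the data back against the preceding fixed pattern. The pass tables, do_pass and scrub_file are names assumed here for illustration.

```c
/* Added example, not scrub's own code: apply one of the pass sequences above to
 * a regular file; PASS_VERIFY reads it back against the preceding fixed byte. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PASS_VERIFY (-1)   /* read back; must equal the previous fixed byte */
#define PASS_RANDOM (-2)   /* fill with bytes read from /dev/urandom */
/* Pass tables in the order the method descriptions above give them. */
static const int nnsa_passes[]    = { PASS_RANDOM, PASS_RANDOM, 0x00, PASS_VERIFY };
static const int fastold_passes[] = { 0x00, 0xff, 0xaa, 0x55, PASS_VERIFY };

/* One pass over the file, rounded up to whole blocks of bs bytes (the "fill out
 * the last block" note above).  Returns 0, or -1 on I/O error or verify mismatch. */
static int do_pass(int fd, off_t size, size_t bs, int pass, int prev, int urfd)
{
    unsigned char *buf = malloc(bs), *chk = malloc(bs);
    int rc = (buf && chk && lseek(fd, 0, SEEK_SET) == 0) ? 0 : -1;
    off_t done;
    for (done = 0; rc == 0 && done < size; done += (off_t)bs) {
        if (pass == PASS_VERIFY) {
            if (prev < 0) { rc = -1; break; }      /* a random pass cannot be verified */
            memset(chk, prev, bs);
            if (read(fd, buf, bs) != (ssize_t)bs || memcmp(buf, chk, bs)) rc = -1;
        } else {
            if (pass == PASS_RANDOM) { if (read(urfd, buf, bs) != (ssize_t)bs) rc = -1; }
            else memset(buf, pass, bs);
            if (rc == 0 && write(fd, buf, bs) != (ssize_t)bs) rc = -1;
        }
    }
    if (rc == 0 && pass != PASS_VERIFY && fsync(fd) != 0) rc = -1; /* push to media */
    free(buf); free(chk);
    return rc;
}

/* Apply a whole method to path.  Returns 0 on success, -1 otherwise. */
int scrub_file(const char *path, const int *passes, size_t npasses, size_t bs)
{
    struct stat sb;
    int fd = open(path, O_RDWR), urfd = open("/dev/urandom", O_RDONLY), rc = 0;
    if (fd < 0 || urfd < 0 || fstat(fd, &sb) != 0) rc = -1;
    for (size_t i = 0; rc == 0 && i < npasses; i++)
        rc = do_pass(fd, sb.st_size, bs, passes[i], i ? passes[i - 1] : PASS_RANDOM, urfd);
    if (fd >= 0) close(fd);
    if (urfd >= 0) close(urfd);
    return rc;
}
```

As the CAVEATS section notes, overwriting through a journaled, log-structured or copy-on-write file system gives no assurance that the old blocks were reached; the verify pass only confirms what the file system now returns for the file.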
.SH CAVEATS
.B Scrub 
may be insufficient to thwart heroic efforts to recover data 
in an appropriately equipped lab.  If you need this level of
protection, physical destruction is your best bet.
.PP
The effectiveness of scrubbing regular files through a file system
will be limited by the OS and file system.  File systems that are
known to be problematic are journaled, log structured, copy-on-write, 
versioned, and network file systems.  If in doubt, scrub the raw disk device.
.PP
Scrubbing free blocks in a file system with the
.I "-X"
method is subject to the same caveats as scrubbing regular files,
and in addition, is only useful to the extent the file system allows 
you to reallocate the target blocks as data blocks in a new file.
If in doubt, scrub the raw disk device.
.PP
On MacOS X HFS file system,
.B scrub 
attempts to overwrite a file's resource fork if it exists.
Although MacOS X claims it will support additional named forks in the future,
.B scrub 
is only aware of the traditional data and resource forks.
.PP
.B scrub
cannot access disk blocks that have been spared out by the disk controller.
For SATA/PATA drives, the ATA "security erase" command built into the drive
controller can do this.  Similarly, the ATA "enhanced security erase" can
erase data on track edges and between tracks.
The DOS utility HDDERASE from the UCSD Center for Magnetic
Recording Research can issue these commands, as can modern versions
of Linux \fBhdparm\fR.
Unfortunately, the analogous SCSI command is optional according to T-10,
and not widely implemented.
.SH AUTHOR
Jim Garlick <garlick@llnl.gov>
.LP
This work was produced at the University of California, 
Lawrence Livermore National Laboratory under Contract
No. W-7405-ENG-48 with the DOE.
Designated UCRL-CODE-2003-006, scrub is licensed under terms of the GNU 
General Public License.
.SH SEE ALSO
DoD 5220.22-M, "National Industrial Security Program Operating Manual", 
Chapter 8, 01/1995.
.LP
NNSA Policy Letter: NAP-14.1-C, "Clearing, Sanitizing, and 
Destroying Information System Storage Media, Memory Devices, and other 
Related Hardware", 05-02-08, page XVI-8.
.LP
"Secure Deletion of Data from Magnetic and Solid-State Memory", by Peter 
Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July 22-25, 1996.
.LP
"Gutmann Method", Wikipedia, http://en.wikipedia.org/wiki/Gutmann_method.
.LP
Darik's Boot and Nuke FAQ:
http://dban.sourceforge.net/faq/index.html
.LP
"Tutorial on Disk Drive Data Sanitization", by Gordon Hughes and Tom Coughlin,
.br
http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf.
.LP
"Guidelines for Media Sanitization", NIST special publication 800-88,
Kissel et al, September, 2006.
.LP
shred(1), hdparm(8)