NAME¶
wipe - securely erase files from magnetic media
SYNOPSIS¶
wipe [options] path1 path2 ... pathn
CURRENT-VERSION¶
This manual page describes version
0.22 of
wipe , released
November 2010.
DESCRIPTION¶
Recovery of supposedly erased data from magnetic media is easier than what many
people would like to believe. A technique called Magnetic Force Microscopy
(MFM) allows any moderately funded opponent to recover the last two or three
layers of data written to disk;
wipe repeatedly overwrites special
patterns to the files to be destroyed, using the fsync() call and/or the
O_SYNC bit to force disk access. In normal mode, 34 patterns are used (of
which 8 are random). These patterns were recommended in an article from Peter
Gutmann (pgut001@cs.auckland.ac.nz) entitled "Secure Deletion of Data
from Magnetic and Solid-State Memory". A quick mode allows you to use
only 4 passes with random patterns, which is of course much less secure.
NOTE ABOUT JOURNALING FILESYSTEMS AND SOME RECOMMENDATIONS (JUNE
2004)¶
Journaling filesystems (such as Ext3 or ReiserFS) are now being used by default
by most Linux distributions. No secure deletion program that does
filesystem-level calls can sanitize files on such filesystems, because
sensitive data and metadata can be written to the journal, which cannot be
readily accessed. Per-file secure deletion is better implemented in the
operating system.
Encrypting a whole partition with cryptoloop, for example, does not help very
much either, since there is a single key for all the partition.
Therefore
wipe is best used to sanitize a harddisk before giving it to
untrusted parties (i.e. sending your laptop for repair, or selling your disk).
Wiping size issues have been hopefully fixed (I apologize for the long delay).
Be aware that harddisks are quite intelligent beasts those days. They
transparently remap defective blocks. This means that the disk can keep an
albeit corrupted (maybe slightly) but inaccessible and unerasable copy of some
of your data. Modern disks are said to have about 100% transparent remapping
capacity. You can have a look at recent discussions on Slashdot.
I hereby speculate that harddisks can use the spare remapping area to secretly
make copies of your data. Rising totalitarianism makes this almost a
certitude. It is quite straightforward to implement some simple filtering
schemes that would copy potentially interesting data. Better, a harddisk can
probably detect that a given file is being wiped, and silently make a copy of
it, while wiping the original as instructed.
Recovering such data is probably easily done with secret IDE/SCSI commands. My
guess is that there are agreements between harddisk manufacturers and
government agencies. Well-funded mafia hackers should then be able to find
those secret commands too.
Don't trust your harddisk. Encrypt all your data.
Of course this shifts the trust to the computing system, the CPU, and so on. I
guess there are also "traps" in the CPU and, in fact, in every
sufficiently advanced mass-marketed chip. Wealthy nations can find those.
Therefore these are mainly used for criminal investigation and "control
of public dissent".
People should better think of their computing devices as facilities lended by
the DHS.
IMPORTANT WARNING -- READ CAREFULLY¶
The author, the maintainers or the contributors of this package can NOT be held
responsible in any way if
wipe destroys something you didn't want it to
destroy. Let's make this very clear. I want you to assume that this is a nasty
program that will wipe out parts of your files that you didn't want it to
wipe. So whatever happens after you launch
wipe is your entire
responsiblity. In particular, no one guarantees that
wipe will conform
to the specifications given in this manual page.
Similarly, we cannot guarantee that
wipe will actually erase data, or
that wiped data is not recoverable by advanced means. So if nasties get your
secrets because you sold a wiped harddisk to someone you don't know, well, too
bad for you.
The best way to sanitize a storage medium is to subject it to temperatures
exceeding 1500K. As a cheap alternative, you might use
wipe at your own
risk. Be aware that it is very difficult to assess whether running
wipe
on a given file will actually wipe it -- it depends on an awful lot of
factors, such as : the type of file system the file resides on (in particular,
whether the file system is a journaling one or not), the type of storage
medium used, and the least significant bit of the phase of the moon.
Wiping over NFS or over a journalling filesystem (ReiserFS etc.) will most
probably not work.
Therefore I strongly recommend to call
wipe directly on the corresponding
block device with the appropriate options. However
THIS IS AN EXTREMELY
DANGEROUS THING TO DO. Be sure to be sober. Give the right options. In
particular : don't wipe a whole harddisk (eg. wipe -kD /dev/hda is bad) since
this will destroy your master boot record. Bad idea. Prefer wiping partitions
(eg. wipe -kD /dev/hda2) is good, provided, of course, that you have backed up
all necessary data.
COMMAND-LINE OPTIONS¶
- -f (force; disable confirmation query)
- By default wipe will ask for confirmation,
indicating the number of regular and special files and directories
specified on the command line. You must type "yes" for
confirmation, "no" for rejection. You can disable the
confirmation query with the -f (force) option.
- -r (recurse into subdirectories)
- Will allow the removal of the entire directory tree.
Symbolic links are not followed.
- -c (chmod if necessary)
- If a file or directory to be wiped has no write permissions
set, will do a chmod to set the permission.
- -i (informational, verbose mode)
- This enables reporting to stdout. By default all data is
written to stderr.
- -s (silent mode)
- All messages, except the confirmation prompt and error
messages, are suppressed.
- -q (quick wipe)
- If this option is used, wipe will only make (by
default) 4 passes on each file, writing random data. See option -Q
- -Q <number-of-passes>
- Sets the number of passes for quick wiping. Default is 4.
- -a (abort on error)
- The program will exit with EXIT_FAILURE if a non-fatal
error is encountered.
- -R (set random device OR random seed command)
-
With this option which requires an argument you can specify an alternate
/dev/random device, or a command who's standard output will be hashed
using MD5-hashed. The distinction can be made using the -S option.
- -S (random seed method)
-
This option takes a single-character argument, which specifies how the
random device/random seed argument is to be used. The default random
device is /dev/random. It can be set using the -R option.
The possible single-character arguments are:
- r
- If you want the argument to be treated like a regular
file/character device. This will work with /dev/random, and might also
work with FIFOs and the like.
- c
- If you want the argument to be executed as a command. The
output from the command will be hashed using MD5 to provide the required
seed. See the WIPE_SEEDPIPE environment variable for more info.
- p
- If you want wipe to get its seed by hashing environment
variables, the current date and time, its process id. etc. (the random
device argument will not be used). This is of course the least secure
setting.
- -M (select pseudo-random number generator
algorythm)
-
During the random passes,
wipe overwrites the target files with a stream
of binary data, created by the following choice of algorythms:
- l
- will use (depending on your system) your libc's random() or
rand() pseudorandom generator. Note that on most systems, rand() is a
linear congruential generator, which is awfully weak. The choice is made
at compile-time with the HAVE_RANDOM define (see the Makefile).
- a
- will use the Arcfour stream cipher as a PRNG. Arcfour
happens to be compatible with the well-known RC4 cipher. This means that
under the same key, Arcfour generates exactly the same stream as
RC4...
- r
- will use the fresh RC6 algorythm as a PRNG; RC6 is keyed
with the 128-bit seed, and then a null block is repeatedly encrypted to
get the pseudo-random stream. I guess this sould be quite secure. Of
course RC6 with 20 rounds is slower than random(); the compile-time option
WEAK_RC6 allows you to use a 4-round version of RC6, which is faster. In
order to be able to use RC6, wipe must be compiled with ENABLE_RC6
defined; see the Makefile for warnings about patent issues.
In all cases the PRNG is seeded with the data gathered from the random
device (see -R and -S options).
- -l <length>
- As there can be some problems in determining the actual
size of a block device (as some devices do not even have fixed sizes, such
as floppy disks or tapes), you might need to specify the size of the
device by hand; <length> is the device capacity expressed as a
number of bytes. You can use K (Kilo) to specify multiplication by
1024, M (Mega) to specify multiplication by 1048576, G
(Giga) to specify multiplication by 1073741824 and b (block) to
specify multiplication by 512. Thus
-
1024 = 2b = 1K
-
20K33 = 20480+33 = 20513
114M32K = 114*1024*1024+32*1024.
- -o <offset>
- This allows you to specify an offset inside the file or
device to be wiped. The syntax of <offset> is the same as for the
-l option.
- -e
- Use exact file size: do not round up file size to wipe
possible remaining junk on the last block.
- -Z
- Don't try to wipe file sizes by repeatedly halving the file
size. Note that this is only attempted on regular files so there is no use
if you use wipe for cleaning a block or special device.
- -F
- Don't try to wipe file names. Normally, wipe tries
to cover file names by renaming them; this does NOT guarantee that the
physical location holding the old file name gets overwritten. Furthermore,
after renaming a file, the only way to make sure that the name change is
physically carried out is to call sync (), which flushes out ALL the disk
caches of the system, whereas for ading and writing one can use the O_SYNC
bit to get synchronous I/O for one file. As sync () is very slow, calling
sync () after every rename () makes filename wiping extremely slow.
- -k
- Keep files: do not unlink the files after they have been
overwritten. Useful if you want to wipe a device, while keeping the device
special file. This implies -F.
- -D
- Dereference symlinks: by default, wipe will never follow
symlinks. If you specify -D however, wipe will consent to, well, wipe the
targets of any symlinks you might happen to name on the command line. You
can't specify both -D and -r (recursive) options, first because of
possible cycles in the symlink-enhanced directory graph, I'd have to keep
track of visited files to guarantee termination, which, you'll easily
admit, is a pain in C, and, second, for fear of having a (surprise!!)
block device buried somewhere unexpected.
- -v
- Show version information and quit.
- -h
- Display help.
EXAMPLES¶
- wipe -rcf /home/berke/plaintext/
- Wipe every file and every directory (option -r) listed
under /home/berke/plaintext/, including /home/berke/plaintext/.
Regular files will be wiped with 34 passes and their sizes will then be
halved a random number of times. Special files (character and block
devices, FIFOs...) will not. All directory entries (files, special files
and directories) will be renamed 10 times and then unlinked. Things with
inappropriate permissions will be chmod()'ed (option -c). All of this will
happen without user confirmation (option -f).
- wipe -kq /dev/hda3
- Assuming /dev/hda3 is the block device corresponding to the
third partition of the master drive on the primary IDE interface, it will
be wiped in quick mode (option -q) i.e. with four random passes. The inode
won't be renamed or unlinked (option -k). Before starting, it will ask you
to type ``yes''.
- wipe -kqD /dev/floppy
- Since wipe never follows symlinks unless explicitly
told to do so, if you want to wipe /dev/floppy which happens to be a
symlink to /dev/fd0u1440 you will have to specify the -D option. Before
starting, it will ask you to type ``yes''.
- wipe -rfi >wipe.log /var/log/*
- Here, wipe will recursively (option -r) destroy everything
under /var/log, excepting /var/log. It will not attempt to chmod() things.
It will however be verbose (option -i). It won't ask you to type ``yes''
because of the -f option.
- wipe -Kq -l 1440k /dev/fd0
- Due to various idiosyncracies of the operating system, it's
not always easy to obtain the number of bytes a given device might contain
(in fact, that quantity can be variable). This is why you sometimes need
to tell wipe the amount of bytes to destroy. That's what the -l
option is for. Plus, you can use b,K,M and G as multipliers, respectively
for 2^9 (512), 2^10 (1024 or a Kilo), 2^20 (a Mega) and 2^30 (a Giga)
bytes. You can even combine more than one multiplier !! So that 1M416K =
1474560 bytes.
BUGS/LIMITATIONS¶
Wipe should work on harddisks and floppy disks; however the internal
cache of some harddisks might prevent the necessary writes to be done to the
magnetic surface. It would be funny to use it over NFS. Under CFS
(Cryptographic File System) the fsync() call has no effect; wipe has not much
use under it anyway - use wipe directly on the corresponding encrypted files.
Also, under Linux, when using a device mounted thru a loopback device,
synchronous I/O does not get propagated cleanly.
For wiping floppy disks, at least under Linux, there is no way, besides obscure
floppy-driver specific ioctl's to determine the block size of the disk. In
particular, the BLKGETSIZE ioctl is not implemented in the floppy driver. So,
for wiping floppies, you must specify the size of the floppy disk using the -l
option, as in the last example. This option is normally not needed for other
fixed block devices, like IDE and SCSI devices.
File name wiping is implemented since version 0.12. I don't know how efficient
it is. It first changes the name of the file to a random- generated name of
same length, calls sync (), then changes the name to a random-generated name
of maximal length.
File size wiping is implemented by repeatedly truncating the file to half of its
size, until it becomes empty; sync () is called between such operations.
Note that it is still not possible to file creation date and permission bits
portably. A wipe utility working at the block device level could be written
using the ext2fs library.
AUTHOR AND LICENCE¶
Wipe was written by Berke Durak (to find my email address, just type
echo berke1ouvaton2org|tr 12 @. in a shell).
Wipe is released under the conditions of the GNU General Public License.
FILES¶
/dev/random is used by default to seed the pseudo-random number
generators.
ENVIRONMENT VARIABLES¶
WIPE_SEEDPIPE If set,
wipe will execute the command specified in
it (using popen()), and will hash the command's output with the MD5
message-digest algorythm to get a 128-bit seed for its PRNG. For example, on
systems lacking a /dev/random device, this variable might be set in
/etc/profile to a shell script which contains various commands such as ls, ps,
who, last, etc. and which are run asynchronously in order to get an output as
less predictable as possible.
SEE ALSO¶
open(2),
fsync(2),
sync(8),
bdflush(2),
update(8),
random(3)