scrub(1)                                                              scrub(1)

NAME

       scrub - write patterns on disk/file

SYNOPSIS

       scrub [OPTIONS] special-file
       scrub [OPTIONS] file
       scrub -X [OPTIONS] directory

DESCRIPTION

       Scrub iteratively writes patterns on files or disk devices to make
       retrieving the data more difficult.  Scrub operates in one of three
       modes:

       1) The special file corresponding to an entire disk is scrubbed and all
       data on it is destroyed.  This mode is selected if file is a character
       or block special file.  This is the most effective method.

       2) A regular file is scrubbed and only the data in the file (and
       optionally its name in the directory entry) is destroyed.  The file
       size is rounded up to fill out the last file system block.  This mode
       is selected if file is a regular file.  See CAVEATS below.

       3) directory is created and filled with files until the file system is
       full, then the files are scrubbed as in 2).  This mode is selected with
       the -X option.  See CAVEATS below.

OPTIONS

       Scrub accepts the following options:

       -v, --version
              Print scrub version and exit.

       -r, --remove
              Remove the file after scrubbing.

       -p, --pattern PATTERN
              Select the patterns to write.  See SCRUB METHODS below.  The
              default, nnsa, is reasonable for sanitizing modern PRML/EPRML
              encoded disk devices.

       -b, --blocksize blocksize
              Perform read(2) and write(2) calls using the specified blocksize
              (in bytes).  K, M, or G may be appended to the number to change
              the units to KiBytes, MiBytes, or GiBytes, respectively.
              Default: 4M.

       -f, --force
              Scrub even if target contains signature indicating it has
              already been scrubbed.

       -S, --no-signature
              Do not write scrub signature.  Later, scrub will not be able to
              ascertain if the disk has already been scrubbed.

       -X, --freespace
              Create specified directory and fill it with files until write
              returns ENOSPC (file system full), then scrub the files as
              usual.  The size of each file can be set with -s, otherwise it
              will be the maximum file size creatable given the user's file
              size limit or 1g if unlimited.

       -D, --dirent newname
              After scrubbing the file, scrub its name in the directory entry,
              then rename it to the new name.  The scrub patterns used on the
              directory entry are constrained by the operating system and thus
              are not compliant with cited standards.

       -s, --device-size size
              Override the device size (in bytes).  Without this option, scrub
              determines media capacity using OS-specific ioctl(2) calls.  K,
              M, or G may be appended to the number to change the units to
              KiBytes, MiBytes, or GiBytes, respectively.

       -L, --no-link
              If file is a symbolic link, do not scrub the link target.  Do
              remove it, however, if --remove is specified.

       -R, --no-hwrand
              Don't use a hardware random number generator even if one is
              available.

       -t, --no-threads
              Don't generate random data in parallel with I/O.

       -h, --help
              Print a summary of command line options on stderr.

SCRUB METHODS

       nnsa   4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing
              removable and non-removable hard disks, which requires
              overwriting all locations with a pseudorandom pattern twice and
              then with a known pattern: random(x2), 0x00, verify.

       dod    4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing
              removable and non-removable rigid disks, which requires
              overwriting all addressable locations with a character, its
              complement, a random character, then verify.  NOTE: scrub
              performs the random pass first to make verification easier:
              random, 0x00, 0xff, verify.

       bsi    9-pass method recommended by the German Center of Security in
              Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe,
              0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.

       gutmann
              The canonical 35-pass sequence described in Gutmann's paper
              cited below.

       schneier
              7-pass method described by Bruce Schneier in "Applied
              Cryptography" (1996): 0x00, 0xff, random(x5).

       pfitzner7
              Roy Pfitzner's 7-random-pass method: random(x7).

       pfitzner33
              Roy Pfitzner's 33-random-pass method: random(x33).

       usarmy US Army AR380-19 method: 0x00, 0xff, random.  (Note: identical
              to DoD 5220.22-M section 8-306 procedure (e) for sanitizing
              magnetic core memory).

       fillzero
              1-pass pattern: 0x00.

       fillff 1-pass pattern: 0xff.

       random 1-pass pattern: random(x1).

       random2
              2-pass pattern: random(x2).

       old    6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00,
              0x55, verify.

       fastold
              5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.

       custom=string
              1-pass custom pattern.  String may contain C-style numerical
              escapes: \nnn (octal) or \xnn (hex).

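       The dod sequence listed above (random, 0x00, 0xff, verify) applied to
       a regular file, with the size rounded up to a whole block as in mode
       2.  This is an added example, not scrub's own code; the function
       names and the 4096-byte default block size are assumptions, and GNU
       coreutils is assumed.

```shell
#!/bin/sh
# Added illustration, not scrub's source: the "dod" pass order from SCRUB
# METHODS (random, 0x00, 0xff, verify) applied to a regular file.
# Assumes GNU coreutils (head -c, dd status=none conv=fsync, cmp).

# round_up SIZE BLOCK -> SIZE rounded up to a whole number of blocks
round_up() {
    echo $(( ($1 + $2 - 1) / $2 * $2 ))
}

# pattern_bytes PATTERN NBYTES -> exactly NBYTES of the pass pattern on stdout
pattern_bytes() {
    case $1 in
        random) head -c "$2" /dev/urandom ;;
        0x00)   head -c "$2" /dev/zero ;;
        0xff)   head -c "$2" /dev/zero | LC_ALL=C tr '\000' '\377' ;;
        *)      return 2 ;;
    esac
}

# write_pass FILE NBYTES PATTERN -> overwrite in place, flush before returning
write_pass() {
    pattern_bytes "$3" "$2" |
        dd of="$1" bs=64k conv=notrunc,fsync status=none
}

# verify_pass FILE NBYTES PATTERN -> 0 only if FILE is exactly NBYTES of PATTERN
verify_pass() {
    pattern_bytes "$3" "$2" | cmp -s - "$1"
}

# scrub_dod FILE [BLOCKSIZE] -> run all passes; BLOCKSIZE (default 4096) is a
# stand-in for the file system block size
scrub_dod() {
    file=$1
    bs=${2:-4096}
    [ -f "$file" ] || return 1
    size=$(round_up "$(wc -c < "$file")" "$bs")
    for pass in random 0x00 0xff; do
        write_pass "$file" "$size" "$pass" || return 1
    done
    verify_pass "$file" "$size" 0xff
}
```

       Because the writes go through the file system, the limits described
       under CAVEATS apply to this example exactly as they do to scrub's
       regular-file mode.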

CAVEATS

       Scrub may be insufficient to thwart heroic efforts to recover data in
       an appropriately equipped lab.  If you need this level of protection,
       physical destruction is your best bet.

       The effectiveness of scrubbing regular files through a file system will
       be limited by the OS and file system.  File systems that are known to
       be problematic are journaled, log structured, copy-on-write, versioned,
       and network file systems.  If in doubt, scrub the raw disk device.

       Scrubbing free blocks in a file system with the -X method is subject to
       the same caveats as scrubbing regular files, and in addition, is only
       useful to the extent the file system allows you to reallocate the
       target blocks as data blocks in a new file.  If in doubt, scrub the raw
       disk device.

       On MacOS X HFS file system, scrub attempts to overwrite a file's
       resource fork if it exists.  Although MacOS X claims it will support
       additional named forks in the future, scrub is only aware of the
       traditional data and resource forks.

       scrub cannot access disk blocks that have been spared out by the disk
       controller.  For SATA/PATA drives, the ATA "security erase" command
       built into the drive controller can do this.  Similarly, the ATA
       "enhanced security erase" can erase data on track edges and between
       tracks.  The DOS utility HDDERASE from the UCSD Center for Magnetic
       Recording Research can issue these commands, as can modern versions of
       Linux hdparm.  Unfortunately, the analogous SCSI command is optional
       according to T-10, and not widely implemented.

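       A pre-flight check for the file system caveats above, to run before
       scrubbing a regular file or using -X.  This is an added example, not
       part of scrub; the mapping from Linux file system type names to the
       categories named in CAVEATS is an assumption of the example, as are
       the function names, and findmnt from util-linux is assumed.

```shell
#!/bin/sh
# Added example, not part of scrub.  The type-to-category table is an
# assumption of this example, keyed on Linux file system type names.

# classify_fs TYPE -> a category named in CAVEATS, "none-listed" or "unknown"
classify_fs() {
    case $1 in
        btrfs|zfs|bcachefs)                    echo copy-on-write ;;
        f2fs|nilfs2|jffs2|ubifs)               echo log-structured ;;
        nfs*|cifs|smb*|ceph|9p|afs|fuse.sshfs) echo network ;;
        ext3|ext4|xfs|jfs|reiserfs|ntfs*)      echo journaled ;;  # as normally created
        ext2|vfat|msdos|exfat)                 echo none-listed ;;
        *)                                     echo unknown ;;
    esac
}

# fs_type_of PATH -> type of the file system that holds PATH
fs_type_of() {
    findmnt -n -o FSTYPE -T "$1"
}

# scrub_preflight PATH [TYPE] -> 0 if none of the listed categories applies,
# 1 otherwise.  TYPE overrides detection (useful for testing).
# Typical use: scrub_preflight /tmp/scrubme && scrub /tmp/scrubme
scrub_preflight() {
    fstype=${2:-$(fs_type_of "$1")}
    class=$(classify_fs "$fstype")
    case $class in
        none-listed)
            return 0 ;;
        unknown)
            echo "$1: file system '$fstype' not recognised;" \
                 "if in doubt, scrub the raw disk device" >&2 ;;
        *)
            echo "$1: $fstype is $class; earlier copies of the data" \
                 "may survive a file-mode scrub" >&2 ;;
    esac
    return 1
}
```

       A return of 0 only means that none of the listed categories matched;
       it says nothing about blocks spared out by the disk controller.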

EXAMPLES

       To scrub a raw device /dev/sdf1 with default NNSA patterns:

              # scrub /dev/sdf1
              scrub: using NNSA NAP-14.1-C patterns
              scrub: please verify that device size below is correct!
              scrub: scrubbing /dev/sdf1 1995650048 bytes (~1GB)
              scrub: random  |................................................|
              scrub: random  |................................................|
              scrub: 0x00    |................................................|
              scrub: verify  |................................................|

       To scrub the file /tmp/scrubme with a sequence of 0xff 0xaa bytes:

              # scrub -p custom="\xff\xaa" /tmp/scrubme
              scrub: using Custom single-pass patterns
              scrub: scrubbing /tmp/scrubme 78319616 bytes (~74MB)
              scrub: 0xffaa  |................................................|

AUTHOR

       Jim Garlick <garlick@llnl.gov>

       This work was produced at the University of California, Lawrence
       Livermore National Laboratory under Contract No. W-7405-ENG-48 with the
       DOE.  Designated UCRL-CODE-2003-006, scrub is licensed under terms of
       the GNU General Public License.

SEE ALSO

       DoD 5220.22-M, "National Industrial Security Program Operating Manual",
       Chapter 8, 01/1995.

       NNSA Policy Letter: NAP-14.1-C, "Clearing, Sanitizing, and Destroying
       Information System Storage Media, Memory Devices, and other Related
       Hardware", 05-02-08, page XVI-8.

       "Secure Deletion of Data from Magnetic and Solid-State Memory", by
       Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
       22-25, 1996.

       "Gutmann Method", Wikipedia,
       http://en.wikipedia.org/wiki/Gutmann_method.

       Darik's Boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html

       "Tutorial on Disk Drive Data Sanitization", by Gordon Hughes and Tom
       Coughlin,
       http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf.

       "Guidelines for Media Sanitization", NIST special publication 800-88,
       Kissel et al, September, 2006.

       shred(1), hdparm(8)