scrub(1)                             scrub                            scrub(1)

NAME

       scrub - write patterns on disk/file

SYNOPSIS

       scrub [OPTIONS] special-file
       scrub [OPTIONS] file
       scrub -X [OPTIONS] directory

DESCRIPTION

       Scrub iteratively writes patterns on files or disk devices to make
       retrieving the data more difficult.  Scrub operates in one of three
       modes:

       1) The special file corresponding to an entire disk is scrubbed and all
       data on it is destroyed.  This mode is selected if file is a character
       or block special file.  This is the most effective method.

       2) A regular file is scrubbed and only the data in the file (and
       optionally its name in the directory entry) is destroyed.  The file
       size is rounded up to fill out the last file system block.  This mode
       is selected if file is a regular file.  See CAVEATS below.

       3) directory is created and filled with files until the file system is
       full, then the files are scrubbed as in 2).  This mode is selected with
       the -X option.  See CAVEATS below.

OPTIONS

       Scrub accepts the following options:

       -v, --version
              Print scrub version and exit.

       -r, --remove
              Remove the file after scrubbing.

       -p, --pattern PATTERN
              Select the patterns to write.  See SCRUB METHODS below.  The
              default, nnsa, is reasonable for sanitizing modern PRML/EPRML
              encoded disk devices.

       -b, --blocksize blocksize
              Perform read(2) and write(2) calls using the specified blocksize
              (in bytes).  K, M, or G may be appended to the number to change
              the units to KiBytes, MiBytes, or GiBytes, respectively.
              Default: 4M.

       -f, --force
              Scrub even if target contains signature indicating it has
              already been scrubbed.

       -S, --no-signature
              Do not write scrub signature.  Later, scrub will not be able to
              ascertain if the disk has already been scrubbed.

       -X, --freespace
              Create specified directory and fill it with files until write
              returns ENOSPC (file system full), then scrub the files as
              usual.  The size of each file can be set with -s, otherwise it
              will be the maximum file size creatable given the user's file
              size limit or 1g if unlimited.

       -D, --dirent newname
              After scrubbing the file, scrub its name in the directory entry,
              then rename it to the new name.  The scrub patterns used on the
              directory entry are constrained by the operating system and thus
              are not compliant with cited standards.

       -s, --device-size size
              Override the device size (in bytes).  Without this option, scrub
              determines media capacity using OS-specific ioctl(2) calls.  K,
              M, or G may be appended to the number to change the units to
              KiBytes, MiBytes, or GiBytes, respectively.

       -L, --no-link
              If file is a symbolic link, do not scrub the link target.  Do
              remove it, however, if --remove is specified.

       -R, --no-hwrand
              Don't use a hardware random number generator even if one is
              available.

       -t, --no-threads
              Don't generate random data in parallel with I/O.

       -h, --help
              Print a summary of command line options on stderr.

       -E, --extent-only
              When scrubbing regular files, scrub only the file extents.  This
              option is useful in combination with large sparse files.  If
              used, scrub will skip the holes in the sparse file.  Use this
              option with caution: the result may not be compliant with cited
              standards and information about the actual on-disk data
              allocation may leak since only the allocated parts will be
              scrubbed.

SCRUB METHODS

       nnsa   4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing
              removable and non-removable hard disks, which requires
              overwriting all locations with a pseudorandom pattern twice and
              then with a known pattern: random(x2), 0x00, verify.

       dod    4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing
              removable and non-removable rigid disks which requires
              overwriting all addressable locations with a character, its
              complement, a random character, then verify.  NOTE: scrub
              performs the random pass first to make verification easier:
              random, 0x00, 0xff, verify.

       bsi    9-pass method recommended by the German Center of Security in
              Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe,
              0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.

       gutmann
              The canonical 35-pass sequence described in Gutmann's paper
              cited below.

       schneier
              7-pass method described by Bruce Schneier in "Applied
              Cryptography" (1996): 0x00, 0xff, random(x5)

       pfitzner7
              Roy Pfitzner's 7-random-pass method: random(x7).

       pfitzner33
              Roy Pfitzner's 33-random-pass method: random(x33).

       usarmy US Army AR380-19 method: 0x00, 0xff, random.  (Note: identical
              to DoD 5220.22-M section 8-306 procedure (e) for sanitizing
              magnetic core memory).

       fillzero
              1-pass pattern: 0x00.

       fillff 1-pass pattern: 0xff.

       random 1-pass pattern: random(x1).

       random2
              2-pass pattern: random(x2).

       old    6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00,
              0x55, verify.

       fastold
              5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.

       custom=string
              1-pass custom pattern.  String may contain C-style numerical
              escapes: \nnn (octal) or \xnn (hex).

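       The pass sequences listed above, applied to a regular file (mode 2), as
       an added Python illustration that is not scrub's own code.  The function
       names, the use of st_blksize as the file system block size, and the
       reading of "verify" as a read-back comparison against the last fill
       byte are assumptions.

```python
import os
import tempfile

# Pass lists transcribed from SCRUB METHODS above. "random" and "verify" are
# keywords; any integer is a fill byte written to every location.
METHODS = {
    "nnsa": ["random", "random", 0x00, "verify"],
    "dod": ["random", 0x00, 0xFF, "verify"],
    "usarmy": [0x00, 0xFF, "random"],
    "fastold": [0x00, 0xFF, 0xAA, 0x55, "verify"],
}

def rounded_size(path):
    """File size rounded up to fill out the last file system block."""
    st = os.stat(path)
    block = st.st_blksize or 4096  # assumption: st_blksize is the fs block
    return -(-st.st_size // block) * block

def run_passes(path, method, chunk=1 << 20):
    """Apply every pass of `method` to `path`; return the bytes covered."""
    size = rounded_size(path)
    fill = None  # last known fill byte, which is what "verify" checks
    with open(path, "r+b") as f:
        for step in METHODS[method]:
            f.seek(0)
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                if step == "verify":
                    # Assumption: verify re-reads and compares with `fill`.
                    if fill is None or f.read(n) != bytes([fill]) * n:
                        raise OSError(f"verify failed at offset {off}")
                else:
                    f.write(os.urandom(n) if step == "random" else bytes([step]) * n)
            if step != "verify":
                f.flush()
                os.fsync(f.fileno())  # push this pass out before the next one
                fill = None if step == "random" else step
    return size

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample secret\n" * 200)  # constructed input
    covered = run_passes(tmp.name, "nnsa")
    print(covered, "bytes scrubbed;", open(tmp.name, "rb").read(16))
    os.unlink(tmp.name)
```

       As the CAVEATS section states for scrub itself, overwriting through a
       journaled or copy-on-write file system does not guarantee that the
       original blocks are the ones rewritten.
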
CAVEATS

       Scrub may be insufficient to thwart heroic efforts to recover data in
       an appropriately equipped lab.  If you need this level of protection,
       physical destruction is your best bet.

       The effectiveness of scrubbing regular files through a file system will
       be limited by the OS and file system.  File systems that are known to
       be problematic are journaled, log structured, copy-on-write, versioned,
       and network file systems.  If in doubt, scrub the raw disk device.

       Scrubbing free blocks in a file system with the -X method is subject to
       the same caveats as scrubbing regular files, and in addition, is only
       useful to the extent the file system allows you to reallocate the
       target blocks as data blocks in a new file.  If in doubt, scrub the raw
       disk device.

       On MacOS X HFS file system, scrub attempts to overwrite a file's
       resource fork if it exists.  Although MacOS X claims it will support
       additional named forks in the future, scrub is only aware of the
       traditional data and resource forks.

       scrub cannot access disk blocks that have been spared out by the disk
       controller.  For SATA/PATA drives, the ATA "security erase" command
       built into the drive controller can do this.  Similarly, the ATA
       "enhanced security erase" can erase data on track edges and between
       tracks.  The DOS utility HDDERASE from the UCSD Center for Magnetic
       Recording Research can issue these commands, as can modern versions of
       Linux hdparm.  Unfortunately, the analogous SCSI command is optional
       according to T-10, and not widely implemented.

EXAMPLES

       To scrub a raw device /dev/sdf1 with default NNSA patterns:

              # scrub /dev/sdf1
              scrub: using NNSA NAP-14.1-C patterns
              scrub: please verify that device size below is correct!
              scrub: scrubbing /dev/sdf1 1995650048 bytes (~1GB)
              scrub: random  |................................................|
              scrub: random  |................................................|
              scrub: 0x00    |................................................|
              scrub: verify  |................................................|

       To scrub the file /tmp/scrubme with a sequence of 0xff 0xaa bytes:

              # scrub -p custom="\xff\xaa" /tmp/scrubme
              scrub: using Custom single-pass patterns
              scrub: scrubbing /tmp/scrubme 78319616 bytes (~74MB)
              scrub: 0xffaa  |................................................|

AUTHOR

       Jim Garlick <garlick@llnl.gov>

       This work was produced at the University of California, Lawrence
       Livermore National Laboratory under Contract No. W-7405-ENG-48 with the
       DOE.  Designated UCRL-CODE-2003-006, scrub is licensed under terms of
       the GNU General Public License.

SEE ALSO

       DoD 5220.22-M, "National Industrial Security Program Operating Manual",
       Chapter 8, 01/1995.

       NNSA Policy Letter: NAP-14.1-C, "Clearing, Sanitizing, and Destroying
       Information System Storage Media, Memory Devices, and other Related
       Hardware", 05-02-08, page XVI-8.

       "Secure Deletion of Data from Magnetic and Solid-State Memory", by
       Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
       22-25, 1996.

       "Gutmann Method", Wikipedia,
       http://en.wikipedia.org/wiki/Gutmann_method.

       Darik's Boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html

       "Tutorial on Disk Drive Data Sanitization", by Gordon Hughes and Tom
       Coughlin,
       http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf.

       "Guidelines for Media Sanitization", NIST special publication 800-88,
       Kissel et al, September, 2006.

       shred(1), hdparm(8)

scrub-2.5.2                       2012-06-20                          scrub(1)