1WIPE(1)                          User Commands                         WIPE(1)
2
3
4

NAME

6       wipe - securely erase files from magnetic media
7

SYNOPSIS

9       wipe [options] path1 path2 ... pathn
10
11

CURRENT-VERSION

13       This  manual  page  describes version 0.21 of wipe , released September
14       2006.
15
16
17

DESCRIPTION

19       Recovery of supposedly erased data from magnetic media is  easier  than
20       what  many  people  would  like to believe. A technique called Magnetic
21       Force Microscopy (MFM) allows any moderately funded opponent to recover
22       the  last  two or three layers of data written to disk; wipe repeatedly
23       overwrites special patterns to the files to  be  destroyed,  using  the
24       fsync()  call  and/or  the  O_SYNC  bit to force disk access. In normal
25       mode, 34 patterns are used (of which 8 are random). These patterns were
26       recommended   in   an  article  from  Peter  Gutmann  (pgut001@cs.auck‐
27       land.ac.nz) entitled "Secure Deletion of Data from Magnetic and  Solid-
28       State Memory". A quick mode allows you to use only 4 passes with random
29       patterns, which is of course much less secure.
30
31

NOTE ABOUT JOURNALING FILESYSTEMS AND SOME RECOMMENDATIONS (JUNE 2004)

33       Journaling filesystems (such as Ext3 or ReiserFS) are now being used by
34       default  by  most Linux distributions.  No secure deletion program that
35       does filesystem-level calls can sanitize  files  on  such  filesystems,
36       because  sensitive  data  and  metadata  can be written to the journal,
37       which cannot be readily accessed.  Per-file secure deletion  is  better
38       implemented in the operating system.
39
40       Encrypting  a  whole  partition  with cryptoloop, for example, does not
41       help very much either, since there is a single key for all  the  parti‐
42       tion.
43
44       Therefore  wipe is best used to sanitize a harddisk before giving it to
45       untrusted parties (i.e. sending your laptop for repair, or selling your
46       disk).   Wiping  size issues have been hopefully fixed (I apologize for
47       the long delay).
48
49       Be aware that harddisks are quite intelligent beasts those days.   They
50       transparently  remap  defective  blocks.   This means that the disk can
51       keep  an  albeit  corrupted  (maybe  slightly)  but  inaccessible   and
52       unerasable  copy  of  some of your data.  Modern disks are said to have
53       about 100% transparent remapping capacity.  You  can  have  a  look  at
54       recent discussions on Slashdot.
55
56       I  hereby  speculate that harddisks can use the spare remapping area to
57       secretly make copies of your data.  Rising totalitarianism  makes  this
58       almost a certitude.  It is quite straightforward to implement some sim‐
59       ple filtering schemes that would  copy  potentially  interesting  data.
60       Better,  a  harddisk  can  probably  detect  that a given file is being
61       wiped, and silently make a copy of it, while  wiping  the  original  as
62       instructed.
63
64       Recovering  such data is probably easily done with secret IDE/SCSI com‐
65       mands.  My guess is that there are agreements between harddisk manufac‐
66       turers  and government agencies.  Well-funded mafia hackers should then
67       be able to find those secret commands too.
68
69       Don't trust your harddisk.  Encrypt all your data.
70
71       Of course this shifts the trust to the computing system, the  CPU,  and
72       so  on.   I  guess  there  are also "traps" in the CPU and, in fact, in
73       every sufficiently advanced mass-marketed chip.   Wealthy  nations  can
74       find those.  Therefore these are mainly used for criminal investigation
75       and "control of public dissent".
76
77       People should better think of their  computing  devices  as  facilities
78       lended by the DHS.
79
80

IMPORTANT WARNING -- READ CAREFULLY

82       The author, the maintainers or the contributors of this package can NOT
83       be held responsible in any way if wipe destroys  something  you  didn't
84       want  it  to destroy.  Let's make this very clear. I want you to assume
85       that this is a nasty program that will wipe out  parts  of  your  files
86       that  you  didn't want it to wipe. So whatever happens after you launch
87       wipe is your entire responsiblity.  In particular,  no  one  guarantees
88       that wipe will conform to the specifications given in this manual page.
89
90       Similarly,  we  cannot guarantee that wipe will actually erase data, or
91       that wiped data is not recoverable by advanced means.   So  if  nasties
92       get your secrets because you sold a wiped harddisk to someone you don't
93       know, well, too bad for you.
94
95       The best way to sanitize a storage medium is to subject it to  tempera‐
96       tures  exceeding  1500K.  As a cheap alternative, you might use wipe at
97       your own risk. Be aware that it is very  difficult  to  assess  whether
98       running  wipe on a given file will actually wipe it -- it depends on an
99       awful lot of factors, such as :  the  type  of  file  system  the  file
100       resides  on (in particular, whether the file system is a journaling one
101       or not), the type of storage medium used, and the least significant bit
102       of the phase of the moon.
103
104       Wiping  over  NFS or over a journalling filesystem (ReiserFS etc.) will
105       most probably not work.
106
107       Therefore I strongly recommend to call wipe directly on the correspond‐
108       ing  block  device  with  the  appropriate  options. However THIS IS AN
109       EXTREMELY DANGEROUS THING TO DO.  Be sure to be sober. Give  the  right
110       options.  In  particular  :  don't  wipe a whole harddisk (eg. wipe -kD
111       /dev/hda is bad) since this will destroy your master boot  record.  Bad
112       idea.  Prefer  wiping partitions (eg. wipe -kD /dev/hda2) is good, pro‐
113       vided, of course, that you have backed up all necessary data.
114
115

COMMAND-LINE OPTIONS

117       -f (force; disable confirmation query)
118            By default wipe will ask for confirmation, indicating  the  number
119            of regular and special files and directories specified on the com‐
120            mand line. You must type "yes" for confirmation, "no"  for  rejec‐
121            tion.  You  can disable the confirmation query with the -f (force)
122            option.
123
124
125       -r (recurse into subdirectories)
126            Will allow the removal of  the  entire  directory  tree.  Symbolic
127            links are not followed.
128
129
130       -c (chmod if necessary)
131            If  a  file or directory to be wiped has no write permissions set,
132            will do a chmod to set the permission.
133
134
135       -i (informational, verbose mode)
136            This enables reporting to stdout. By default all data  is  written
137            to stderr.
138
139
140       -s (silent mode)
141            All  messages,  except the confirmation prompt and error messages,
142            are suppressed.
143
144
145       -q (quick wipe)
146            If this option is used, wipe will only make (by default) 4  passes
147            on each file, writing random data. See option -Q
148
149
150       -Q <number-of-passes>
151            Sets the number of passes for quick wiping. Default is 4.
152
153
154       -a (abort on error)
155            The  program  will  exit with EXIT_FAILURE if a non-fatal error is
156            encountered.
157
158
159       -R (set random device OR random seed command)
160
161            With this option which requires an argument  you  can  specify  an
162            alternate  /dev/random  device, or a command who's standard output
163            will be hashed using MD5-hashed. The distinction can be made using
164            the -S option.
165
166
167       -S (random seed method)
168
169            This option takes a single-character argument, which specifies how
170            the random device/random seed argument is to be used. The  default
171            random device is /dev/random. It can be set using the -R option.
172
173       The possible single-character arguments are:
174       r    If you want the argument to be treated like a regular file/charac‐
175            ter device. This will work with /dev/random, and might  also  work
176            with FIFOs and the like.
177       c    If  you  want the argument to be executed as a command. The output
178            from the command will be hashed using MD5 to provide the  required
179            seed. See the WIPE_SEEDPIPE environment variable for more info.
180       p    If you want wipe to get its seed by hashing environment variables,
181            the current date and time, its process id. etc. (the random device
182            argument  will  not  be  used). This is of course the least secure
183            setting.
184
185       -M (select pseudo-random number generator algorythm)
186
187       During the random passes, wipe  overwrites  the  target  files  with  a
188       stream of binary data, created by the following choice of algorythms:
189       l    will use (depending on your system) your libc's random() or rand()
190            pseudorandom generator. Note that on most  systems,  rand()  is  a
191            linear  congruential  generator, which is awfully weak. The choice
192            is made at compile-time with the HAVE_RANDOM define (see the Make‐
193            file).
194       a    will  use  the Arcfour stream cipher as a PRNG. Arcfour happens to
195            be compatible with the well-known  RC4  cipher.  This  means  that
196            under  the  same key, Arcfour generates exactly the same stream as
197            RC4...
198       r    will use the fresh RC6 algorythm as a PRNG; RC6 is keyed with  the
199            128-bit seed, and then a null block is repeatedly encrypted to get
200            the pseudo-random stream.  I guess this sould be quite secure.  Of
201            course  RC6  with  20 rounds is slower than random(); the compile-
202            time option WEAK_RC6 allows you to use a 4-round version  of  RC6,
203            which is faster. In order to be able to use RC6, wipe must be com‐
204            piled with ENABLE_RC6 defined; see the Makefile for warnings about
205            patent issues.
206
207            In  all  cases  the PRNG is seeded with the data gathered from the
208            random device (see -R and -S options).
209
210       -l <length>
211            As there can be some problems in determining the actual size of  a
212            block  device  (as some devices do not even have fixed sizes, such
213            as floppy disks or tapes), you might need to specify the  size  of
214            the device by hand; <length> is the device capacity expressed as a
215            number of bytes. You can use K (Kilo) to specify multiplication by
216            1024,  M  (Mega) to specify multiplication by 1048576, G (Giga) to
217            specify multiplication by 1073741824 and b (block) to specify mul‐
218            tiplication by 512. Thus
219
220            1024 = 2b = 1K
221
222                                20K33 = 20480+33 = 20513
223
224                                114M32K = 114*1024*1024+32*1024.
225
226       -o <offset>
227            This  allows you to specify an offset inside the file or device to
228            be wiped. The syntax of <offset> is the same as for the -l option.
229
230       -e   Use exact file size: do not round up file size  to  wipe  possible
231            remaining junk on the last block.
232
233       -Z   Don't  try to wipe file sizes by repeatedly halving the file size.
234            Note that this is only attempted on regular files so there  is  no
235            use if you use wipe for cleaning a block or special device.
236
237       -F   Don't  try  to wipe file names. Normally, wipe tries to cover file
238            names by renaming them; this does NOT guarantee that the  physical
239            location holding the old file name gets overwritten.  Furthermore,
240            after renaming a file, the only way to make  sure  that  the  name
241            change is physically carried out is to call sync (), which flushes
242            out ALL the disk caches of the system, whereas for ading and writ‐
243            ing  one  can  use  the  O_SYNC bit to get synchronous I/O for one
244            file. As sync () is very slow, calling sync () after every  rename
245            () makes filename wiping extremely slow.
246
247       -k   Keep files: do not unlink the files after they have been overwrit‐
248            ten. Useful if you want to wipe a device, while keeping the device
249            special file. This implies -F.
250
251       -D   Dereference symlinks: by default, wipe will never follow symlinks.
252            If you specify -D however, wipe will consent to,  well,  wipe  the
253            targets  of  any  symlinks you might happen to name on the command
254            line.  You can't specify both -D and -r (recursive) options, first
255            because  of  possible  cycles  in  the  symlink-enhanced directory
256            graph, I'd have to keep track of visited files to guarantee termi‐
257            nation,  which,  you'll easily admit, is a pain in C, and, second,
258            for fear of having a (surprise!!) block  device  buried  somewhere
259            unexpected.
260
261       -v   Show version information and quit.
262
263       -h   Display help.
264

EXAMPLES

266       wipe -rcf /home/berke/plaintext/
267            Wipe  every  file  and  every  directory  (option -r) listed under
268            /home/berke/plaintext/, including /home/berke/plaintext/.
269
270            Regular files will be wiped with 34 passes and  their  sizes  will
271            then  be halved a random number of times. Special files (character
272            and block devices, FIFOs...)   will  not.  All  directory  entries
273            (files,  special  files  and directories) will be renamed 10 times
274            and then unlinked. Things with inappropriate permissions  will  be
275            chmod()'ed (option -c).  All of this will happen without user con‐
276            firmation (option -f).
277
278       wipe -kq /dev/hda3
279            Assuming /dev/hda3 is the block device corresponding to the  third
280            partition  of  the  master  drive on the primary IDE interface, it
281            will be wiped in quick mode (option  -q)  i.e.  with  four  random
282            passes.   The  inode  won't  be  renamed  or unlinked (option -k).
283            Before starting, it will ask you to type ``yes''.
284
285       wipe -kqD /dev/floppy
286            Since wipe never follows symlinks unless explicitly told to do so,
287            if  you  want to wipe /dev/floppy which happens to be a symlink to
288            /dev/fd0u1440 you will have  to  specify  the  -D  option.  Before
289            starting, it will ask you to type ``yes''.
290
291       wipe -rfi >wipe.log /var/log/*
292            Here,  wipe  will recursively (option -r) destroy everything under
293            /var/log, excepting /var/log.  It  will  not  attempt  to  chmod()
294            things.  It  will however be verbose (option -i). It won't ask you
295            to type ``yes'' because of the -f option.
296
297       wipe -Kq -l 1440k /dev/fd0
298            Due to various idiosyncracies of the operating  system,  it's  not
299            always  easy  to  obtain  the number of bytes a given device might
300            contain (in fact, that quantity can be variable). This is why  you
301            sometimes need to tell wipe the amount of bytes to destroy. That's
302            what the -l option is for. Plus, you can use b,K,M and G as multi‐
303            pliers, respectively for 2^9 (512), 2^10 (1024 or a Kilo), 2^20 (a
304            Mega) and 2^30 (a Giga) bytes.  You can even combine more than one
305            multiplier !! So that 1M416K = 1474560 bytes.
306

BUGS/LIMITATIONS

308       Wipe  should  work  on harddisks and floppy disks; however the internal
309       cache of some harddisks might prevent the necessary writes to  be  done
310       to  the  magnetic  surface. It would be funny to use it over NFS. Under
311       CFS (Cryptographic File System) the fsync() call has  no  effect;  wipe
312       has not much use under it anyway - use wipe directly on the correspond‐
313       ing encrypted files. Also, under Linux, when  using  a  device  mounted
314       thru  a  loopback  device,  synchronous  I/O  does  not  get propagated
315       cleanly.
316
317       For wiping floppy disks, at least under Linux, there is no way, besides
318       obscure  floppy-driver  specific ioctl's to determine the block size of
319       the disk. In particular, the BLKGETSIZE ioctl is not implemented in the
320       floppy  driver.  So,  for wiping floppies, you must specify the size of
321       the floppy disk using the -l option,  as  in  the  last  example.  This
322       option  is  normally not needed for other fixed block devices, like IDE
323       and SCSI devices.
324
325       File name wiping is implemented since version 0.12. I  don't  know  how
326       efficient  it  is.  It  first changes the name of the file to a random-
327       generated name of same length, calls sync (), then changes the name  to
328       a random-generated name of maximal length.
329
330       File  size  wiping  is implemented by repeatedly truncating the file to
331       half of its size, until it becomes empty; sync  ()  is  called  between
332       such operations.
333
334       Note that it is still not possible to file creation date and permission
335       bits portably. A wipe utility working at the block device  level  could
336       be written using the ext2fs library.
337

AUTHOR AND LICENCE

339       Wipe  was  written  by Berke Durak (to find my email address, just type
340       echo berke1ouvaton2org|tr 12 @.  in a shell).
341
342       Wipe is released  under  the  conditions  of  the  GNU  General  Public
343       License.
344

FILES

346       /dev/random is used by default to seed the pseudo-random number genera‐
347       tors.
348

ENVIRONMENT VARIABLES

350       WIPE_SEEDPIPE If set, wipe will execute the  command  specified  in  it
351       (using  popen()),  and will hash the command's output with the MD5 mes‐
352       sage-digest algorythm to get a 128-bit seed for its PRNG. For  example,
353       on  systems lacking a /dev/random device, this variable might be set in
354       /etc/profile to a shell script which contains various commands such  as
355       ls,  ps,  who,  last, etc. and which are run asynchronously in order to
356       get an output as less predictable as possible.
357

SEE ALSO

359       open(2), fsync(2), sync(8), bdflush(2), update(8), random(3)
360
361
362
363Linu                     Wed Sep 20 17:32:02 CEST 2006                 WIPE(1)
Impressum