1WIPE(1) User Commands WIPE(1)
2
3
4
6 wipe - securely erase files from magnetic media
7
9 wipe [options] path1 path2 ... pathn
10
11
13 This manual page describes version 0.21 of wipe , released September
14 2006.
15
16
17
19 Recovery of supposedly erased data from magnetic media is easier than
20 what many people would like to believe. A technique called Magnetic
21 Force Microscopy (MFM) allows any moderately funded opponent to recover
22 the last two or three layers of data written to disk; wipe repeatedly
23 overwrites special patterns to the files to be destroyed, using the
24 fsync() call and/or the O_SYNC bit to force disk access. In normal
25 mode, 34 patterns are used (of which 8 are random). These patterns were
26 recommended in an article from Peter Gutmann (pgut001@cs.auck‐
27 land.ac.nz) entitled "Secure Deletion of Data from Magnetic and Solid-
28 State Memory". A quick mode allows you to use only 4 passes with random
29 patterns, which is of course much less secure.
30
31
33 Journaling filesystems (such as Ext3 or ReiserFS) are now being used by
34 default by most Linux distributions. No secure deletion program that
35 does filesystem-level calls can sanitize files on such filesystems,
36 because sensitive data and metadata can be written to the journal,
37 which cannot be readily accessed. Per-file secure deletion is better
38 implemented in the operating system.
39
40 Encrypting a whole partition with cryptoloop, for example, does not
41 help very much either, since there is a single key for all the parti‐
42 tion.
43
44 Therefore wipe is best used to sanitize a harddisk before giving it to
45 untrusted parties (i.e. sending your laptop for repair, or selling your
46 disk). Wiping size issues have been hopefully fixed (I apologize for
47 the long delay).
48
49 Be aware that harddisks are quite intelligent beasts those days. They
50 transparently remap defective blocks. This means that the disk can
51 keep an albeit corrupted (maybe slightly) but inaccessible and
52 unerasable copy of some of your data. Modern disks are said to have
53 about 100% transparent remapping capacity. You can have a look at
54 recent discussions on Slashdot.
55
56 I hereby speculate that harddisks can use the spare remapping area to
57 secretly make copies of your data. Rising totalitarianism makes this
58 almost a certitude. It is quite straightforward to implement some sim‐
59 ple filtering schemes that would copy potentially interesting data.
60 Better, a harddisk can probably detect that a given file is being
61 wiped, and silently make a copy of it, while wiping the original as
62 instructed.
63
64 Recovering such data is probably easily done with secret IDE/SCSI com‐
65 mands. My guess is that there are agreements between harddisk manufac‐
66 turers and government agencies. Well-funded mafia hackers should then
67 be able to find those secret commands too.
68
69 Don't trust your harddisk. Encrypt all your data.
70
71 Of course this shifts the trust to the computing system, the CPU, and
72 so on. I guess there are also "traps" in the CPU and, in fact, in
73 every sufficiently advanced mass-marketed chip. Wealthy nations can
74 find those. Therefore these are mainly used for criminal investigation
75 and "control of public dissent".
76
77 People should better think of their computing devices as facilities
78 lended by the DHS.
79
80
82 The author, the maintainers or the contributors of this package can NOT
83 be held responsible in any way if wipe destroys something you didn't
84 want it to destroy. Let's make this very clear. I want you to assume
85 that this is a nasty program that will wipe out parts of your files
86 that you didn't want it to wipe. So whatever happens after you launch
87 wipe is your entire responsiblity. In particular, no one guarantees
88 that wipe will conform to the specifications given in this manual page.
89
90 Similarly, we cannot guarantee that wipe will actually erase data, or
91 that wiped data is not recoverable by advanced means. So if nasties
92 get your secrets because you sold a wiped harddisk to someone you don't
93 know, well, too bad for you.
94
95 The best way to sanitize a storage medium is to subject it to tempera‐
96 tures exceeding 1500K. As a cheap alternative, you might use wipe at
97 your own risk. Be aware that it is very difficult to assess whether
98 running wipe on a given file will actually wipe it -- it depends on an
99 awful lot of factors, such as : the type of file system the file
100 resides on (in particular, whether the file system is a journaling one
101 or not), the type of storage medium used, and the least significant bit
102 of the phase of the moon.
103
104 Wiping over NFS or over a journalling filesystem (ReiserFS etc.) will
105 most probably not work.
106
107 Therefore I strongly recommend to call wipe directly on the correspond‐
108 ing block device with the appropriate options. However THIS IS AN
109 EXTREMELY DANGEROUS THING TO DO. Be sure to be sober. Give the right
110 options. In particular : don't wipe a whole harddisk (eg. wipe -kD
111 /dev/hda is bad) since this will destroy your master boot record. Bad
112 idea. Prefer wiping partitions (eg. wipe -kD /dev/hda2) is good, pro‐
113 vided, of course, that you have backed up all necessary data.
114
115
117 -f (force; disable confirmation query)
118 By default wipe will ask for confirmation, indicating the number
119 of regular and special files and directories specified on the com‐
120 mand line. You must type "yes" for confirmation, "no" for rejec‐
121 tion. You can disable the confirmation query with the -f (force)
122 option.
123
124
125 -r (recurse into subdirectories)
126 Will allow the removal of the entire directory tree. Symbolic
127 links are not followed.
128
129
130 -c (chmod if necessary)
131 If a file or directory to be wiped has no write permissions set,
132 will do a chmod to set the permission.
133
134
135 -i (informational, verbose mode)
136 This enables reporting to stdout. By default all data is written
137 to stderr.
138
139
140 -s (silent mode)
141 All messages, except the confirmation prompt and error messages,
142 are suppressed.
143
144
145 -q (quick wipe)
146 If this option is used, wipe will only make (by default) 4 passes
147 on each file, writing random data. See option -Q
148
149
150 -Q <number-of-passes>
151 Sets the number of passes for quick wiping. Default is 4.
152
153
154 -a (abort on error)
155 The program will exit with EXIT_FAILURE if a non-fatal error is
156 encountered.
157
158
159 -R (set random device OR random seed command)
160
161 With this option which requires an argument you can specify an
162 alternate /dev/random device, or a command who's standard output
163 will be hashed using MD5-hashed. The distinction can be made using
164 the -S option.
165
166
167 -S (random seed method)
168
169 This option takes a single-character argument, which specifies how
170 the random device/random seed argument is to be used. The default
171 random device is /dev/random. It can be set using the -R option.
172
173 The possible single-character arguments are:
174 r If you want the argument to be treated like a regular file/charac‐
175 ter device. This will work with /dev/random, and might also work
176 with FIFOs and the like.
177 c If you want the argument to be executed as a command. The output
178 from the command will be hashed using MD5 to provide the required
179 seed. See the WIPE_SEEDPIPE environment variable for more info.
180 p If you want wipe to get its seed by hashing environment variables,
181 the current date and time, its process id. etc. (the random device
182 argument will not be used). This is of course the least secure
183 setting.
184
185 -M (select pseudo-random number generator algorythm)
186
187 During the random passes, wipe overwrites the target files with a
188 stream of binary data, created by the following choice of algorythms:
189 l will use (depending on your system) your libc's random() or rand()
190 pseudorandom generator. Note that on most systems, rand() is a
191 linear congruential generator, which is awfully weak. The choice
192 is made at compile-time with the HAVE_RANDOM define (see the Make‐
193 file).
194 a will use the Arcfour stream cipher as a PRNG. Arcfour happens to
195 be compatible with the well-known RC4 cipher. This means that
196 under the same key, Arcfour generates exactly the same stream as
197 RC4...
198 r will use the fresh RC6 algorythm as a PRNG; RC6 is keyed with the
199 128-bit seed, and then a null block is repeatedly encrypted to get
200 the pseudo-random stream. I guess this sould be quite secure. Of
201 course RC6 with 20 rounds is slower than random(); the compile-
202 time option WEAK_RC6 allows you to use a 4-round version of RC6,
203 which is faster. In order to be able to use RC6, wipe must be com‐
204 piled with ENABLE_RC6 defined; see the Makefile for warnings about
205 patent issues.
206
207 In all cases the PRNG is seeded with the data gathered from the
208 random device (see -R and -S options).
209
210 -l <length>
211 As there can be some problems in determining the actual size of a
212 block device (as some devices do not even have fixed sizes, such
213 as floppy disks or tapes), you might need to specify the size of
214 the device by hand; <length> is the device capacity expressed as a
215 number of bytes. You can use K (Kilo) to specify multiplication by
216 1024, M (Mega) to specify multiplication by 1048576, G (Giga) to
217 specify multiplication by 1073741824 and b (block) to specify mul‐
218 tiplication by 512. Thus
219
220 1024 = 2b = 1K
221
222 20K33 = 20480+33 = 20513
223
224 114M32K = 114*1024*1024+32*1024.
225
226 -o <offset>
227 This allows you to specify an offset inside the file or device to
228 be wiped. The syntax of <offset> is the same as for the -l option.
229
230 -e Use exact file size: do not round up file size to wipe possible
231 remaining junk on the last block.
232
233 -Z Don't try to wipe file sizes by repeatedly halving the file size.
234 Note that this is only attempted on regular files so there is no
235 use if you use wipe for cleaning a block or special device.
236
237 -F Don't try to wipe file names. Normally, wipe tries to cover file
238 names by renaming them; this does NOT guarantee that the physical
239 location holding the old file name gets overwritten. Furthermore,
240 after renaming a file, the only way to make sure that the name
241 change is physically carried out is to call sync (), which flushes
242 out ALL the disk caches of the system, whereas for ading and writ‐
243 ing one can use the O_SYNC bit to get synchronous I/O for one
244 file. As sync () is very slow, calling sync () after every rename
245 () makes filename wiping extremely slow.
246
247 -k Keep files: do not unlink the files after they have been overwrit‐
248 ten. Useful if you want to wipe a device, while keeping the device
249 special file. This implies -F.
250
251 -D Dereference symlinks: by default, wipe will never follow symlinks.
252 If you specify -D however, wipe will consent to, well, wipe the
253 targets of any symlinks you might happen to name on the command
254 line. You can't specify both -D and -r (recursive) options, first
255 because of possible cycles in the symlink-enhanced directory
256 graph, I'd have to keep track of visited files to guarantee termi‐
257 nation, which, you'll easily admit, is a pain in C, and, second,
258 for fear of having a (surprise!!) block device buried somewhere
259 unexpected.
260
261 -v Show version information and quit.
262
263 -h Display help.
264
266 wipe -rcf /home/berke/plaintext/
267 Wipe every file and every directory (option -r) listed under
268 /home/berke/plaintext/, including /home/berke/plaintext/.
269
270 Regular files will be wiped with 34 passes and their sizes will
271 then be halved a random number of times. Special files (character
272 and block devices, FIFOs...) will not. All directory entries
273 (files, special files and directories) will be renamed 10 times
274 and then unlinked. Things with inappropriate permissions will be
275 chmod()'ed (option -c). All of this will happen without user con‐
276 firmation (option -f).
277
278 wipe -kq /dev/hda3
279 Assuming /dev/hda3 is the block device corresponding to the third
280 partition of the master drive on the primary IDE interface, it
281 will be wiped in quick mode (option -q) i.e. with four random
282 passes. The inode won't be renamed or unlinked (option -k).
283 Before starting, it will ask you to type ``yes''.
284
285 wipe -kqD /dev/floppy
286 Since wipe never follows symlinks unless explicitly told to do so,
287 if you want to wipe /dev/floppy which happens to be a symlink to
288 /dev/fd0u1440 you will have to specify the -D option. Before
289 starting, it will ask you to type ``yes''.
290
291 wipe -rfi >wipe.log /var/log/*
292 Here, wipe will recursively (option -r) destroy everything under
293 /var/log, excepting /var/log. It will not attempt to chmod()
294 things. It will however be verbose (option -i). It won't ask you
295 to type ``yes'' because of the -f option.
296
297 wipe -Kq -l 1440k /dev/fd0
298 Due to various idiosyncracies of the operating system, it's not
299 always easy to obtain the number of bytes a given device might
300 contain (in fact, that quantity can be variable). This is why you
301 sometimes need to tell wipe the amount of bytes to destroy. That's
302 what the -l option is for. Plus, you can use b,K,M and G as multi‐
303 pliers, respectively for 2^9 (512), 2^10 (1024 or a Kilo), 2^20 (a
304 Mega) and 2^30 (a Giga) bytes. You can even combine more than one
305 multiplier !! So that 1M416K = 1474560 bytes.
306
308 Wipe should work on harddisks and floppy disks; however the internal
309 cache of some harddisks might prevent the necessary writes to be done
310 to the magnetic surface. It would be funny to use it over NFS. Under
311 CFS (Cryptographic File System) the fsync() call has no effect; wipe
312 has not much use under it anyway - use wipe directly on the correspond‐
313 ing encrypted files. Also, under Linux, when using a device mounted
314 thru a loopback device, synchronous I/O does not get propagated
315 cleanly.
316
317 For wiping floppy disks, at least under Linux, there is no way, besides
318 obscure floppy-driver specific ioctl's to determine the block size of
319 the disk. In particular, the BLKGETSIZE ioctl is not implemented in the
320 floppy driver. So, for wiping floppies, you must specify the size of
321 the floppy disk using the -l option, as in the last example. This
322 option is normally not needed for other fixed block devices, like IDE
323 and SCSI devices.
324
325 File name wiping is implemented since version 0.12. I don't know how
326 efficient it is. It first changes the name of the file to a random-
327 generated name of same length, calls sync (), then changes the name to
328 a random-generated name of maximal length.
329
330 File size wiping is implemented by repeatedly truncating the file to
331 half of its size, until it becomes empty; sync () is called between
332 such operations.
333
334 Note that it is still not possible to file creation date and permission
335 bits portably. A wipe utility working at the block device level could
336 be written using the ext2fs library.
337
339 Wipe was written by Berke Durak (to find my email address, just type
340 echo berke1ouvaton2org|tr 12 @. in a shell).
341
342 Wipe is released under the conditions of the GNU General Public
343 License.
344
346 /dev/random is used by default to seed the pseudo-random number genera‐
347 tors.
348
350 WIPE_SEEDPIPE If set, wipe will execute the command specified in it
351 (using popen()), and will hash the command's output with the MD5 mes‐
352 sage-digest algorythm to get a 128-bit seed for its PRNG. For example,
353 on systems lacking a /dev/random device, this variable might be set in
354 /etc/profile to a shell script which contains various commands such as
355 ls, ps, who, last, etc. and which are run asynchronously in order to
356 get an output as less predictable as possible.
357
359 open(2), fsync(2), sync(8), bdflush(2), update(8), random(3)
360
361
362
363Linu Wed Sep 20 17:32:02 CEST 2006 WIPE(1)