scrub(1)                            scrub                            scrub(1)

NAME
       scrub - write patterns on disk/file

SYNOPSIS
       scrub [OPTIONS] special-file [special-file ...]
       scrub [OPTIONS] file [file ...]
       scrub -X [OPTIONS] directory

DESCRIPTION
       Scrub iteratively writes patterns on files or disk devices to make
       retrieving the data more difficult.  Scrub operates in one of three
       modes:

       1) The special file corresponding to an entire disk is scrubbed and all
       data on it is destroyed.  This mode is selected if file is a character
       or block special file.  This is the most effective method.

       2) A regular file is scrubbed and only the data in the file (and
       optionally its name in the directory entry) is destroyed.  The file
       size is rounded up to fill out the last file system block.  This mode
       is selected if file is a regular file.  See CAVEATS below.

       3) The named directory is created and filled with files until the file
       system is full, then the files are scrubbed as in 2).  This mode is
       selected with the -X option.  See CAVEATS below.

OPTIONS
       Scrub accepts the following options:

       -v, --version
              Print scrub version and exit.

       -r, --remove
              Remove the file after scrubbing.

       -p, --pattern PATTERN
              Select the patterns to write.  See SCRUB METHODS below.  The
              default, nnsa, is reasonable for sanitizing modern PRML/EPRML
              encoded disk devices.

       -b, --blocksize blocksize
              Perform read(2) and write(2) calls using the specified blocksize
              (in bytes).  K, M, or G may be appended to the number to change
              the units to KiBytes, MiBytes, or GiBytes, respectively.
              Default: 4M.

       -f, --force
              Scrub even if the target contains a signature indicating it has
              already been scrubbed.

       -S, --no-signature
              Do not write the scrub signature.  Later, scrub will not be able
              to ascertain whether the disk has already been scrubbed.

       -X, --freespace
              Create the specified directory and fill it with files until
              write returns ENOSPC (file system full), then scrub the files as
              usual.  The size of each file can be set with -s; otherwise it
              will be the maximum file size creatable given the user's file
              size limit, or 1g if unlimited.

       -D, --dirent newname
              After scrubbing the file, scrub its name in the directory entry,
              then rename it to the new name.  The scrub patterns used on the
              directory entry are constrained by the operating system and thus
              are not compliant with the cited standards.  This option only
              works with a single target.

       -s, --device-size size
              Override the device size (in bytes).  Without this option, scrub
              determines media capacity using OS-specific ioctl(2) calls.  K,
              M, or G may be appended to the number to change the units to
              KiBytes, MiBytes, or GiBytes, respectively.

       -L, --no-link
              If file is a symbolic link, do not scrub the link target.  Do
              remove the link, however, if --remove is specified.

       -R, --no-hwrand
              Don't use a hardware random number generator even if one is
              available.

       -t, --no-threads
              Don't generate random data in parallel with I/O.

       -n, --dry-run
              Do everything but write to targets.

       -h, --help
              Print a summary of command line options on stderr.

       -E, --extent-only
              When scrubbing regular files, scrub only the file extents.  This
              option is useful in combination with large sparse files: if
              used, scrub will skip the holes in the sparse file.  Use this
              option with caution.  The result may not be compliant with the
              cited standards, and information about the actual on-disk data
              allocation may leak, since only the allocated parts are
              scrubbed.

SCRUB METHODS
       nnsa   4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing
              removable and non-removable hard disks, which requires
              overwriting all locations with a pseudorandom pattern twice and
              then with a known pattern: random(x2), 0x00, verify.

       dod    4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing
              removable and non-removable rigid disks, which requires
              overwriting all addressable locations with a character, its
              complement, a random character, then verify.  NOTE: scrub
              performs the random pass first to make verification easier:
              random, 0x00, 0xff, verify.

       bsi    9-pass method recommended by the German Center of Security in
              Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe,
              0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.

       gutmann
              The canonical 35-pass sequence described in Gutmann's paper
              cited below.

       schneier
              7-pass method described by Bruce Schneier in "Applied
              Cryptography" (1996): 0x00, 0xff, random(x5).

       pfitzner7
              Roy Pfitzner's 7-random-pass method: random(x7).

       pfitzner33
              Roy Pfitzner's 33-random-pass method: random(x33).

       usarmy US Army AR380-19 method: 0x00, 0xff, random.  (Note: identical
              to DoD 5220.22-M section 8-306 procedure (e) for sanitizing
              magnetic core memory.)

       fillzero
              1-pass pattern: 0x00.

       fillff 1-pass pattern: 0xff.

       random 1-pass pattern: random(x1).

       random2
              2-pass pattern: random(x2).

       old    6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00,
              0x55, verify.

       fastold
              5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.

       custom=string
              1-pass custom pattern.  String may contain C-style numerical
              escapes: \nnn (octal) or \xnn (hex).
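       As an added example (not scrub's own source), the C below decodes a
       custom=string pattern with the \nnn and \xnn escapes described above
       and tiles it across a write block, as a single custom pass must cover
       every byte; decode_pattern and fill_block are hypothetical names, and
       this decoder accepts at most two hex digits per \x escape.

```c
/* Added example, not scrub's own source: decode a "custom=STRING" pattern
 * with C-style \nnn (octal) and \xnn (hex) escapes, then tile it across a
 * write block the way the 0xffaa example repeats 0xff 0xaa over a file. */
#include <ctype.h>
#include <stddef.h>

/* Decode escapes into raw bytes. Returns the byte count, or -1 if the string
 * is malformed: unknown escape, "\x" without digits, octal value > 0xff. */
static int decode_pattern(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    while (*s) {
        if (n >= outlen)
            return -1;                    /* caller's buffer is full */
        if (*s != '\\') {                 /* plain literal byte */
            out[n++] = (unsigned char)*s++;
            continue;
        }
        s++;                              /* skip the backslash */
        if (*s == 'x') {                  /* \xnn: one or two hex digits */
            int v = 0, d = 0;
            for (s++; d < 2 && isxdigit((unsigned char)*s); s++, d++)
                v = v * 16 + (isdigit((unsigned char)*s) ? *s - '0'
                              : tolower((unsigned char)*s) - 'a' + 10);
            if (d == 0)
                return -1;                /* "\x" with no digits */
            out[n++] = (unsigned char)v;
        } else if (*s >= '0' && *s <= '7') { /* \nnn: one to three octal digits */
            int v = 0, d = 0;
            for (; d < 3 && *s >= '0' && *s <= '7'; s++, d++)
                v = v * 8 + (*s - '0');
            if (v > 0xff)
                return -1;                /* e.g. \777 does not fit a byte */
            out[n++] = (unsigned char)v;
        } else {
            return -1;                    /* unknown escape or trailing '\' */
        }
    }
    return (int)n;
}

/* Tile the decoded pattern over a block so every byte is covered even when
 * the pattern length does not divide the block size. */
static void fill_block(unsigned char *blk, size_t blklen,
                       const unsigned char *pat, size_t patlen)
{
    for (size_t i = 0; i < blklen; i++)
        blk[i] = pat[i % patlen];
}
```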
158
CAVEATS
       Scrub may be insufficient to thwart heroic efforts to recover data in
       an appropriately equipped lab.  If you need this level of protection,
       physical destruction is your best bet.

       The effectiveness of scrubbing regular files through a file system will
       be limited by the OS and file system.  File systems that are known to
       be problematic are journaled, log-structured, copy-on-write, versioned,
       and network file systems.  If in doubt, scrub the raw disk device.

       Scrubbing free blocks in a file system with the -X method is subject to
       the same caveats as scrubbing regular files, and in addition is only
       useful to the extent the file system allows you to reallocate the
       target blocks as data blocks in a new file.  If in doubt, scrub the raw
       disk device.

       On the MacOS X HFS file system, scrub attempts to overwrite a file's
       resource fork if it exists.  Although MacOS X claims it will support
       additional named forks in the future, scrub is only aware of the
       traditional data and resource forks.

       Scrub cannot access disk blocks that have been spared out by the disk
       controller.  For SATA/PATA drives, the ATA "security erase" command
       built into the drive controller can do this.  Similarly, the ATA
       "enhanced security erase" can erase data on track edges and between
       tracks.  The DOS utility HDDERASE from the UCSD Center for Magnetic
       Recording Research can issue these commands, as can modern versions of
       Linux hdparm.  Unfortunately, the analogous SCSI command is optional
       according to T-10, and not widely implemented.

188
EXAMPLES
       To scrub a raw device /dev/sdf1 with the default NNSA patterns:

           # scrub /dev/sdf1
           scrub: using NNSA NAP-14.1-C patterns
           scrub: please verify that device size below is correct!
           scrub: scrubbing /dev/sdf1 1995650048 bytes (~1GB)
           scrub: random  |................................................|
           scrub: random  |................................................|
           scrub: 0x00    |................................................|
           scrub: verify  |................................................|

       To scrub the file /tmp/scrubme with a repeating sequence of 0xff 0xaa
       bytes:

           # scrub -p custom="\xff\xaa" /tmp/scrubme
           scrub: using Custom single-pass patterns
           scrub: scrubbing /tmp/scrubme 78319616 bytes (~74MB)
           scrub: 0xffaa  |................................................|

207
AUTHOR
       Jim Garlick <garlick@llnl.gov>

       This work was produced at the University of California, Lawrence
       Livermore National Laboratory under Contract No. W-7405-ENG-48 with the
       DOE.  Designated UCRL-CODE-2003-006, scrub is licensed under the terms
       of the GNU General Public License.

215
REFERENCES
       DoD 5220.22-M, "National Industrial Security Program Operating Manual",
       Chapter 8, 01/1995.

       NNSA Policy Letter: NAP-14.1-C, "Clearing, Sanitizing, and Destroying
       Information System Storage Media, Memory Devices, and other Related
       Hardware", 05-02-08, page XVI-8.

       "Secure Deletion of Data from Magnetic and Solid-State Memory", by
       Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
       22-25, 1996.

       "Gutmann Method", Wikipedia,
       http://en.wikipedia.org/wiki/Gutmann_method.

       Darik's Boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html

       "Tutorial on Disk Drive Data Sanitization", by Gordon Hughes and Tom
       Coughlin, http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf.

       "Guidelines for Media Sanitization", NIST Special Publication 800-88,
       Kissel et al., September 2006.

SEE ALSO
       shred(1), hdparm(8)

scrub-2.6.1                      2014-08-26                         scrub(1)