SCRUB(1)                             SCRUB                            SCRUB(1)

NAME

       scrub - write patterns on disk/file

SYNOPSIS

       scrub [-p nnsa|dod|bsi|old|fastold] [-b blocksize] [-f] [-S] [-X]
             [-D newname] [-s size] file

DESCRIPTION

       Scrub iteratively writes patterns on files or disk devices to make
       retrieving the data more difficult.  Scrub operates in one of three
       modes:

       1) The special file corresponding to an entire disk is scrubbed and
       all data on it is destroyed.  This mode is selected if file is a
       character or block special file.  This is the most effective method.

       2) A regular file is scrubbed and only the data in the file (and
       optionally its name in the directory entry) is destroyed.  The file
       size is rounded up to fill out the last file system block, so the
       slack space between the end of the file and the end of that block is
       overwritten as well.  This mode is selected if file is a regular
       file.  See CAVEATS below.

       3) file is created, expanded until the file system is full (write(2)
       returns ENOSPC), then scrubbed as in 2).  This fills and overwrites
       the file system's free blocks.  This mode is selected with the -X
       option.  See CAVEATS below.

       Scrub accepts the following options:

       -p nnsa|dod|bsi|old|fastold
              Select the patterns to write.  nnsa selects patterns compliant
              with NNSA Policy Letter NAP-14.x; dod selects patterns
              compliant with DoD 5220.22-M; bsi selects patterns recommended
              by the German Federal Office for Information Security
              (Bundesamt für Sicherheit in der Informationstechnik, BSI,
              http://www.bsi.bund.de); old selects pre-version 1.7 scrub
              patterns; and fastold is old without the random pass.  See
              STANDARDS below for more detail.  Default: nnsa.

       -b blocksize
              Perform read(2) and write(2) calls using the specified
              blocksize (in bytes).  K, M, or G may be appended to the
              number to change the units to KiBytes, MiBytes, or GiBytes,
              respectively.  Default: 1M.

       -f     Scrub even if the target contains a signature indicating it
              has already been scrubbed.

       -S     Do not write the scrub signature.  Scrub will then be unable
              to ascertain whether the disk has already been scrubbed.

       -X     Create the specified regular file and keep appending to it
              until write(2) returns ENOSPC (file system full), then scrub
              it as usual.

       -D newname
              After scrubbing the file, scrub its name in the directory
              entry, then rename it to the new name.  The scrub patterns
              used on the directory entry are constrained by the operating
              system (a file name cannot contain arbitrary bytes such as
              NUL or '/') and thus are not compliant with the cited
              standards.

       -s size
              Override the device size (in bytes).  Without this option,
              scrub determines media capacity using OS-specific ioctl(2)
              calls.  K, M, or G may be appended to the number to change
              the units to KiBytes, MiBytes, or GiBytes, respectively.

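       The mode selection and size determination described above, as an
       added example in Python (not scrub's own source).  It classifies the
       target by file type as the three modes require, reads a block
       device's capacity with Linux's BLKGETSIZE64 ioctl (the page only
       says "OS-specific ioctl(2) calls"; the ioctl number is Linux's),
       honours an -s style override, rounds a regular file's size up to its
       file system block, and implements the -X append-until-ENOSPC loop
       against a constructed, capacity-limited writer.  All function names
       are this example's own.

```python
"""Target classification and size determination, as scrub(1) describes.

Added example; not scrub's source.  Mode 1 (special file), mode 2
(regular file, size rounded up to the file system block) and mode 3
(-X, grow until ENOSPC).  BLKGETSIZE64 is Linux's ioctl; scrub itself
uses whatever the host OS provides.
"""
import errno
import fcntl
import os
import stat
import struct
import tempfile

BLKGETSIZE64 = 0x80081272  # <linux/fs.h>: device size in bytes as a u64


def select_mode(path, fill_free_space=False):
    """'device' (mode 1), 'file' (mode 2) or 'fill' (mode 3, -X)."""
    if fill_free_space:
        return "fill"
    st = os.stat(path)
    if stat.S_ISBLK(st.st_mode) or stat.S_ISCHR(st.st_mode):
        return "device"
    if stat.S_ISREG(st.st_mode):
        return "file"
    raise ValueError(f"{path}: neither a regular file nor a special file")


def round_up(n, block):
    """Round n up to the next multiple of block (block > 0)."""
    return -(-n // block) * block


def device_size(fd):
    """Block device capacity in bytes via BLKGETSIZE64 (Linux only)."""
    return struct.unpack("Q", fcntl.ioctl(fd, BLKGETSIZE64, b"\0" * 8))[0]


def scrub_extent(path, size_override=None):
    """Bytes to overwrite for mode 1 or mode 2.

    Devices: the -s override if given, else the ioctl.  Regular files:
    st_size rounded up to the file system's fragment size, so the slack
    after EOF in the last allocated block is overwritten too.
    """
    mode = select_mode(path)
    fd = os.open(path, os.O_RDONLY)
    try:
        if mode == "device":
            if size_override is not None:
                return size_override
            try:
                return device_size(fd)
            except OSError as e:
                # e.g. a character device like /dev/null has no capacity
                raise OSError(e.errno, f"{path}: size unknown, use -s") from e
        st, vfs = os.fstat(fd), os.fstatvfs(fd)
        return round_up(st.st_size, vfs.f_frsize or vfs.f_bsize)
    finally:
        os.close(fd)


def grow_until_enospc(write, blocksize=1 << 20):
    """Mode 3: append zero blocks through write(data)->int until ENOSPC.

    write behaves like os.write: it may return a short count when the file
    system is nearly full and raises OSError(ENOSPC) once it is full.
    Returns the number of bytes appended, i.e. the extent to scrub next.
    """
    total, block = 0, b"\0" * blocksize
    while True:
        try:
            n = write(block)
        except OSError as e:
            if e.errno == errno.ENOSPC:
                return total
            raise
        if n == 0:
            return total
        total += n


class FakeFullFs:
    """Constructed stand-in for a nearly full file system (test data only)."""

    def __init__(self, capacity):
        self.capacity, self.used = capacity, 0

    def write(self, data):
        if self.used >= self.capacity:
            raise OSError(errno.ENOSPC, "No space left on device")
        n = min(len(data), self.capacity - self.used)  # short write at the end
        self.used += n
        return n


def demo_fill(capacity, blocksize):
    """Bytes -X would append to a file system with `capacity` bytes free."""
    return grow_until_enospc(FakeFullFs(capacity).write, blocksize)


def demo_regular_file(nbytes):
    """Create a temporary regular file of nbytes; return (mode, extent)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"x" * nbytes)
    try:
        return select_mode(tmp.name), scrub_extent(tmp.name)
    finally:
        os.unlink(tmp.name)
```

       demo_regular_file(1000) returns ("file", 4096) on a file system
       with 4 KiB blocks; demo_fill(2500, 1000) returns 2500 after two full
       writes, one short write and an ENOSPC.  Note that for real devices
       mode 1 needs read access to the device node, and that no attempt is
       made here to refuse a mounted device; a practitioner would check
       that before destroying a disk.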

CAVEATS

       Scrub may be insufficient to thwart heroic efforts to recover data in
       an appropriately equipped lab.

       Scrub nnsa patterns are reasonable for sanitizing modern PRML/EPRML
       encoded disk devices.  For older MFM/RLL encoded drives, the shred(1)
       program from GNU coreutils does a more thorough and scientific (but
       more I/O intensive) job of secure deletion, as described in Gutmann
       below.

       Scrub makes no attempt to disable write caching on the disk device or
       to deal with spare blocks: sectors the drive has remapped as
       defective, and the over-provisioned, wear-leveled blocks of flash
       media (SSDs, USB sticks), are not reachable by overwriting through
       the block interface.  RAID and other more sophisticated storage
       devices may require special handling.

       The effectiveness of scrubbing regular files through a file system
       will be limited by the OS and file system.  File systems that are
       known to be problematic are journaled, log structured, copy-on-write,
       versioned, and network file systems, all of which may keep old copies
       of a file's blocks that an in-place overwrite never touches.  If in
       doubt, scrub the raw disk device.

       Scrubbing free blocks in a file system with the -X method is subject
       to the same caveats as scrubbing regular files, and in addition, is
       only useful to the extent the file system allows you to reallocate
       the target blocks as data blocks in a new file (root-reserved blocks
       and blocks still referenced by snapshots or a journal cannot be
       reallocated).  If in doubt, scrub the raw disk device.

       [MacOS X HFS file system] Scrub attempts to overwrite a file's
       resource fork if it exists.  Although MacOS X will support additional
       named forks in the future, scrub is only aware of the traditional
       data and resource forks.


STANDARDS

       The dod scrub sequence is compliant with the DoD 5220.22-M procedure
       for sanitizing removable and non-removable rigid disks, which
       requires overwriting all addressable locations with a character, its
       complement, then a random character, and verifying the result.
       Please refer to the DoD document for additional constraints.

       The nnsa (default) scrub sequence is compliant with a Dec. 2005 draft
       of NNSA Policy Letter NAP-14.x (see reference below) for sanitizing
       removable and non-removable hard disks, which requires overwriting
       all locations with a pseudorandom pattern twice and then with a known
       pattern.  Please refer to the NNSA document for additional
       constraints.

       Please consult local authorities regarding your site policy for disk
       sanitization.

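       The dod and nnsa pass sequences described above, and the -b
       blocksize read(2)/write(2) chunking from the options list, as an
       added example in Python.  This is not scrub's source and does not
       reproduce its exact byte values: the fixed bytes (0x00, 0xFF) and
       the use of a seeded PRNG for the random passes are this example's
       assumptions, chosen so that the final pass can be replayed and
       verified, which is the verify step DoD 5220.22-M requires.  The
       bsi, old and fastold sequences are not spelled out on this page and
       are not reproduced.

```python
"""The dod and nnsa overwrite sequences from scrub(1)'s STANDARDS section,
applied in blocksize-sized writes as its -b option describes.

Added example; not scrub's source and not its exact byte values.  Each
pass is written over [0, size) of a seekable binary file object, flushed,
and the final pass is re-read and compared against a replay of itself.
"""
import io
import os
import random

# (kind, value): 'fixed' repeats the byte, 'random' writes pseudorandom
# data reproducible from a per-pass seed so it can be verified afterwards.
PATTERN_SETS = {
    # DoD 5220.22-M: a character, its complement, a random character, verify
    "dod": [("fixed", 0x00), ("fixed", 0xFF), ("random", None)],
    # NNSA NAP-14.x draft: pseudorandom twice, then a known pattern
    "nnsa": [("random", None), ("random", None), ("fixed", 0x00)],
}


def make_gen(kind, value, seed):
    """Return gen(n) -> the next n bytes of this pass's data."""
    if kind == "fixed":
        return lambda n: bytes([value]) * n
    rng = random.Random(seed)  # seeded so the pass can be replayed for
    return lambda n: rng.randbytes(n)  # verification; not meant to be secret


def for_each_block(size, blocksize):
    """Yield (offset, length) covering [0, size) in blocksize steps."""
    off = 0
    while off < size:
        yield off, min(blocksize, size - off)
        off += blocksize


def write_pass(f, size, gen, blocksize):
    """Write one pass over the first size bytes of f, then flush to media."""
    f.seek(0)
    for _, n in for_each_block(size, blocksize):
        f.write(gen(n))
    f.flush()
    try:
        os.fsync(f.fileno())  # page cache -> device; on-drive cache untouched
    except (OSError, ValueError):
        pass  # in-memory objects such as BytesIO have nothing to sync


def verify_pass(f, size, gen, blocksize):
    """Re-read f and compare with a replay of the pass.

    Returns None if every block matches, else the offset of the first
    block that differs.
    """
    f.seek(0)
    for off, n in for_each_block(size, blocksize):
        if f.read(n) != gen(n):
            return off
    return None


def scrub(f, size, pattern_set="nnsa", blocksize=1 << 20):
    """Apply the named sequence to f[0:size] and verify the last pass.

    Returns the passes as (kind, byte-or-seed).  Raises RuntimeError if
    the read-back differs from what was written, which is what a write-back
    cache, a copy-on-write layer or a failing device would produce.
    """
    done = []
    for kind, value in PATTERN_SETS[pattern_set]:
        seed = int.from_bytes(os.urandom(8), "big") if kind == "random" else None
        write_pass(f, size, make_gen(kind, value, seed), blocksize)
        done.append((kind, value, seed))
    kind, value, seed = done[-1]
    bad = verify_pass(f, size, make_gen(kind, value, seed), blocksize)
    if bad is not None:
        raise RuntimeError(f"verify failed at offset {bad}")
    return [(k, v if k == "fixed" else s) for k, v, s in done]


def demo(pattern_set, size=5000, blocksize=1024):
    """Scrub a constructed in-memory 'file' of recognisable content.

    Returns (passes, final bytes) so the result can be inspected.
    """
    f = io.BytesIO(b"SECRET" * (size // 6) + b"!" * (size % 6))
    passes = scrub(f, size, pattern_set, blocksize)
    return passes, f.getvalue()
```

       For a real target, open it with open(path, "r+b") and pass the
       extent to overwrite (a regular file's size rounded up to its file
       system block, or the device capacity) as size; the verify step only
       proves that what the OS hands back matches what was written, not
       that every physical location on the media was reached.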

AUTHOR

       Jim Garlick <garlick@llnl.gov>

       This work was produced at the University of California, Lawrence
       Livermore National Laboratory under Contract No. W-7405-ENG-48 with
       the DOE.  Designated UCRL-CODE-2003-006, scrub is licensed under the
       terms of the GNU General Public License.


SEE ALSO

       DoD 5220.22-M, "National Industrial Security Program Operating
       Manual", Chapter 8, 01/1995.

       NNSA Policy Letter NAP-14.x, "Clearing, Sanitizing, and Destroying
       Information System Storage Media, Memory Devices, and other Related
       Hardware", Unpublished Draft, 2005.

       "Secure Deletion of Data from Magnetic and Solid-State Memory", by
       Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
       22-25, 1996.

       Darik's Boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html

       shred(1)



LLNL                              Release 1.7                         SCRUB(1)