On Linux, files can be erased but still be recoverable. Here's what to do when you really want them gone.

Credit: James West

The rm command easily makes files disappear from our file listings, but what does it actually do and how can we ensure that files are unlikely to be recoverable?

A little background on Linux file removal

To understand what happens when you remove a file from a Linux system with rm, first think about inodes, those intriguing data structures that keep track of all of the attributes (often called “metadata”) that describe a file. This includes its name, its owner and group, what permissions have been established, and where the file’s contents can be found on the disk.

Next, think about Linux directories. While they take the appearance and character of folders (i.e., merely containers for holding files), they are actually files themselves — files that include no more than the names and inode numbers of the files they “contain.”

So, what we get is a convenient way to think about directories and files in the same way you might think about the folders and paperwork in your file cabinets (if any of you still have one of those). Your files’ content is actually stored, often in chunks, elsewhere on your disk.

So, when you remove a file, the file’s inode is freed up and the directory file is adjusted to remove its references to the file just deleted. The file’s data will still be sitting on disk locations that will eventually be made available for reuse.

How and when to shred Linux files

Most of the time, it likely doesn’t matter that the content of erased files will still be sitting on your disk. They’re often files you just don’t need anymore — last month’s weekly reports, prior versions of scripts that have since been replaced with better ones, and such. When it does matter, there are a number of tools that you can use to reduce the possibility that someone else might recover them.

shred

The shred command will overwrite a file and, optionally, delete it as well. The overwriting will ensure that the data blocks that contain the old content now have different content. Notice how, by default, the content is overwritten in multiple passes. The options used below include z (add a final overwrite with zeroes), v (verbose — display what is happening), and u (truncate and then remove the file after the overwriting is completed). This makes for a serious overwrite of the file’s content.

    $ shred -zvu passwords-save
    shred: passwords-save: pass 1/4 (random)...
    shred: passwords-save: pass 2/4 (random)...
    shred: passwords-save: pass 3/4 (random)...
    shred: passwords-save: pass 4/4 (000000)...
    shred: passwords-save: removing
    shred: passwords-save: renamed to 00000000000000
    shred: passwords-save: removed

wipe

The wipe command works only for magnetic media, not solid-state disks. It is meant to work against something called “magnetic force microscopy”, which allows others to recover the last two or three “layers” of data that might have been written to your disk, and not all disks qualify. You can determine what kind of disks your system has and whether wipe can work with them by looking at the output from this command, where 0 = SSD and 1 = HDD (magnetic):

    $ cat /sys/block/sda/queue/rotational
    0

Here’s an example of the wipe command at work:

    $ wipe -rfi temp
    Entering directory 'temp'
    Wiping mno, pass 34 (34)
    File mno (340 bytes) wiped
    Wiping fileA, pass 34 (0 )
    File fileA (808 bytes) wiped
    Wiping klm, pass 34 (0 )
    File klm (1056 bytes) wiped
    Wiping lmn, pass 34 (0 )
    File lmn (3827 bytes) wiped
    Wiping fileC, pass 34 (0 )
    File fileC (842 bytes) wiped
    Wiping myfiles.tar, pass 34 (0 )
    File myfiles.tar (122880 bytes) wiped
    Wiping fileB, pass 34 (0 )
    File fileB (5092 bytes) wiped
    Going back to directory /home/shs
    Operation finished.
    7 files wiped and 0 special files ignored in 1 directory, 0 symlinks removed but not followed, 0 errors occurred.

In this example, r will get the wipe command to recurse into directories if they exist, f avoids having to confirm each file’s demise, and i makes the command run verbosely (think of this as “i” for “informative”).

secure-delete

Another tool for serious file deletion is referred to as “secure-delete”, though the command that the package will add to your system is called srm as in “secure rm”. Here’s an example of using this tool:

    $ srm -vz BoD_meeting
    Using /dev/urandom for random input.
    Wipe mode is secure (38 special passes)
    Wiping BoD_meeting ************************************** Removed file BoD_meeting ... Done

Note how many passes were made to ensure the secure removal of the file.

Checking up on your file removals

Since there are several choices for how to securely remove files from Linux systems, I decided to run a simple test — making several copies of the same file and securely removing them with each of the three tools discussed above. I used a tool called foremost to try to recover files of the same type from the affected partition.

    $ shred -zvu penguin1.png
    $ wipe -fi penguin2.png
    $ srm -vz penguin3.png
    $ sudo foremost -i /dev/sda1 -t png -o /root/rescued
    Processing: /dev/sda1
    |*******************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    ********************************************************************************
    **************************|

The foremost command took several minutes to run, but it gave me a chance to grab another cup of coffee before sitting back at my desk a few minutes later. To my surprise, this command found more than 51,000 png files (maybe because I had purchased my Ubuntu system second hand).

In any case, one point to remember is that files pulled from your disk during a recovery process will not have their original names, since those were lost when the affected directory file was modified along with the file deletion. Instead, your recovered files will have names like 105210720.png.

The foremost command has options for selecting the type of file you want to recover (including “all”).
Check the man page for details. And keep in mind that it cannot limit your search to a particular directory because, at this point, directories are no longer relevant.

You might be pleased to know that I didn’t spot any penguins in my recovered files though perusing 51,000 files is quite mind-numbing.

A note of caution

If you are inclined to experiment with shredding, wiping or securely removing files from a system and then using a tool like foremost to see what can be recovered, consider recovering the files to separate media or at least don’t simply remove the files when you’re done examining them or you’ll basically double the number of files you’ll be recovering during your next experimental pass. The recovered files are independent of the original files even though they have the same content.
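
The rotational check from the wipe section, as an added example that is not part of the original article: it generalizes the hard-coded /sys/block/sda lookup by finding the device that holds a given file and then the whole disk that device belongs to. The function names and the optional sysfs-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). The SYSFS_ROOT arguments are a
# hypothetical hook for exercising the logic; they default to the real /sys.

# device_for_file FILE -> block device holding FILE (e.g. /dev/sda1).
device_for_file() {
    src=$(df -P "$1" | awk 'NR==2 {print $1}')
    case $src in
        /dev/*) readlink -f "$src" ;;   # /dev/mapper/x -> /dev/dm-N
        *)      printf '%s\n' "$src" ;; # tmpfs, overlay, network mounts
    esac
}

# parent_disk NAME [SYSFS_ROOT] -> whole-disk name (sda1 -> sda).
parent_disk() {
    name=${1#/dev/}
    root=${2:-/sys}
    [ -n "$name" ] || return 1
    # A whole disk has its own directory directly under block/.
    if [ -d "$root/block/$name" ]; then
        printf '%s\n' "$name"
        return 0
    fi
    # A partition appears as a subdirectory of its parent disk.
    for disk in "$root"/block/*; do
        if [ -d "$disk/$name" ]; then
            printf '%s\n' "${disk##*/}"
            return 0
        fi
    done
    return 1
}

# media_type NAME [SYSFS_ROOT] -> "hdd", "ssd" or "unknown".
media_type() {
    root=${2:-/sys}
    disk=$(parent_disk "$1" "$root") || { echo unknown; return 1; }
    flag="$root/block/$disk/queue/rotational"
    [ -r "$flag" ] || { echo unknown; return 1; }
    case $(cat "$flag") in
        1) echo hdd ;;   # rotational: overwrite tools such as wipe apply
        0) echo ssd ;;   # non-rotational: the article says wipe does not
        *) echo unknown; return 1 ;;
    esac
}

# Run as: sh media_type.sh /path/to/file
[ "$#" -eq 0 ] || media_type "$(device_for_file "$1")"
```

Virtual disks can report a flag that does not match the physical medium underneath, so treat the answer as a hint rather than proof.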