Shredding files on Linux

The rm command easily makes files disappear from our file listings, but what does it actually do and how can we ensure that files are unlikely to be recoverable?

A little background on Linux file removal

To understand what happens when you remove a file from a Linux system with rm, first think about inodes — those intriguing data structures that keep track of all of a file’s attributes (often called “metadata”) — that describe the file. This includes its name, its owner and group, what permissions have been established, and where the file’s contents can be found on the disk.

Next, think about Linux directories. While they take the appearance and character of folders (i.e., merely containers for holding files), they are actually files themselves — files that include no more than the names and inode numbers of the files they “contain.” So, what we get is a convenient way to think about directories and files in the same way you might think about the folders and paperwork in your file cabinets (if any of you still have one of those).

Your files’ content is actually stored, often in chunks, elsewhere on your disk. So, when you remove a file, the file’s inode is freed up and the directory file adjusted to remove its references to the file just deleted. The file’s data will still be sitting on disk locations that will eventually be made available for reuse.

How and when to shred Linux files

Most of the time, it likely doesn’t matter that the content of erased files will still be sitting on your disk. They’re often files you just don’t need anymore — last month’s weekly reports, prior versions of scripts that have since been replaced with better ones, and such. When it does matter, there are a number of tools that you can use to reduce the possibity that someone else might recover them.

shred

The shred command will overwrite a file and, optionally, delete it as well. The overwriting will ensure that the data blocks that contain the old content now have different content. Notice how, by default, the content is overwitten in multiple passes. The options used below include z (add a final overwrite with zeroes), v (verbose — display what is happening), and u (truncate and then remove the file after the overwriting is completed). This makes for a serious overwrite of the file’s content.

$ shred -zvu passwords-save
shred: passwords-save: pass 1/4 (random)...
shred: passwords-save: pass 2/4 (random)...
shred: passwords-save: pass 3/4 (random)...
shred: passwords-save: pass 4/4 (000000)...
shred: passwords-save: removing
shred: passwords-save: renamed to 00000000000000
shred: passwords-save: removed

wipe

The wipe works only for magnetic media, not solid-state disks. It works against something called “magnetic force microscopy” that allows others to recover the last two or three “layers” of data that might have been written to your disk, but it works only with magnetic media, not solid-state disks — and not all disks qualify. You can determine what kind of disks your system has and whether wipe can work with them by looking at the output from this command where 0 = SSD and 1 = HDD (magnetic):

$ cat /sys/block/sda/queue/rotational
0

Here’s an example of the wipe command at work:

$ wipe -rfi temp
Entering directory 'temp'
Wiping mno, pass 34 (34)
File mno (340 bytes) wiped
Wiping fileA, pass 34 (0 )
File fileA (808 bytes) wiped
Wiping klm, pass 34 (0 )
File klm (1056 bytes) wiped
Wiping lmn, pass 34 (0 )
File lmn (3827 bytes) wiped
Wiping fileC, pass 34 (0 )
File fileC (842 bytes) wiped
Wiping myfiles.tar, pass 34 (0 )
File myfiles.tar (122880 bytes) wiped
Wiping fileB, pass 34 (0 )
File fileB (5092 bytes) wiped
Going back to directory /home/shs
Operation finished.
7 files wiped and 0 special files ignored in 1 directory, 0 symlinks removed but not followed, 0 errors occurred.

In this example, r will get the wipe command to recurse into directories if they exist, f avoids having to confirm each file’s demise, and i makes the command run verbosely (think of this as “i” for “informative”).

secure-delete

Another tool for serious file deletion is referred to as “secure-delete”, though the command that the package will add to your system is called srm as in “secure rm”.

Here’s an example of using this tool:

$ srm -vz BoD_meeting
Using /dev/urandom for random input.
Wipe mode is secure (38 special passes)
Wiping BoD_meeting ************************************** Removed file BoD_meeting ... Done

Note how many passes were made to ensure the secure removal of the file.

Checking up on your file removals

Since there are several choices for how to securely remove files from Linux systems, I decided to run a simple test — making several copies of the same file and securely removing them with each of the three tools discussed above. I used a tool called foremost to try to recover files of the same type from the affected partition.

$ shred -zvu penguin1.png
$ wipe -fi penguin2.png
$ srm -vz penguin3.png
$ sudo foremost -i /dev/sda1 -t png -o /root/rescued
Processing: /dev/sda1
|*******************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
********************************************************************************
**************************|

The foremost command took several minutes to run, but it gave me a chance to grab another cup of coffee before sitting back at my desk a few minutes later. To my surprise, this command found more than 51,000 png files (maybe because I had purchased my Ubuntu system second hand). In any case, one point to remember is that files pulled from your disk during a recovery process will not have their original names, since those were lost when the affected directory file was modified along with the file deletion. Instead, your recovered files will have names like 105210720.png.

The foremost command has options for selecting the type of file you want to recover (including “all”). Check the man page for details. And keep in mind that it cannot limit your search to a particular directory because, at this point, directories are no longer relevant.

You might be pleased to know that I didn’t spot any penguins in my recovered files though perusing 51,000 files is quite mind-numbing.

A note of caution

If you are inclined to experiment with shredding, wiping or securely removing files from a system and then using a tool like foremost to see what can be recovered, consider recovering the files to separate media or at least don’t simply remove the files when you’re done examining them or you’ll basically double the number of files you’ll be recovering during your next experimental pass. The recovered files are independent of the original files even though they have the same content.