Man Pages

shred - phpMan shred - phpMan

Command: man perldoc info search(apropos)  


File: coreutils.info,  Node: shred invocation,  Prev: rm invocation,  Up: Basic operations

11.6 `shred': Remove files more securely
========================================

`shred' overwrites devices or files, to help prevent even very
expensive hardware from recovering the data.

   Ordinarily when you remove a file (*note rm invocation::), the data
is not actually destroyed.  Only the index listing where the file is
stored is destroyed, and the storage is made available for reuse.
There are undelete utilities that will attempt to reconstruct the index
and can bring the file back if the parts were not reused.

   On a busy system with a nearly-full drive, space can get reused in a
few seconds.  But there is no way to know for sure.  If you have
sensitive data, you may want to be sure that recovery is not possible
by actually overwriting the file with non-sensitive data.

   However, even after doing that, it is possible to take the disk back
to a laboratory and use a lot of sensitive (and expensive) equipment to
look for the faint "echoes" of the original data underneath the
overwritten data.  If the data has only been overwritten once, it's not
even that hard.

   The best way to remove something irretrievably is to destroy the
media it's on with acid, melt it down, or the like.  For cheap
removable media like floppy disks, this is the preferred method.
However, hard drives are expensive and hard to melt, so the `shred'
utility tries to achieve a similar effect non-destructively.

   This uses many overwrite passes, with the data patterns chosen to
maximize the damage they do to the old data.  While this will work on
floppies, the patterns are designed for best effect on hard drives.
For more details, see the source code and Peter Gutmann's paper `Secure
Deletion of Data from Magnetic and Solid-State Memory'
(http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html), from the
proceedings of the Sixth USENIX Security Symposium (San Jose,
California, July 22-25, 1996).

   *Please note* that `shred' relies on a very important assumption:
that the file system overwrites data in place.  This is the traditional
way to do things, but many modern file system designs do not satisfy
this assumption.  Exceptions include:

   * Log-structured or journaled file systems, such as those supplied
     with AIX and Solaris, and JFS, ReiserFS, XFS, Ext3 (in
     `data=journal' mode), BFS, NTFS, etc. when they are configured to
     journal _data_.

   * File systems that write redundant data and carry on even if some
     writes fail, such as RAID-based file systems.

   * File systems that make snapshots, such as Network Appliance's NFS
     server.

   * File systems that cache in temporary locations, such as NFS
     version 3 clients.

   * Compressed file systems.

   In the particular case of ext3 file systems, the above disclaimer
applies (and `shred' is thus of limited effectiveness) only in
`data=journal' mode, which journals file data in addition to just
metadata. In both the `data=ordered' (default) and `data=writeback'
modes, `shred' works as usual.  Ext3 journaling modes can be changed by
adding the `data=something' option to the mount options for a
particular file system in the `/etc/fstab' file, as documented in the
mount man page (man mount).

   If you are not sure how your file system operates, then you should
assume that it does not overwrite data in place, which means that shred
cannot reliably operate on regular files in your file system.

   Generally speaking, it is more reliable to shred a device than a
file, since this bypasses the problem of file system design mentioned
above.  However, even shredding devices is not always completely
reliable.  For example, most disks map out bad sectors invisibly to the
application; if the bad sectors contain sensitive data, `shred' won't
be able to destroy it.

   `shred' makes no attempt to detect or report this problem, just as
it makes no attempt to do anything about backups.  However, since it is
more reliable to shred devices than files, `shred' by default does not
truncate or remove the output file.  This default is more suitable for
devices, which typically cannot be truncated and should not be removed.

   Finally, consider the risk of backups and mirrors.  File system
backups and remote mirrors may contain copies of the file that cannot
be removed, and that will allow a shredded file to be recovered later.
So if you keep any data you may later want to destroy using `shred', be
sure that it is not backed up or mirrored.

     shred [OPTION]... FILE[...]

   The program accepts the following options.  Also see *note Common
options::.

`-f'
`--force'
     Override file permissions if necessary to allow overwriting.

`-NUMBER'
`-n NUMBER'
`--iterations=NUMBER'
     By default, `shred' uses 3 passes of overwrite. You can reduce
     this to save time, or increase it if you think it's appropriate.
     After 25 passes all of the internal overwrite patterns will have
     been used at least once.

`--random-source=FILE'
     Use FILE as a source of random data used to overwrite and to
     choose pass ordering.  *Note Random sources::.

`-s BYTES'
`--size=BYTES'
     Shred the first BYTES bytes of the file.  The default is to shred
     the whole file.  BYTES can be followed by a size specification like
     `K', `M', or `G' to specify a multiple.  *Note Block size::.

`-u'
`--remove'
     After shredding a file, truncate it (if possible) and then remove
     it.  If a file has multiple links, only the named links will be
     removed.

`-v'
`--verbose'
     Display to standard error all status updates as sterilization
     proceeds.

`-x'
`--exact'
     By default, `shred' rounds the size of a regular file up to the
     next multiple of the file system block size to fully erase the
     last block of the file.  Use `--exact' to suppress that behavior.
     Thus, by default if you shred a 10-byte regular file on a system
     with 512-byte blocks, the resulting file will be 512 bytes long.
     With this option, shred does not increase the apparent size of the
     file.

`-z'
`--zero'
     Normally, the last pass that `shred' writes is made up of random
     data.  If this would be conspicuous on your hard drive (for
     example, because it looks like encrypted data), or you just think
     it's tidier, the `--zero' option adds an additional overwrite pass
     with all zero bits.  This is in addition to the number of passes
     specified by the `--iterations' option.


   You might use the following command to erase all trace of the file
system you'd created on the floppy disk in your first drive.  That
command takes about 20 minutes to erase a "1.44MB" (actually 1440 KiB)
floppy.

     shred --verbose /dev/fd0

   Similarly, to erase all data on a selected partition of your hard
disk, you could give a command like this:

     shred --verbose /dev/sda5

   A FILE of `-' denotes standard output.  The intended use of this is
to shred a removed temporary file.  For example:

     i=`tempfile -m 0600`
     exec 3<>"$i"
     rm -- "$i"
     echo "Hello, world" >&3
     shred - >&3
     exec 3>-

   However, the command `shred - >file' does not shred the contents of
FILE, since the shell truncates FILE before invoking `shred'.  Use the
command `shred file' or (if using a Bourne-compatible shell) the
command `shred - 1<>file' instead.

   An exit status of zero indicates success, and a nonzero value
indicates failure.