Using Scrub command to secure erase data in RedHat Linux

Sometimes you need to securely wipe data in Linux, whether a whole disk, a partition or a single file. There are other built-in tools that can do this, but the tool below covers the most standards. If a client asked me to wipe their data with some type of certified algorithm, I would go with the tool below, as it meets the DoD 5220.22-M standard.

Scrub iteratively writes patterns on files or disk devices to make retrieving the data more difficult. Scrub operates in one of three modes: (1) the special file for an entire disk or partition is scrubbed and all data on it is destroyed; (2) a regular file is scrubbed and only the data in the file (and optionally its name in the directory entry) is destroyed; (3) a regular file is created and expanded until the file system is full, then scrubbed as in (2).

Secure Erase a File with scrub

[root@localhost test2]# scrub -r -p dod /tmp/test.txt
scrub: using DoD 5220.22-M patterns
scrub: padding /tmp/test.txt with 4087 bytes to fill last fs block
scrub: scrubbing /tmp/test.txt 4096 bytes (~4KB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|
scrub: unlinking /tmp/test.txt

Secure erase multiple files with scrub

[root@localhost tmp]# find /tmp/test/ -type f -exec scrub -r -p dod {} \;
scrub: using DoD 5220.22-M patterns
scrub: padding /tmp/test/test1.txt with 4084 bytes to fill last fs block
scrub: scrubbing /tmp/test/test1.txt 4096 bytes (~4KB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|
scrub: unlinking /tmp/test/test1.txt
scrub: using DoD 5220.22-M patterns
scrub: padding /tmp/test/test2/test.txt with 4088 bytes to fill last fs block
scrub: scrubbing /tmp/test/test2/test.txt 4096 bytes (~4KB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|
scrub: unlinking /tmp/test/test2/test.txt

Secure erase the entire disk with scrub

[root@localhost scsi_host]# fdisk -l

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x2ec0a102

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         130     1044193+  83  Linux


[root@localhost]# scrub -p dod /dev/sdb
scrub: using DoD 5220.22-M patterns
scrub: please verify that device size below is correct!
scrub: scrubbing /dev/sdb 1073741824 bytes (~1GB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|
[root@localhost]#

Secure Erase a Single partition with scrub

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xff9a9e51

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          60      481918+  83  Linux
/dev/sdb2              61         130      562275   83  Linux


[root@localhost /]# scrub -p dod /dev/sdb1
scrub: using DoD 5220.22-M patterns
scrub: please verify that device size below is correct!
scrub: scrubbing /dev/sdb1 493484544 bytes (~470MB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|
[root@localhost /]#


[root@localhost /]# cd /mnt/partition1
[root@localhost partition1]# ls
[root@localhost partition1]# ls
[root@localhost partition1]# touch test
touch: cannot touch `test': Read-only file system
[root@localhost partition1]# cd /mnt/partition2
[root@localhost partition2]# ls
lost+found  part2.txt

[root@localhost test2]# mount -l
/dev/sdb1 on /mnt/partition1 type ext3 (rw)
/dev/sdb2 on /mnt/partition2 type ext3 (rw)
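Two things in the sessions above are worth guarding against before a wipe: scrub asks you to "verify that device size below is correct", and the partition was scrubbed while still mounted, which is why /mnt/partition1 ended up read-only. The wrapper below is an added example, not part of the original post or of the scrub project; safe_scrub, device_mounted and the expected-size argument are my own names, and it assumes /proc/mounts lines of the form "source mountpoint fstype options 0 0".

```shell
#!/bin/sh
# Pre-flight wrapper around scrub(1) for whole disks and partitions.
# Added example, not from the original post or the scrub project.
# Assumes /proc/mounts lines look like "source mountpoint fstype options 0 0".

# device_mounted MOUNTS_TEXT DEVICE
# Succeeds (exit 0) if DEVICE, or any partition on it (/dev/sdb matches
# /dev/sdb1), appears as a mount source in MOUNTS_TEXT. The text is passed
# in so the check works on a live /proc/mounts or on a constructed sample.
device_mounted() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        index($1, dev) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# safe_scrub DEVICE PATTERN EXPECTED_BYTES
# Refuses to run unless DEVICE is a block device, nothing on it is mounted,
# and the kernel-reported size equals EXPECTED_BYTES (the value you read
# from fdisk -l). Returns 2, 3 or 4 for the three refusals, else scrub's rc.
safe_scrub() {
    dev=$1; pattern=$2; expected=$3
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2; return 2
    fi
    if device_mounted "$(cat /proc/mounts)" "$dev"; then
        echo "refusing: $dev or a partition on it is mounted; umount first" >&2
        return 3
    fi
    actual=$(blockdev --getsize64 "$dev")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: $dev is $actual bytes, expected $expected" >&2; return 4
    fi
    # -s pins the size scrub uses to the one just verified.
    scrub -p "$pattern" -s "$expected" "$dev"
}

# Example invocation, mirroring the partition wipe above:
#   safe_scrub /dev/sdb1 dod 493484544
```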

Usage: scrub [OPTIONS] file
-v, --version             display scrub version and exit
-p, --pattern pat         select scrub pattern sequence
-b, --blocksize size      set I/O buffer size (default 1m)
-s, --device-size size    set device size manually
-X, --freespace           create dir+files, fill until ENOSPC, then scrub
-D, --dirent newname      after scrubbing file, scrub dir entry, rename
-f, --force               scrub despite signature from previous scrub
-S, --no-signature        do not write scrub signature after scrub
-r, --remove              remove file after scrub
-E, --extent-only         scrub only file extents

Scrub Methods
nnsa
4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudorandom pattern twice and then with a known pattern: random(x2), 0x00, verify.

dod
4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing removable and non-removable rigid disks which requires overwriting all addressable locations with a character, its complement, a random character, then verify. NOTE: scrub performs the random pass first to make verification easier: random, 0x00, 0xff, verify.

bsi
9-pass method recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.

gutmann
The canonical 35-pass sequence described in Gutmann's paper cited below.

schneier
7-pass method described by Bruce Schneier in "Applied Cryptography" (1996): 0x00, 0xff, random(x5)

pfitzner7
Roy Pfitzner's 7-random-pass method: random(x7).

pfitzner33
Roy Pfitzner's 33-random-pass method: random(x33).

usarmy
US Army AR380-19 method: 0x00, 0xff, random. (Note: identical to DoD 5220.22-M section 8-306 procedure (e) for sanitizing magnetic core memory).

fillzero
1-pass pattern: 0x00.

fillff
1-pass pattern: 0xff.

random
1-pass pattern: random(x1).

random2
2-pass pattern: random(x2).

old
6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00, 0x55, verify.

fastold
5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.

custom=string
1-pass custom pattern.  String may contain C-style numerical escapes: \nnn (octal) or \xnn (hex).

This entry was posted in Scripting.