-
Notifications
You must be signed in to change notification settings - Fork 18
A Unix tool for secure deletion
berke/wipe
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
wipe 0.24 by Berke Durak Wed Nov 02 2016 WHAT IS WIPE ? "wipe" is a short, nice tool for securely wiping out files from magnetic media. Purpose: to quickly wipe out traces of your latest dissident activities (cryptography etc.) when you realise that your local SSP (State Security Police, aka. NSA, DST, CIA, MIT (Turkish Intelligence Agency), Mossad, ...) is knocking at your door. QUICK START See file "QUICKSTART". RTFM Please READ THE MAN PAGE for more detailed information on wipe. Also, if you haven't done it yet, read Peter Gutmann's article on "Secure Deletion of Data from Magnetic and Solid-State Memory", included in this directory, which can also be retrieved from http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html CHANGES See the file CHANGES for a short history of wipe. You can get the latest version of wipe at these addresses: http://lambda-diode.com/software/wipe/ COPYING Wipe is under the GNU Public License (see file COPYING). PROBLEMS Wiping is a tricky affair. "wipe" tries to do everything that a portable user-level program can do to securely erase the given files. However, there are several limitations: 1.Since file meta information such as file name, size, creation/modification/access dates as well as directory structures are filesystem-specific, and as file systems tend to have extremely various architectures, there is no hope in seeing a uniform interface for accessing low-level filesystem data. Therefore a portable program must be filesystem-independent. It must thus use standard file operations in a way that will make most file systems effectively overwrite the desired portions of the magnetic media. 2.Since IDE and SCSI hard disks are driven by their own logic, nothing guarantees that the required data is written out effectively at the required place, i.e. over the old data. 3.The successfull erasure of off-track data is a function of drive temperature, usage history, drive mechanics and luck. Therefore I cannot and will not guarantee you that the files erased with wipe are unrecoverable. SOME RECENT VERSIONS (0.11, 0.12, 0.13) HAVE SERIOUS BUGS: I was too lazy to check if wipe was still working as expected after doing various improvements. It was not. Mea culpa. The current version (0.14) has been more or less verified, in different wipe modes, on different files and block devices. You can use "strace" on wipe to check that it effectively does the announced writes with different random data. From a software-level, wipe seems to do what it claims to do, i.e. overwriting, renaming, truncating, etc. Verification at the hardware-level requires specialised hardware. I don't have hardware. If anyone has got access to such hardware and is willing to check the effectiveness of wipe (and other secure deletion tools) PLEASE INFORM THE PUBLIC ABOUT IT. Verifications made on an Ext2 file system mounted through loopback shows that wipe 0.14 correctly erases the data blocks of files. However, file name wiping did not work as well as expected: plain filenames were still discernable at the block level after wiping a large directory tree. But filling the filesystem with a maximum size file and wiping it (as a crude but portable way to wipe out free blocks) erased the remaining plain filenames. There will be problems with files having "holes" in them; as wipe will try to completely overwrite those files with random data, the holes will get filled, possibly exceeding available disk space. Briefly: you can reasonably expect that the DATA contained in your files is EFFECTIVELY WIPED. However on complex file systems like Ext2 it is likely that FILE META-INFORMATION is NOT securely erased, or even not overwritten at all. RECOMMANDATIONS FOR MAXIMUM SAFETY For maximum safety, use an encrypted file system. Use wipe to clean whole partitions. For example, if I had guilty stuff on /dev/hda3, assuming that /dev/hda3 is less than, say 70% full, I would first mount /dev/hda3 on /mount, then do wipe -cfrsF /mount/ to wipe the contents of the data files using 34 passes, then wipe -kqZ -Q 1 /dev/hda3 to erase file meta-information. However if /dev/hda3 is more than 70% full, it might be quicker to erase the whole hard disk using 34 passes: wipe -kZ /dev/hda3 If you don't have to hide that you have guilty stuff but just want to be sure that someone else won't get at the CONTENTS of that guilty stuff, or in other words if you don't care about wiping file names, sizes etc. but just want to wipe out file contents, simply do wipe -cfrZF /mount/. And, last but not least, think of TEMPEST monitoring. I don't know how feasible it is to remotely eavesdrop your computer's internal bus or your IDE ribbon but using the "-s" (silent) option will prevent wipe from outputting to your monitor the names of all the files it erases. Eavesdropping your CRT is much easier for amateurs as well as for professionals. REQUIREMENTS wipe used to require Linux kernel 2.0.x or newer, in order to use the O_SYNC bit, and the /dev/random device. Since version 0.10, it no longer expressely requires O_SYNC, uses strong PRNGs and can gather the required seeds from different sources, including /dev/random-like devices, by hashing the output of a user-defined command or, in the worst case, by hashing its PID, the local date/time and its environment variables. Thanks to Chris L. Mason <[email protected]> who initially motivated me to make wipe portable and helped me with compilation tips, bug reports, suggestions and patches. He maintains a site with reviews on UNIX software at http://www.unixzone.com THANKS Many thanks to the following people who sent in bug reports, compilation tips, and even whole patches ! In alphabetical order, hoping to not forget anyone, they are: Alexey Marinichev Chris L. Mason Jason Axley Erik Vogan, 64-bit offset fix Michael S. Rhee Paul H. Hargrove Peter Miller, for contributing an ETA patch Thomas Schoepf Joao Eriberto Mota Filho INSTALLATION To compile wipe, type "make" to get a list of supported unices. If your operating system appears in the list, type "make <your operating system>"; otherwise try "make generic". If this does not work, you'll have to hand-edit the Makefile: please mail me about your results. You can then copy the "wipe" executable in /usr/local/bin/ or in ~/bin if you wish. Install the man page in /usr/local/man/man1/, or use "man -l wipe.1" to read the manual page from wipe's directory. On systems lacking a /dev/random-like device, the shell script "randompipe.sh" can be used with the -R and -S options or the WIPE_SEEDPIPE environment variable. For more info, see the man page. OTHER WIPE IMPLEMENTATIONS There are several file-wiping tools available for Windows. There are two other ones I know for Linux: Calvin Clark's wipe 1.0beta, and Tom Viers' wipe v0.55beta3. These have exactly the same semantics as mine, i.e. their aim is to overwrite files with data in order to prevent recovery of their contents. Tom Viers' wipe is very similar to mine and is also based on Peter Gutmann's article. However, Calvin's wipe does simply write zeroes out on the file, which is not secure at all (RTF article !). There is also Van Hauser's srm (secure remove) available at http://r3wt.base.org, and which uses /dev/urandom as a PRNG. AUTHOR I can be reached at <[email protected]>. Send bug reports, ideas for improvement, compilation problems and other comments to this address.
About
A Unix tool for secure deletion
Resources
Stars
Watchers
Forks
Packages 0
No packages published