securely deleting files

securely deleting files

[Jason Holt]

shred is a tool which is supposed to overwrite files so that they're
unrecoverable, even with fairly involved recovery techniques.  

But it isn't guaranteed to work - sensitive blocks may get moved around on the
physical disk, stored in journals, etc.

So here's how I get around it:

$ cat >sensitive
there's something sensitive in this file...

$ rm sensitive
$ cat /dev/zero    >foo ; sync ; rm foo  # Fill up the disk, then delete.
$ cat /dev/urandom >foo ; sync ; rm foo  # For the *truly* paranoid

Now, a good friend of mine pointed out that part of the space on a filesystem
is kept aside just for root, so you may want to fill the disk up as root.  
(Is this actually a concern?  Can blocks which used to hold user data end up
being reserved?)  

Also, if your sensitive file was in memory recently it might have been swapped
out, in which case it may still be in the swap partition.  I have a program
which fills up all available *memory* as well, and I could post the source
here if everyone's interested.

						-J

Re: securely deleting files

[Hans Reiser]

Jason Holt wrote:

>shred is a tool which is supposed to overwrite files so that they're
>unrecoverable, even with fairly involved recovery techniques.  
>
>But it isn't guaranteed to work - sensitive blocks may get moved around on the
>physical disk, stored in journals, etc.
>
>So here's how I get around it:
>
>$ cat >sensitive
>there's something sensitive in this file...
>
>$ rm sensitive
>$ cat /dev/zero    >foo ; sync ; rm foo  # Fill up the disk, then delete.
>$ cat /dev/urandom >foo ; sync ; rm foo  # For the *truly* paranoid
>
>Now, a good friend of mine pointed out that part of the space on a filesystem
>is kept aside just for root, so you may want to fill the disk up as root.  
>(Is this actually a concern?  Can blocks which used to hold user data end up
>being reserved?) 
>
Yes.

Edward, please put this in the faq, credit Jason, add a note that this 
will not protect against media scans using special equipment because 
writes and overwrites are not always equally aligned.

> 
>
>Also, if your sensitive file was in memory recently it might have been swapped
>out, in which case it may still be in the swap partition.  I have a program
>which fills up all available *memory* as well, and I could post the source
>here if everyone's interested.
>
>						-J
>
>
>
>  
>


-- 
Hans

Re: securely deleting files

[Oleg Drokin]

Hello!

On Tue, May 06, 2003 at 05:37:13AM +0000, Jason Holt wrote:

> Now, a good friend of mine pointed out that part of the space on a filesystem
> is kept aside just for root, so you may want to fill the disk up as root.  
> (Is this actually a concern?  Can blocks which used to hold user data end up
> being reserved?)  

Yes they can.
No, we don't have such (supported) feature in reiserfsv3 yet.
Also if the file was deleted, but something still have open filehandle to it (or hardlink),
its blocks are not freed at rm time and therefore filling all the free space won't help.
There are other caveats.

> Also, if your sensitive file was in memory recently it might have been swapped
> out, in which case it may still be in the swap partition.  I have a program
> which fills up all available *memory* as well, and I could post the source
> here if everyone's interested.

If the program that used the file and still have the copy of it is still running,
no matter how much you eat all the ram, the file still can end up in swap.

The program that fills up all available memory is called "tail". Just run
"tail /dev/zero" and enjoy ;) (this does not work on FreeBSD, though).

Bye,
    Oleg

Re: securely deleting files

[Hans Reiser]

Oleg Drokin wrote:

>Hello!
>
>On Tue, May 06, 2003 at 05:37:13AM +0000, Jason Holt wrote:
>
>  
>
>>Now, a good friend of mine pointed out that part of the space on a filesystem
>>is kept aside just for root, so you may want to fill the disk up as root.  
>>(Is this actually a concern?  Can blocks which used to hold user data end up
>>being reserved?)  
>>    
>>
>
>Yes they can.
>No, we don't have such (supported) feature in reiserfsv3 yet.
>
You meant the reserved space for root?

>Also if the file was deleted, but something still have open filehandle to it (or hardlink),
>its blocks are not freed at rm time and therefore filling all the free space won't help.
>There are other caveats.
>
>  
>
>>Also, if your sensitive file was in memory recently it might have been swapped
>>out, in which case it may still be in the swap partition.  I have a program
>>which fills up all available *memory* as well, and I could post the source
>>here if everyone's interested.
>>    
>>
>
>If the program that used the file and still have the copy of it is still running,
>no matter how much you eat all the ram, the file still can end up in swap.
>
>The program that fills up all available memory is called "tail". Just run
>"tail /dev/zero" and enjoy ;) (this does not work on FreeBSD, though).
>
>Bye,
>    Oleg
>
>
>  
>


-- 
Hans

Re: securely deleting files

[Oleg Drokin]

Hello!

On Mon, May 12, 2003 at 02:39:51PM +0400, Hans Reiser wrote:

> >Yes they can.
> >No, we don't have such (supported) feature in reiserfsv3 yet.
> You meant the reserved space for root?

Yes.
Also starting from 2.4.20 (with new block allocator), we do not
reserve any space at all (we used to reserve 2M or so before 2.4.20,
and those reserved 2M could not be used by anything in kernel).

Bye,
    Oleg