man : shred
File: fileutils.info, Node: shred invocation, Prev: rm invocation, Up: Basic operations
`shred': Remove files more securely
`shred' overwrites devices or files, to help prevent even very
expensive hardware from recovering the data.
Ordinarily when you remove a file (*note rm invocation::), the data
is not actually destroyed. Only the index listing where the file is
stored is destroyed, and the storage is made available for reuse.
There are undelete utilities that will attempt to reconstruct the index
and can bring the file back if the parts were not reused.
On a busy system with a nearly-full drive, space can get reused in a
few seconds. But there is no way to know for sure. If you have
sensitive data, you may want to be sure that recovery is not possible
by actually overwriting the file with non-sensitive data.
However, even after doing that, it is possible to take the disk back
to a laboratory and use a lot of sensitive (and expensive) equipment to
look for the faint "echoes" of the original data underneath the
overwritten data. If the data has only been overwritten once, it's not
even that hard.
The best way to remove something irretrievably is to destroy the
media it's on with acid, melt it down, or the like. For cheap
removable media like floppy disks, this is the preferred method.
However, hard drives are expensive and hard to melt, so the `shred'
utility tries to achieve a similar effect non-destructively.
This uses many overwrite passes, with the data patterns chosen to
maximize the damage they do to the old data. While this will work on
floppies, the patterns are designed for best effect on hard drives.
For more details, see the source code and Peter Gutmann's paper `Secure
Deletion of Data from Magnetic and Solid-State Memory', from the
proceedings of the Sixth USENIX Security Symposium (San Jose,
California, 22-25 July, 1996). The paper is also available online
*Please note* that `shred' relies on a very important assumption:
that the filesystem overwrites data in place. This is the traditional
way to do things, but many modern filesystem designs do not satisfy this
assumption. Exceptions include:
* Log-structured or journaled filesystems, such as those supplied
with AIX and Solaris.
* Filesystems that write redundant data and carry on even if some
writes fail, such as RAID-based filesystems.
* Filesystems that make snapshots, such as Network Appliance's NFS
* Filesystems that cache in temporary locations, such as NFS version
* Compressed filesystems.
If you are not sure how your filesystem operates, then you should
assume that it does not overwrite data in place, which means that shred
cannot reliably operate on regular files in your filesystem.
Generally speaking, it is more reliable to shred a device than a
file, since this bypasses the problem of filesystem design mentioned
above. However, even shredding devices is not always completely
reliable. For example, most disks map out bad sectors invisibly to the
application; if the bad sectors contain sensitive data, `shred' won't
be able to destroy it.
`shred' makes no attempt to detect or report these problem, just as
it makes no attempt to do anything about backups. However, since it is
more reliable to shred devices than files, `shred' by default does not
truncate or remove the output file. This default is more suitable for
devices, which typically cannot be truncated and should not be removed.
shred [OPTION]... FILE[...]
The program accepts the following options. Also see *Note Common
Override file permissions if necessary to allow overwriting.
By default, `shred' uses 25 passes of overwrite. This is enough
for all of the useful overwrite patterns to be used at least once.
You can reduce this to save time, or increase it if you have a lot
of time to waste.
Shred the first BYTES bytes of the file. The default is to shred
the whole file. BYTES can be followed by a size specification like
`k', `M', or `G' to specify a multiple. *Note Block size::.
After shredding a file, truncate it (if possible) and then remove
it. If a file has multiple links, only the named links will be
Display status updates as sterilization proceeds.
Normally, shred rounds the file size up to the next multiple of
the filesystem block size to fully erase the last block of the
file. This option suppresses that behavior. Thus, by default if
you shred a 10-byte file on a system with 512-byte blocks, the
resulting file will be 512 bytes long. With this option, shred
does not increase the size of the file.
Normally, the last pass that `shred' writes is made up of random
data. If this would be conspicuous on your hard drive (for
example, because it looks like encrypted data), or you just think
it's tidier, the `--zero' option adds an additional overwrite pass
with all zero bits. This is in addition to the number of passes
specified by the `--iterations' option.
Shred standard output.
This argument is considered an option. If the common `--' option
has been used to indicate the end of options on the command line,
then `-' will be interpreted as an ordinary file name.
The intended use of this is to shred a removed temporary file.
i=`tempfile -m 0600`
rm -- "$i"
echo "Hello, world" >&3
shred - >&3
Note that the shell command `shred - >file' does not shred the
contents of FILE, since it truncates FILE before invoking `shred'.
Use the command `shred file' or (if using a Bourne-compatible
shell) the command `shred - 1<>file' instead.
You might use the following command to erase all trace of the file
system you'd created on the floppy disk in your first drive. That
command takes about 20 minutes to erase a 1.44MB floppy.
shred --verbose /dev/fd0
Similarly, to erase all data on a selected partition of your hard
disk, you could give a command like this:
shred --verbose /dev/sda5