NAME
scrub - write patterns on disk/file
SYNOPSIS
scrub [OPTIONS] special-file
scrub [OPTIONS] file
scrub -X [OPTIONS] directory
DESCRIPTION
Scrub iteratively writes patterns on files or disk devices to make
retrieving the data more difficult. Scrub operates in one of three
modes:
1) The special file corresponding to an entire disk is scrubbed and all
data on it is destroyed. This mode is selected if file is a character
or block special file. This is the most effective method.
2) A regular file is scrubbed and only the data in the file (and
optionally its name in the directory entry) is destroyed. The file
size is rounded up to fill out the last file system block. This mode
is selected if file is a regular file. See CAVEATS below.
3) A directory is created and filled with files until the file system is
full, then the files are scrubbed as in 2). This mode is selected with
the -X option. See CAVEATS below.
Scrub accepts the following options:
-v, --version
Print scrub version and exit.
-r, --remove
Remove the file after scrubbing.
-p, --pattern nnsa|dod|bsi|old|fastold|gutmann|random|random2
Select the patterns to write. nnsa selects patterns compliant
with NNSA Policy Letter NAP-14.x; dod selects patterns compliant
with DoD 5220.22-M; bsi selects patterns recommended by the
German Center of Security in Information Technologies
(http://www.bsi.bund.de); old selects pre-version 1.7 scrub
patterns; and fastold is old without the random pass. gutmann
is a 35-pass sequence described in Gutmann’s paper cited below.
See STANDARDS below for more detail. random is a single random
pass. random2 is two random passes. Default: nnsa.
-b, --blocksize blocksize
Perform read(2) and write(2) calls using the specified blocksize
(in bytes). K, M, or G may be appended to the number to change
the units to KiBytes, MiBytes, or GiBytes, respectively.
Default: 1M.
-f, --force
Scrub even if target contains signature indicating it has
already been scrubbed.
-S, --no-signature
Do not write scrub signature. Scrub will not be able to
ascertain if the disk has already been scrubbed.
-X, --freespace
Create specified directory and fill it with files until write
returns ENOSPC (file system full), then scrub the files as
usual. The size of each file can be set with -s, otherwise it
will be the maximum file size creatable given the user's file
size limit or 1g if unlimited.
-D, --dirent newname
After scrubbing the file, scrub its name in the directory entry,
then rename it to the new name. The scrub patterns used on the
directory entry are constrained by the operating system and thus
are not compliant with cited standards.
-s, --device-size size
Override the device size (in bytes). Without this option, scrub
determines media capacity using OS-specific ioctl(2) calls. K,
M, or G may be appended to the number to change the units to
KiBytes, MiBytes, or GiBytes, respectively.
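The size arithmetic behind -b and -s, and the file-size rounding in mode 2, as an added Python example (not scrub's own code): parse_size() accepts the K/M/G suffixes exactly as documented above (binary units), io_plan() computes how many full blocksize-sized read(2)/write(2) calls a device of a given size needs plus the short tail call, and rounded_file_size() shows the rounding of a regular file up to the last file system block. The file system block size used in the usage call is a constructed value, not read from a real file system.

```python
import math
import os

# Suffix multipliers documented for -b and -s: K, M, G are binary units.
SUFFIXES = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Parse a size argument such as '512', '4K', '1M' or '2G' into bytes.

    Only the upper-case suffixes named in the man page are accepted;
    anything else is rejected so a typo cannot silently select a tiny
    or huge block size.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty size")
    mult = 1
    if text[-1] in SUFFIXES:
        mult = SUFFIXES[text[-1]]
        text = text[:-1]
    if not text.isdigit():
        raise ValueError("size must be digits optionally followed by K, M or G")
    value = int(text) * mult
    if value == 0:
        raise ValueError("size must be positive")
    return value


def io_plan(device_size, blocksize):
    """Return (full_calls, tail_bytes): how many whole-blocksize I/O calls
    cover device_size bytes, and how many bytes the final short call moves
    (0 when the device size is an exact multiple of the block size)."""
    if blocksize <= 0 or device_size < 0:
        raise ValueError("sizes must be positive")
    return divmod(device_size, blocksize)


def rounded_file_size(file_size, fs_blocksize):
    """Mode 2 rounds a regular file's size up so the slack space in its
    last file system block is overwritten too."""
    if fs_blocksize <= 0:
        raise ValueError("file system block size must be positive")
    return math.ceil(file_size / fs_blocksize) * fs_blocksize


if __name__ == "__main__":
    # Constructed values: a 10 MiB + 5 byte device scrubbed with the 1M default.
    blocksize = parse_size("1M")
    print(io_plan(10 * 1024 ** 2 + 5, blocksize))   # (10, 5)
    # A 6000-byte file on a constructed 4 KiB-block file system.
    print(rounded_file_size(6000, 4096))            # 8192
    # A real file system's block size can be taken from os.statvfs(path).f_bsize.
    print(os.statvfs(".").f_bsize > 0)
```

io_plan() is why a device whose capacity is not a multiple of the block size still gets its last partial block written: the tail call is issued with the remaining byte count rather than being dropped.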
CAVEATS
Scrub may be insufficient to thwart heroic efforts to recover data in
an appropriately equipped lab.
Scrub nnsa patterns are reasonable for sanitizing modern PRML/EPRML
encoded disk devices.
The effectiveness of scrubbing regular files through a file system will
be limited by the OS and file system. File systems that are known to
be problematic are journaled, log structured, copy-on-write, versioned,
and network file systems. If in doubt, scrub the raw disk device.
Scrubbing free blocks in a file system with the -X method is subject to
the same caveats as scrubbing regular files, and in addition, is only
useful to the extent the file system allows you to reallocate the
target blocks as data blocks in a new file. If in doubt, scrub the raw
disk device.
[MacOS X HFS file system] Scrub attempts to overwrite a file’s resource
fork if it exists. Although MacOS X will support additional named
forks in the future, scrub is only aware of the traditional data and
resource forks.
STANDARDS
The dod scrub sequence is compliant with the DoD 5220.22-M procedure
for sanitizing removable and non-removable rigid disks which requires
overwriting all addressable locations with a character, its complement,
then a random character, and verify. Please refer to the DoD document
for additional constraints.
The nnsa (default) scrub sequence is compliant with a Dec. 2005 draft
of NNSA Policy Letter NAP-14.x (see reference below) for sanitizing
removable and non-removable hard disks, which requires overwriting all
locations with a pseudorandom pattern twice and then with a known
pattern. Please refer to the NNSA document for additional constraints.
Please consult local authorities regarding your site policy for disk
sanitization.
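The dod and nnsa pass sequences described under STANDARDS (and selected with -p above), modelled as an added Python example against a regular file; this is not scrub's own code and does not reproduce its actual fill bytes, PRNG or signature. The constant characters (0x55 and its complement 0xAA for dod, 0x00 as the nnsa "known pattern") and the use of a seeded PRNG so that the random pass can be regenerated for the verify read are constructed assumptions. The example only overwrites the file's data, so all the CAVEATS about journaled, copy-on-write and network file systems apply to it exactly as they do to scrub in mode 2.

```python
import os
import random
import secrets
import tempfile

BLOCKSIZE = 1024 * 1024  # same 1M default as scrub's -b


def sequence(name):
    """Expand a -p pattern name into a list of passes.

    Each pass is ('const', byte) or ('random', seed).  The byte values are
    constructed for this example; the man page does not specify them.
    """
    if name == "dod":
        # character, its complement, then a random character (DoD 5220.22-M)
        return [("const", 0x55), ("const", 0xAA), ("random", secrets.randbits(64))]
    if name == "nnsa":
        # pseudorandom twice, then a known pattern (NNSA NAP-14.x draft)
        return [("random", secrets.randbits(64)), ("random", secrets.randbits(64)),
                ("const", 0x00)]
    if name == "random":
        return [("random", secrets.randbits(64))]
    if name == "random2":
        return [("random", secrets.randbits(64)), ("random", secrets.randbits(64))]
    raise ValueError("unknown pattern name: %s" % name)


def _chunks(size, spec):
    """Yield the bytes for one pass, block by block; a seeded PRNG lets the
    verify step regenerate exactly what the random pass wrote."""
    kind, arg = spec
    rng = random.Random(arg) if kind == "random" else None
    left = size
    while left > 0:
        n = min(BLOCKSIZE, left)
        yield rng.randbytes(n) if rng else bytes([arg]) * n
        left -= n


def _write_pass(fd, size, spec):
    os.lseek(fd, 0, os.SEEK_SET)
    for buf in _chunks(size, spec):
        view = memoryview(buf)
        while view:                       # tolerate short writes
            view = view[os.write(fd, view):]
    os.fsync(fd)                          # push the pass to the device


def _verify_pass(fd, size, spec):
    os.lseek(fd, 0, os.SEEK_SET)
    for buf in _chunks(size, spec):
        got = os.read(fd, len(buf))
        if got != buf:
            return False
    return True


def scrub_file(path, pattern="nnsa"):
    """Overwrite the data of a regular file with the named pass sequence and
    verify the final pass.  Returns (pass_count, verified)."""
    passes = sequence(pattern)
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        for spec in passes:
            _write_pass(fd, size, spec)
        verified = _verify_pass(fd, size, passes[-1])
    finally:
        os.close(fd)
    return len(passes), verified


if __name__ == "__main__":
    # Constructed input: a temporary file holding a recognisable secret.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"top secret payload\n" * 400)
    print(scrub_file(tmp.name, "dod"))    # (3, True)
    os.unlink(tmp.name)
```

The verify read is what distinguishes "and verify" in the DoD procedure from merely issuing the writes: it catches a device that silently discards writes, which an fsync-only sequence would not. It cannot, however, see past a file system that redirected the writes to fresh blocks, which is why the man page recommends scrubbing the raw device when in doubt.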
AUTHOR
Jim Garlick <garlick@llnl.gov>
This work was produced at the University of California, Lawrence
Livermore National Laboratory under Contract No. W-7405-ENG-48 with the
DOE. Designated UCRL-CODE-2003-006, scrub is licensed under terms of
the GNU General Public License.
SEE ALSO
DoD 5220.22-M, "National Industrial Security Program Operating Manual",
Chapter 8, 01/1995.
NNSA Policy Letter: NAP-14.x, "Clearing, Sanitizing, and Destroying
Information System Storage Media, Memory Devices, and other Related
Hardware", Unpublished Draft, 2005
"Secure Deletion of Data from Magnetic and Solid-State Memory", by
Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
22-25, 1996.
"Gutmann Method", Wikipedia,
http://en.wikipedia.org/wiki/Gutmann_method.
Darik's Boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html
shred(1)