scrub

scrub(1)                                                              scrub(1)



NAME
       scrub - write patterns on disk/file

SYNOPSIS
       scrub [OPTIONS] special-file
       scrub [OPTIONS] file
       scrub -X [OPTIONS] directory

DESCRIPTION
       Scrub iteratively writes patterns on files or disk devices to make
       retrieving the data more difficult.  Scrub operates in one of three
       modes:

       1) The special file corresponding to an entire disk is scrubbed and all
       data on it is destroyed.  This mode is selected if file is a character
       or block special file.  This is the most effective method.

       2) A regular file is scrubbed and only the data in the file (and
       optionally its name in the directory entry) is destroyed.  The file
       size is rounded up to fill out the last file system block.  This mode
       is selected if file is a regular file.  See CAVEATS below.

       3) directory is created and filled with files until the file system is
       full, then the files are scrubbed as in 2). This mode is selected with
       the -X option.  See CAVEATS below.

OPTIONS
       Scrub accepts the following options:

       -v, --version
              Print scrub version and exit.

       -r, --remove
              Remove the file after scrubbing.

       -p, --pattern PATTERN
              Select the patterns to write.  See SCRUB METHODS below.  The
              default, nnsa, is reasonable for sanitizing modern PRML/EPRML
              encoded disk devices.

       -b, --blocksize blocksize
              Perform read(2) and write(2) calls using the specified blocksize
              (in bytes).  K, M, or G may be appended to the number to change
              the units to KiBytes, MiBytes, or GiBytes, respectively.
              Default: 4M.

       -f, --force
              Scrub even if target contains signature indicating it has
              already been scrubbed.

       -S, --no-signature
              Do not write scrub signature.  Later, scrub will not be able to
              ascertain if the disk has already been scrubbed.

       -X, --freespace
              Create specified directory and fill it with files until write
              returns ENOSPC (file system full), then scrub the files as
              usual.  The size of each file can be set with -s, otherwise it
              will be the maximum file size creatable given the user's file
              size limit or 1g if unlimited.

       -D, --dirent newname
              After scrubbing the file, scrub its name in the directory entry,
              then rename it to the new name.  The scrub patterns used on the
              directory entry are constrained by the operating system and thus
              are not compliant with cited standards.

       -s, --device-size size
              Override the device size (in bytes). Without this option, scrub
              determines media capacity using OS-specific ioctl(2) calls.  K,
              M, or G may be appended to the number to change the units to
              KiBytes, MiBytes, or GiBytes, respectively.

       -L, --no-link
              If file is a symbolic link, do not scrub the link target.  Do
              remove it, however, if --remove is specified.

       -R, --no-hwrand
              Don't use a hardware random number generator even if one is
              available.

       -t, --no-threads
              Don't generate random data in parallel with I/O.

       -h, --help
              Print a summary of command line options on stderr.

SCRUB METHODS
       nnsa   4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing
              removable and non-removable hard disks, which requires
              overwriting all locations with a pseudorandom pattern twice and
              then with a known pattern: random(x2), 0x00, verify.

       dod    4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing
              removable and non-removable rigid disks which requires
              overwriting all addressable locations with a character, its
              complement, a random character, then verify.  NOTE: scrub
              performs the random pass first to make verification easier:
              random, 0x00, 0xff, verify.

       bsi    9-pass method recommended by the German Center of Security in
              Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe,
              0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.

       gutmann
              The canonical 35-pass sequence described in Gutmann's paper
              cited below.

       schneier
              7-pass method described by Bruce Schneier in "Applied
              Cryptography" (1996): 0x00, 0xff, random(x5)

       pfitzner7
              Roy Pfitzner's 7-random-pass method: random(x7).

       pfitzner33
              Roy Pfitzner's 33-random-pass method: random(x33).

       usarmy US Army AR380-19 method: 0x00, 0xff, random.  (Note: identical
              to DoD 522.22-M section 8-306 procedure (e) for sanitizing
              magnetic core memory).

       fillzero
              1-pass pattern: 0x00.

       fillff 1-pass pattern: 0xff.

       random 1-pass pattern: random(x1).

       random2
              2-pass pattern: random(x2).

       old    6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00,
              0x55, verify.

       fastold
              5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.

       custom=string
              1-pass custom pattern.  String may contain C-style numerical
              escapes: \nnn (octal) or \xnn (hex).

CAVEATS
       Scrub may be insufficient to thwart heroic efforts to recover data in
       an appropriately equipped lab.  If you need this level of protection,
       physical destruction is your best bet.

       The effectiveness of scrubbing regular files through a file system will
       be limited by the OS and file system.  File systems that are known to
       be problematic are journaled, log structured, copy-on-write, versioned,
       and network file systems.  If in doubt, scrub the raw disk device.

       Scrubbing free blocks in a file system with the -X method is subject to
       the same caveats as scrubbing regular files, and in addition, is only
       useful to the extent the file system allows you to reallocate the
       target blocks as data blocks in a new file.  If in doubt, scrub the raw
       disk device.

       On MacOS X HFS file system, scrub attempts to overwrite a file's
       resource fork if it exists.  Although MacOS X claims it will support
       additional named forks in the future, scrub is only aware of the
       traditional data and resource forks.

       scrub cannot access disk blocks that have been spared out by the disk
       controller.  For SATA/PATA drives, the ATA "security erase" command
       built into the drive controller can do this.  Similarly, the ATA
       "enhanced security erase" can erase data on track edges and between
       tracks.  The DOS utility HDDERASE from the UCSD Center for Magnetic
       Recording Research can issue these commands, as can modern versions of
       Linux hdparm.  Unfortunately, the analogous SCSI command is optional
       according to T-10, and not widely implemented.

EXAMPLES
       To scrub a raw device /dev/sdf1 with default NNSA patterns:

              # scrub /dev/sdf1
              scrub: using NNSA NAP-14.1-C patterns
              scrub: please verify that device size below is correct!
              scrub: scrubbing /dev/sdf1 1995650048 bytes (~1GB)
              scrub: random  |................................................|
              scrub: random  |................................................|
              scrub: 0x00    |................................................|
              scrub: verify  |................................................|

       To scrub the file /tmp/scrubme with a sequence of 0xff 0xaa bytes:

              # scrub -p custom="\xff\xaa" /tmp/scrubme
              scrub: using Custom single-pass patterns
              scrub: scrubbing /tmp/scrubme 78319616 bytes (~74MB)
              scrub: 0xffaa  |................................................|

AUTHOR
       Jim Garlick <garlick@llnl.gov>

       This work was produced at the University of California, Lawrence
       Livermore National Laboratory under Contract No. W-7405-ENG-48 with the
       DOE.  Designated UCRL-CODE-2003-006, scrub is licensed under terms of
       the GNU General Public License.

SEE ALSO
       DoD 5220.22-M, "National Industrial Security Program Operating Manual",
       Chapter 8, 01/1995.

       NNSA Policy Letter: NAP-14.1-C, "Clearing, Sanitizing, and Destroying
       Information System Storage Media, Memory Devices, and other Related
       Hardware", 05-02-08, page XVI-8.

       "Secure Deletion of Data from Magnetic and Solid-State Memory", by
       Peter Gutmann, Sixth USENIX Security Symposium, San Jose, CA, July
       22-25, 1996.

       "Gutmann Method", Wikipedia,
       http://en.wikipedia.org/wiki/Gutmann_method.

       Darik's boot and Nuke FAQ: http://dban.sourceforge.net/faq/index.html

       "Tutorial on Disk Drive Data Sanitization", by Gordon Hugues and Tom
       Coughlin,
       http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf.

       "Guidelines for Media Sanitization", NIST special publication 800-88,
       Kissel et al, September, 2006.

       shred(1), hdparm(8)



                                                                      scrub(1)