This tutorial explains how to use the shred command to permanently and securely delete files, partitions and drives in Linux. It also explains why deleting important files from the rm command is not sufficient.
Broadly, data is organized in disk just like the chapters are organized in book. In book, an index page is used to tell the location where an actual chapter is stored. Instead of searching in entire book, one can easily look at the index page and directly go to the page where his desired chapter is located. Same way indexing is used in disk. An index entry tells the operating system what is stored in which particular block of the disk.
Following figure illustrates an example disk with indexing.
The rm command
In Linux, the rm command is used to delete a file or folder permanently. In normal circumstances, the rm command does its job perfectly.
However, does the rm command delete a file permanently?
From a normal user’s point of view, yes, a file deleted with the rm command is deleted permanently.
Unlike Windows system or Linux desktop environment where a deleted file is moved in Recycle Bin or Trash folder respectively, a file deleted with the rm command is not moved in any folder. It is deleted permanently.
From technical point of view, no, a deleted file persists in the disk until a new file or folder is stored at the same place where the file was stored.
So, what does exactly happen when we use the rm command?
The rm command removes the entry of specified file from indexing. Since file is removed, Linux marks the block where the file was stored as free and makes it available for new file. While storing a new file in disk, Linux uses indexing to find the free blocks. If a block is marked as free in indexing, it is used to store the new data regardless what it contains.
Until the new data is written in the block that is marked as free, it contains the old deleted data. Various Data recovery software and technique take advantage of this default behavior to retrieve the deleted data from the blocks which are marked as free in indexing.
For example if we use the #rm e command to delete the file e in previous example, it will only remove the file’s entry from indexing.
So, deleting a super-sensitive file with the rm command is not sufficient. To ensure that none of the data can be recovered from the deleted file, we have to use the advance utility or command such as shred. The shred command not only removes the deleted file’s entry from indexing but also overwrites the blocks in which original file was stored with dummy or raw data.
Installing shred utility
The shred utility is the part of the package coreutils. Since the package coreutils is the part of essential packages in default installation, the shred utility should almost always be installed. Still due to any reason if this command is not available in system, you can always reinstall or update the coreutils package with following command: -
$sudo apt-get install coreutils
Using shred command
The shred command uses following syntax: -
$shred [option] file/partition/drive
Here are some important options to use with shred command.
-f :- Perform delete and overwrite operation forcefully.
-v :- Display operation’s progress.
-z :- Add a final overwrite with zeros to hide the act of shredding.
-n :- Perform overwrite operation number of times specified with this option.
-u :- Delete file/partition/drive after overwriting.
For a complete list of options with other details, you can check the manual pages with following command
$man shred
Lab setup for practical examples of shred command
To demonstrate the practical examples of shred command, I added a separate disk (/dev/sdb) is my test system. This disk contains two partitions; /dev/sdb1 and /dev/sdb2. Both partitions are mounted in directories /securedrive/digilocker and /securedrive/database respectively. There is a text file in /securedrive/digilocker directory named credit-card.
Deleting a file
In /securedirve/digilocker directory we have a file named credit-card. To delete this file, we will use the following command.
$sudo shred –vfzu –n 5 /securedirve/digilocker/credit-card
Deleting a partition
With the same command, we can also delete a partition. To overwrite and delete the entire partition, replace the file name with partition number. For example, following command overwrites the partition /dev/sdb1 ten times with random data.
$sudo shred -vfzu -n 10 /dev/sdb1
While deleting the entire partition, make sure you specify the exact partition number. Skipping last numeric value will force this command to delete the entire drive instead of a single partition form drive. For example, to delete a single partition /dev/sdb1 from the drive /dev/sdb, use /dev/sdb1 while to delete the entire drive, use /dev/sdb.
If you are unsure about the partition number, you can list all partitions from the fdisk command.
Since the shred command overwrites entire partition, you may get low disk space warning if running this command in GUI environment.
Overwriting / deleting the entire drive
Just like the file and partition, if require we can also overwrite the entire drive with random garbage data. For example, following command first overwrites the drive /dev/sdb three times (first two times with random data + one last time with all zeros), renames drive name using zeros and finally removes all recoverable traces of the drive.
$sudo shred –vfzu –n 2 /dev/sdb
Depending on drive size and number of overwrite steps the process may take a long time.
Why system does not boot after deleting partition/drive from the shred command?
The shred command only overwrites and deletes the data and indexing information. It does not make any change in partition table and configuration files which mange storage devices in system.
In boot process, Linux uses the configuration file /etc/fstab to mount the storage devices. If information about the deleted drive or partition is not updated in this file, Linux will try to mount them also. Since the partition or drive has been deleted, Linux will fail to mount it. A mount failure halts the boot process with the following error message.
To solve this issue, when overwriting and deleting the entire partition or drive with the shred command, make sure you also delete the relative information from the file /etc/fstab.
Compatibility
The manual pages of shred command provide all necessary information about compatibility.
As stated in the manual, shred command may not work effectively on the following types of filesystems: -
- Log-structured or journaled filesystems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)
- Filesystems that write redundant data and carry on even if some writes fail, such as RAID-based filesystems
- Filesystems that make snapshots, such as Network Appliance’s NFS server
- Filesystems that cache in temporary locations, such as NFS version 3 clients
- Compressed filesystems
That’s all for this tutorial. If you like this tutorial, please don’t forget to share it through your favorite social platform.
