Short answer: one wipe is enough (at least for NIST and one of the British Infosec standards), wipes miss bad sectors, and the ATA secure erase command is worth checking out.
I keep this one on file and update it occasionally. Explanation, references, justification and details to follow. Oh, I saw the recommendation for dban. I couldn't find any reference to erasing bad sectors; if so, it likely doesn't work as well as anything that uses secure erase (like a free util or hdparm).

==============================================================================

Basically the less you know about disks the more wipes one tends to recommend, usually mentioning the ridiculous 35 wipes listed by Peter Gutmann. I can't explain it any better than Gutmann: "some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques". As well as "A good scrubbing with random data will do about as well as can be expected".

While true in 1996 (where storage densities were on the order of $0.40 per MB and 1.6GB was a big disk) it's much more true today where TB disks are under $100 and disks commonly sell for less than $0.10 per GB (a factor of 4000 cheaper and 1000 denser).

DoD, US Navy, Air Force, British infosec, German info security, etc. all recommend 3-4 wipes, mostly because large organizations generate standards slowly, often taking years, and many of those standards were published long ago. That, and for any engineering justification there's always a temptation to add another wipe or 2 just to be sure.

Of course those in tin foil hats mention that the NSA doesn't allow wiping, thus they must be able to recover after N wipes. Instead I suggest that it's because normal user wipes don't wipe bad sectors, and that it's much easier to verify a drive is destroyed visually with 100% reliability than it is to tell if a drive has been securely wiped with 100% reliability. In practice there's a big difference between theory and practice ;-). NSA is all about practice.

The problem with wipes is that they won't overwrite bad blocks which an attacker might be able to read. Do you care about this? If it's a sector? 10? 100? 0.1% of a disk? If you do, you can use ATA Secure wipe; there are utils/boot disks with it, and NIST, DOD and others consider it better than a normal wipe or multi-wipe. Alas hdparm supports it, only experimentally. I'd suggest checking out:

  http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
  http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

In general CMRR looks like one of the centers of such expertise; I'd listen to their recommendations. They are cited by NIST (which recommends one wipe). The PDF explains the myth of magnetic force microscope recovery. There are many other research publications that support this idea and debunk recovering from a wipe via magnetic microscopy.

So if you don't use secure wipe and won't lose sleep at night over a few bad blocks being potentially recovered, I'd recommend something like:

  dd if=/dev/urandom of=/dev/sd<whichever disk>

Above use something like /dev/sdb, NOT /dev/sdb1. Swap could potentially contain confidential information.

If you are ultra paranoid/bored, sure, a second pass with either 1's, 0's, or the random would add additional protection in case the NSA or other well funded organization is going to dedicate a few expensive technicians, a hugely expensive microscope, and man months/years trying to recover your data.

Alternatively you could bulk erase, but verify the data is unreadable; I have heard of commercial units not actually working, especially for multiple platter disks. Everywhere I looked seemed to be saying this is a cat and mouse game that the bulk erasers are losing. The above PDF I believe mentions that with the current or next generation recordings nothing external to the drive short of a nuclear EMP blast will work.

Or just destroy the disks; something like a vice, big hammer, big drill, gun, and fire seem to work just fine.
Some places even sell specialized versions of the above for such purposes.

NIST says: “Studies have shown that most of today’s media can be effectively cleared by one overwrite.” More details at:

  http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

For more info on the single wipe explanation:

  http://www.anti-forensics.com/disk-wiping-one-pass-is-enough

This might be useful, it shows various standards:

  http://en.wikipedia.org/wiki/Data_erasure

It mentions:

  According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."[5] "Secure erase" is a function built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

It seems to be the general consensus of the community that as disk density gets closer to the paramagnetic limit, recovery over previous values for a bit is getting much harder and impractical on drives made after 2001 or so. Thus the number of wipes needed for a given level of security is decreasing over time.

Oh, one last thing. If you are using encrypted disk (in OS, driver, or in drive) it's fairly secure to just change the key. You have to be careful that the size of the key is big enough to give you the protection in time that you want. In 10 years bigger keys will be feasible to crack; someone could potentially stick your drive on a shelf until the key is feasible to crack.

_______________________________________________
vox-tech mailing list
http://lists.lugod.org/mailman/listinfo/vox-tech
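
Added example, not part of the original post: the message recommends ATA secure erase via hdparm, and a drive can only accept that command when it reports the security feature set as supported and is neither frozen nor locked. The function below reads `hdparm -I` output on stdin and reports that state without touching any disk; the function names are hypothetical and the sample report is constructed, with its layout assumed to follow hdparm's Security section.

```shell
#!/bin/sh
# Added example: decide from `hdparm -I` text whether ATA secure erase can run.
# Real use (assumption: run as root):  hdparm -I /dev/sdX | secure_erase_ready

secure_erase_ready() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }      # a new top-level section starts
        !insec              { next }
        {   # collapse tabs/spaces so "not<TAB>frozen" becomes "not frozen"
            line = $0
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
        }
        line == "supported"                  { supported = 1 }
        line == "frozen"                     { frozen = 1 }
        line == "locked"                     { locked = 1 }
        line ~ /^supported: enhanced erase/  { enhanced = 1 }
        END {
            if (!supported) { print "unsupported"; exit 2 }
            if (frozen)     { print "frozen"; exit 3 }   # BIOS froze security
            if (locked)     { print "locked"; exit 4 }   # needs the password
            print (enhanced ? "ready enhanced" : "ready")
        }'
}

# Constructed sample report (not from a real drive).
# $1 is the word before "frozen": "not", or "" for a frozen drive.
sample_report() {
    printf 'ATA device, with non-removable media\n'
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\tnot\tenabled\n'
    printf '\tnot\tlocked\n'
    printf '\t%s\tfrozen\n' "$1"
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT.\n'
    printf 'Logical Unit WWN Device Identifier: 0000000000000000\n'
}

sample_report not | secure_erase_ready
```

A "frozen" result means the drive will reject the erase command until its security state is unfrozen, so a wipe script should stop there rather than fall through and report success.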
