On Wed, Sep 09, 2009 at 09:20:30PM -0700, Bill Broadley wrote: > > Short answer, one wipe is enough (At least for NIST, and one of the British > Infosec standards), wipes miss bad sectors, the ATA secure erase command is > worth checking out. [snip] I think caching is a concern on some systems, so more wipes seems to magically make the write go to the actual media. But I would agree with one wipe is probably enough. I had not thought about bad blocks.
> > So if you don't use secure wipe and won't lose sleep at night over a few bad > blocks being potentially recovered I'd recommend something like: > > dd if=/dev/urandom of=/dev/sd<whichever disk> Your computer must have a lot of entropy! Note that that device gathers entropy from the system. When an event happens, it may be worth one or two bits. Last time I wrote a program that read from that device, it seemed that I got a number of bytes, and then I had to wait as various events occured to the system. That is why they often tell you to move the mouse around when generating keys. It generates entropy for the system. You can feed that data from /dev/urandom into AES as the key, then use Cipher Block Chaining so that it looks more random. Essentially, you are using the /dev/urandom as the key to produce cipher text. I believe dban does this. If you wipe with /dev/zero, then the adversary could be correct for half the bits assuming that they are equaly distributed! brian -- Brian Lavender http://www.brie.com/brian/ _______________________________________________ vox-tech mailing list [email protected] http://lists.lugod.org/mailman/listinfo/vox-tech
