Securely erase files and folders on CentOS 7
With the increasing number of data breaches and ever tighter regulation surrounding data security, it’s now more important than ever to ensure you securely erase old data. Physical destruction of hard drives is widely acknowledged as the most secure method, but isn’t always possible. If, like us, you use cloud servers, you don’t have this option. Similarly, rented servers rarely give you the option to keep the physical disks after the contract ends.
There are, however, a range of tools available to ensure your data is securely scrubbed prior to cancelling your CentOS servers.
Be warned, you can render your system unusable and data irrecoverable with these commands so be careful and use at your own risk.
Scrub
Scrub is available in the base CentOS repository, so you can install it with
yum -y install scrub
Scrub works by overwriting your data with other data. By default it is a 4-pass process: two sets of random data, one set of zeros, then a final verification.
To securely erase a file you simply use the command
scrub -r filename
Scrub will display the output as it goes and finally confirm deletion:
scrub: using NNSA NAP-14.1-C patterns
scrub: padding filename with 4088 bytes to fill last fs block
scrub: scrubbing filename 4096 bytes
scrub: random |................................................|
scrub: random |................................................|
scrub: 0x00 |................................................|
scrub: verify |................................................|
scrub: unlinking filename
It also has a handy feature to allow you to ensure previously deleted files cannot be restored. It can fill all remaining disk space with random data, and then automatically remove it – leaving all the free space nicely sanitised. Make sure you’re on the drive you wish to fill/scrub and use the command:
scrub -X empty
Where ‘empty’ is the name of the directory that scrub will create to then fill with files. Obviously, depending on the size and speed of your disks this may take a lot of time to complete.
Shred
Shred is built in to CentOS 7 and works in a similar way to scrub for single files.
shred -fuv deleteme
(where -f forces a permissions change if required, -u deletes the file after shredding and -v gives verbose output)
shred: deleteme: pass 1/3 (random)...
shred: deleteme: pass 2/3 (random)...
shred: deleteme: pass 3/3 (random)...
shred: deleteme: removing
shred: deleteme: renamed to 00000000
shred: 00000000: renamed to 0000000
shred: 0000000: renamed to 000000
shred: 000000: renamed to 00000
shred: 00000: renamed to 0000
shred: 0000: renamed to 000
shred: 000: renamed to 00
shred: 00: renamed to 0
shred: deleteme: removed
As you can see, shred overwrites the file with random data 3 times, then zeros out the name and finally removes it.
It can also be used to securely delete all the files within a directory.
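find /directory -type f -print0 | xargs -0 shred -fuv
will shred and remove all the files in /directory. The -print0 and -0 options pass filenames null-delimited, so names containing spaces or newlines reach shred intact. The directories themselves are left in place, as shred only works on files.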
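The directory case above, worked through as a reusable shell function. This is an added example, not part of the original post; the function name wipe_tree is hypothetical, and it assumes GNU find, xargs and shred as shipped with CentOS 7.

```bash
# Added example: shred every regular file under a directory, then remove
# the emptied tree and report anything that survived.
# wipe_tree is a hypothetical name, not a standard tool.
wipe_tree() {
    local dir=$1 leftover
    # Refuse empty arguments, non-directories and symlinks to directories.
    if [ -z "$dir" ] || [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "wipe_tree: '$dir' is not a real directory" >&2
        return 2
    fi
    # -xdev     stay on one filesystem (do not wander into other mounts)
    # -type f   regular files only, so symlink targets are never touched
    # -print0   null-delimited names survive spaces and newlines
    # -r        do not run shred at all if no files were found
    find "$dir" -xdev -type f -print0 | xargs -0 -r shred -fu -- || return 1
    # shred only handles files: unlink leftover symlinks and other
    # non-directory entries, then remove directories deepest first.
    find "$dir" -xdev -depth ! -type d -exec rm -f -- {} +
    find "$dir" -xdev -depth -type d -exec rmdir -- {} + 2>/dev/null
    # Verify: if the directory still exists, something was not removed.
    if [ -e "$dir" ]; then
        leftover=$(find "$dir" | wc -l)
        echo "wipe_tree: $leftover entries remain under $dir" >&2
        return 1
    fi
    return 0
}
```

Call it as wipe_tree /directory; a non-zero return means something under the directory survived and needs checking by hand.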
SRM
As a secure alternative to ‘rm’, srm is included as part of the EPEL repository.
With EPEL enabled you can install it with a simple:
yum -y install srm
Usage is then the same as for rm – however, instead of just unlinking your files, they will first be overwritten. By default the overwrite is just a single pass of zeros. If you need more security you can change the method by adding flags such as:
-P (3-pass OpenBSD style)
-D (DoD recommended 7 pass)
-G (35 pass Gutmann method)
So, if you wish to delete a directory with a 3 pass overwrite, you could simply use:
srm -rfP /directory
Finally
All of these tools come with caveats relating to limits on their security and possible incompatibilities with certain types of disk or RAID setups, so if you are unsure please do research these further. If your data is especially valuable you should never underestimate the efforts to which someone could go to recover it.