About drive wiping: You're probably better off using the ATA Secure Erase command, which is very quick and does the entire disk. dd and other tools risk skipping blocks that have been remapped as bad, for example.
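On Linux this is usually driven through hdparm. A rough sketch, assuming /dev/sdX as a placeholder and a drive that doesn't report itself as "frozen" (a suspend/resume cycle often clears that):

    # Check the Security section of the identify output first ("not frozen", "not locked")
    sudo hdparm -I /dev/sdX | grep -A10 '^Security:'
    # Set a temporary user password, then issue the erase; the password is cleared when the erase completes
    sudo hdparm --user-master u --security-set-pass temppass /dev/sdX
    sudo hdparm --user-master u --security-erase temppass /dev/sdX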
He's right that a single overwrite of zero is probably good enough to make sure that data is gone, but it's probably not enough to persuade other people that it's gone. A few passes of pseudo random data is probably better if you need to persuade other people that the data has gone.
But if it's really important, drive wiping is what you do to protect the drives until you get a chance to grind them.
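A minimal sketch of those passes with GNU dd, where /dev/sdX is a placeholder for the target drive:

    # One or more passes of pseudorandom data, for the sceptics
    sudo dd if=/dev/urandom of=/dev/sdX bs=1M status=progress
    # Final pass of zeros
    sudo dd if=/dev/zero of=/dev/sdX bs=1M status=progress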
There is also a cryptographic erase option on secure erase if the drive supports it. It is nearly instantaneous and you can follow up with other slower methods if desired.
Also, for SSDs, using the secure erase method is important because of overprovisioning and garbage collection. If that is not available, then with most SSD firmware, doing two full-pass writes (with random data, in case the drive compresses) will get you as close to wiping out all contents as possible.
The OPAL standard has that cryptographic erase function. I've used it before, but did not deeply verify if any data was recoverable. At least the partition table was gone. In theory, the command destroys the old key and creates a new one that the drive uses to read and write data. A different key means everything is noise. You do need access to the printed label on the drive itself to do it (for the PSID).
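If you have a drive like that and sedutil installed, the PSID revert looks roughly like this (a sketch; /dev/sdX is a placeholder and the PSID is the long code printed on the label):

    # WARNING: reverts the drive to factory state and cryptographically erases everything on it
    sudo sedutil-cli --PSIDrevert <PSID_FROM_LABEL> /dev/sdX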
>but it's probably not enough to persuade other people that it's gone.
I believe there is a long standing bounty for anyone who can retrieve useful data from a drive that had been zero'd once. No one has been able to thus far.
A lot of the disk wiping "culture" stems from a much earlier time when disk technology was less reliable, especially with regard to writes. Peter Gutmann himself says that the Gutmann method is long antiquated and only worked with MFM/RLL encoded disks from the 80s and early 90s.
Perhaps instead of humoring these people, we should be educating them. A zero'd out disk is a wiped disk until someone proves otherwise.
This reminds me of assertions we used to take for granted about DRAM. We used to assume that the contents are lost when you cut the power, but then someone turned a can of cold air on a DIMM. We usually assume that bits are completely independent of each other, but then someone discovered the row hammer. The latter is especially interesting because it only works on newer DIMM technology. Technology details change, and it's hard to predict what the ramifications will be. A little extra caution isn't necessarily a bad thing.
I agree, but redoing a wipe isn't extra caution, it's just literally repeating the same thing. If that thing is wrong, you're not helping the situation, just wasting time/resources.
Extra caution would be shredding the drive or some other non-wipe method. At work for example, we zero out drives and then those drives get physically destroyed by a vendor.
Gutmann's paper talks about a time when you didn't know what drive controller was used, and so he created a set of patterns covering each encoding scheme. That comes to (about) 35 different patterns.
This gets misunderstood as "you need to do 35 passes of these patterns". You don't: Gutmann recommends a couple of overwrites of random data, and a single overwrite of zeros is probably enough.
This may be my paranoia talking, but is there a way short of an examination with a scanning electron microscope to ensure that the erase command is actually doing what it's supposed to do?
Not so much that the drive manufacturers are engaging in malfeasance (though that's certainly not off the table), but that it's not unheard of for certain agencies in certain governments to crock low level system components (intercepting them in shipping and so forth) so they work against the user.
You could just read the disk again and check for nonzero blocks. If you don't trust the disk to read or write to itself either, then you might as well just toss it.
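For instance, comparing the device against /dev/zero is a cheap way to do that read-back check (/dev/sdX is a placeholder):

    # "cmp: EOF on /dev/sdX" means every byte read back as zero;
    # "differ: byte N" means something nonzero is still there.
    sudo cmp /dev/sdX /dev/zero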
It wouldn't be that technically complex to have modified firmware that looks for the secure erase command (not something that's ever invoked except purposefully by the user), and returns random data for read sectors without ever actually overwriting the underlying data.
But yeah, you're right. If you ever have reason to invoke the secure erase command, you're probably in a position where the next step is throwing the drive in a shredder.
> Unfortunately, there is no command-line option to have `dd` print progress
How difficult could it be to write a dd command from scratch that does include progress-reporting? I mean, dd is simply reading blocks of data from one file descriptor and writing them to another.
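You could, but you mostly don't need to: GNU coreutils dd gained a built-in status=progress flag in version 8.24, and on anything older, pv can sit in the pipeline and report throughput/ETA. A sketch, with /dev/sdX as a placeholder:

    # Newer GNU dd: built-in progress reporting
    sudo dd if=ubuntu-14.04-desktop-amd64.dmg of=/dev/sdX bs=1M status=progress
    # Older systems: put pv in front of dd
    pv ubuntu-14.04-desktop-amd64.dmg | sudo dd of=/dev/sdX bs=1M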
> The other way to see progress on `dd` is to issue a signal 3 (USR1, iirc) to the dd process. kill -3 <dd pid>
Be careful with this on some distributions and compilations of DD. Purely anecdotal evidence, but in college I had a friend imaging a very large (5400RPM) drive and about 10 hours into the process he lamented that he wished he could see how far along it was.
I popped open a terminal, ran `ps -A | grep dd` and `kill -USR1 $PID`, and it just exited.
I tend to run `watch kill -USR1 $(pidof dd)` in a second terminal. Watch executes your command repeatedly (by default every two seconds), so you then get regular dd status updates.
'>>' will cause O_APPEND to be specified in the flags when opening "/dev/sda". I'm pretty sure this flag is ignored on block devices, as it's obviously useless there.
The redirection will happen in your shell, but the command will be called inside the shell invoked by sudo. So that won't work either unless you have write privs to the block device, but if that were the case, you probably didn't need sudo to read the dmg file. So this will likely fail for a reason other than the one you pointed out.
A better way to write files as root is to pipe the output into `tee`. eg:
blah blah blah | sudo tee -a file
This will do the appending as per your example. If you want to write to the file like people are doing with the Ubuntu image then just drop the append (-a) flag:
cat ubuntu-14.04-desktop-amd64.dmg | sudo tee /dev/sda1
Though obviously the `dd` utility is still a better way of writing disk images than any of the above.
I know you meant to use the pipe instead of redirection, but it might be worth updating your comment for the benefit of others who are less command line literate :)
mysqldump -u mysql db | ssh user@rsync.net "cat > db_dump"
Namely, the syntax is one character shorter. (But only because I used whitespace around >).
With dd, you can control the transfer units (the size of the read and write system calls which are performed), whereas cat chooses its own buffering. However, this doesn't matter on regular files and block devices. The transfer sizes only matter on raw devices where the block size must be observed, e.g. traditional tape devices on Unix, where a short read or an oversized write gets you truncation.
> is there a disadvantage to using a higher blocksize?
Maybe, depending on the details. Imagine reading 4 GB from one disk then writing it all to another, all at 1 MB/sec. If your block size is 4 GB, it'll take 4000 seconds to read, then another 4000 seconds to write... and will also use 4 GB of memory.
If your block size is 1 MB instead, then the system has the opportunity to run things in parallel, so it'll take 4001 seconds, because every read beyond the first happens at the same time as a write.
And if your block size is 1 byte, then in theory the transfer would take almost exactly 4000 seconds... except that now the system is running in circles ferrying a single byte at a time, so your throughput drops to something much less than 1 MB/sec.
In practice, a 1 MB block size works fine on modern systems, and there's not much to be gained by fine-tuning.
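If you want to convince yourself on your own hardware, a rough loop like this (GNU dd extensions; the scratch file path and the 256 MiB total are just examples) writes the same amount of data at several block sizes and prints dd's own throughput line:

    for bs in 4K 64K 1M 16M; do
        echo "bs=$bs"
        # count_bytes keeps the total at 256 MiB regardless of bs; fdatasync includes flush time
        dd if=/dev/zero of=/tmp/ddtest bs=$bs count=268435456 iflag=count_bytes conv=fdatasync 2>&1 | tail -n 1
    done
    rm -f /tmp/ddtest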
It is worth noting that the shred program mentioned is more or less useless on modern filesystems for a variety of reasons; the man page has a list of filesystems it will fail to work correctly on (btrfs, ext3, NFS).
It may well be that the only usable filesystem for it is FAT32 (and possibly NTFS, not sure about that though).
The "Unable to install GRUB" recommended fix to remove the GPT is wrong. The proper thing to do is create a 1MiB partition, BIOSBoot partition type (gdisk internal code 0xEF02), and then grub-install will find it and install core.img there automatically.
Also, some (flash) drives compress data on the fly. Writing zeroes to such a drive might not actually write anything at all to the flash cells except for some run-length descriptors (numbers).
Since the worry seems to be speed, here's a tool I wrote to get random bytes about as fast as drives can accept (well, at least spinning disk drives, there might be some flash drives that are faster):
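Not that tool, but a common stock-tools approach to the same problem is to expand an AES-CTR keystream over /dev/zero with openssl, which on CPUs with AES-NI tends to be much faster than pulling from /dev/urandom. A sketch, with /dev/sdX and bs as placeholders:

    # Key the cipher with 32 random bytes; the output is the keystream, i.e. fast pseudorandom data
    openssl enc -aes-256-ctr -nosalt -pass pass:"$(head -c 32 /dev/urandom | base64)" < /dev/zero \
        | sudo dd of=/dev/sdX bs=1M status=progress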
The people who propose using multiple overwrites are clear that they're talking about making it harder to recover bits. (They're wrong, but it's what they say.)
In the case of a partial erasure (e.g. someone disconnected the power during the write to stop it from completing), I guess it would make it harder to prove someone had tried to erase (and therefore possibly hide/destroy) information.