I deleted a file I meant to shred first.
$ rm somefile
instead of
$ shred somefile
$ rm somefile
Is there a way to shred a file after 'rm'-ing it?
Asked
Active
Viewed 4,846 times
7
1 Answers
9
There is no way to properly securely erase a file with modern filesystems anymore, because the journal can still contain data and there is no reliable way to overwrite the journal.
You can try to disable journalling on the filesystem before deletion, but it won't do anything about data that may already be in the journal from writing the file and not erased. It's not entirely secure.
An ounce of prevention is a pound of cure; it's better to sidestep the issue of needing to shred the file entirely by encrypting your files using an encrypted volume to begin with. This sidesteps the need to actually shred your data, so long as you keep your key safe. In a pinch, you could just use dd to erase the entire volume securely by using a few passes of random data. If you don't want to use full-volume encryption, there is also file-level encryption in ext4 now.
Elizafox
- 806
- 7
- 15
-
4«using a few passes of random data» A single pass with zeros is equally effective (1) (2). – Andrea Lazzarotto Jul 28 '16 at 11:57
-
1The first reference is to an article written by an economist and the second is to an article that uses broken links to back up it's claims. I'm not sure how the 'single pass with zeros is sufficient' conclusion is justified by these reference. – Drist Jul 29 '16 at 16:27
-
If you open the file in overwrite mode before deleting it and fill it with random data to the size it was originally, does that replace the journal info? – jc__ Jul 29 '16 at 17:42
-
1@Drist nice argumentum ad hominem, but you should analyze the facts provided there, combining them with what you studied during your degree in Computer Science (I assume you have one since you are so confident in combinatorics and information theory), not who wrote the piece. Moreover, the second link does not provide broken links at all. It is a snapshot taken through the WayBack Machine but you can clearly see the original link to this paper. – Andrea Lazzarotto Jan 07 '17 at 00:45
-
@Andrea Lazzarotto - I didn't mean to be inflammatory, it might be that I'm picky about my facts. I apologize for inciting you. I think there's a distinction to be made here though. Suppose a single pass overwrite is sufficient to hide the previous state of the physical domains containing the data. IF an analyst can get at older copies of the file that were written to different physical domains, it might not matter at all if you overwrote the most recent iteration of the file. – Drist Jan 09 '17 at 19:34
-
@Drist I'm afraid I don't understand what you are referring to with “physical domains”. – Andrea Lazzarotto Jan 09 '17 at 19:47
-
I say physical domain to mean the real-life location that stores the information via orientation of magnetic domains, also read as, the bit as it can be measured with magnetic force microscopy. From my reading today, modern filesystems may wind up writing new instances of files to entirely different hardware bits (physical domains) than previous instances of the same file. In such a case, if you zero'd the current file, a previous version (instance) of the file may still be completely accessible. – Drist Jan 09 '17 at 20:16
-
@Drist “In such a case, if you zero'd the current file” Yes, this is also specified in the man page for
shred, but we were talking about overwritten data. One doesn't overwrite a single file, one overwrites the whole drive. – Andrea Lazzarotto Jan 17 '17 at 15:52 -
shredis pretty ineffective these days. Most filesystems have journals, and shread will not clean that. If you are using a journaled filesystem there is pretty much no security advantage in shred. – grochmal Jul 26 '16 at 21:49zerofill? The journal might still be a problem, though. – Andrea Lazzarotto Jul 28 '16 at 11:59