Does filling up a disk with dd remove files securely?

Solution 1:

This will go against most conventional wisdom on the Internet, but here we go...

If this is a modern rotating disk, a simple pass of dd with /dev/zero is enough to foil almost any attempt at data recovery, even from a professional data recovery house. It might be possible to extract some data with extremely expensive specialized equipment (e.g. a government lab), but that is out of reach of pretty much anyone that isn't willing to spend $millions on you. (Note this will not comply with any official-sounding government standards for data disposal, but it works.)

The problem with most of the wisdom you read on the Internet about this topic is that it is more urban legend than actual fact. If you look for an actual source on this topic, most people refer back to a paper that was published in 1996, and was referring to MFM/RLL drives (pre-IDE). Additionally, most of the government standards for data destruction that people refer to are decades old.

The logic behind multiple passes to erase data boils down to the idea that residual information can linger in the space between sectors on a platter. On older drives, the density of sectors was relatively low, and there was lots of empty space on the platters where this residual data could linger. Since 1996, hard drive capacities have increased by orders of magnitude, while platter size has remained the same. There simply is not that much empty space in a platter for data to linger anymore. If there was usable extra space in the platters, drive manufacturers would be using it and selling you a higher-capacity disk.

The wisdom of these secure erase standards has been picked apart, and papers have been published that say a single pass is enough.

A few years ago, someone issued the Great Zero Challenge, where someone overwrote a drive with dd and /dev/zero, and issued an open challenge for someone to extract the data. There were no takers as I recall. (Disclaimer: The original web site for this challenge is gone now.)

But what about Solid State Drives? Because of flash wear leveling, bad sector remapping, garbage collection, and additional "hidden capacity", traditional overwrite methods may not actually overwrite the data (although it will appear overwritten to the host PC). A single pass of dd with /dev/zero will stop a casual user from reading back any data from the SSD. However, a dedicated attacker with a logic analyzer can crack open the drive and extract data from the flash chips inside.

This problem was identified a while ago. So, a command called Secure Erase was added to the ATA standard. The firmware in the drive will securely erase all of the flash cells. Most modern SSDs will support this command. I believe it also works with rotating drives. Note that this command can sometimes be tricky for an end user to access. You typically need a special utility to use it, and some BIOSes implement a "security freeze" that can get in the way. Check with the SSD manufacturer for a utility. If they do not have one, there are 3rd party ones that may work.

Note that some people have raised concerns about the reliability of the secure erase functionality built into the drive firmware. There was a paper published in 2011 that showed some drives will leave data behind after a secure erase. Note that SSD firmware has advanced quite a bit since then. If secure erase is an important function to you, I would recommend purchasing drives from a top-tier manufacturer, preferably something in their server/datacenter line (where buggy firmware is less likely to be tolerated).

If the above makes you nervous about data remaining on the drive, your next best option is to fill the drives with random data multiple times, as this will hopefully take care of overwriting the excess hidden capacity in the SSD, but you cannot be absolutely sure without knowledge of the internal workings of the firmware. This will also shorten the lifespan of the SSD.

What you should take away from this:

  1. Overwriting a drive with dd and /dev/zero or the single pass option in DBAN is enough to stop most people from getting your data (SSD or Rotating).
  2. If you have a rotating drive, you can use a multi-pass erasure method. It won't hurt anything, but it will take longer.
  3. If you have a recent-vintage SSD from a reputable manufacturer, you should use the ATA Secure Erase Command, preferably using a manufacturer-supplied utility.
  4. If ATA Secure Erase is not supported by your drive (or known to be buggy), multi-pass erasure is your next best option.
  5. If you are required to erase the drive to a certain standard (e.g. you have a contract that says the data shall be erased per DoD 5220.22-M), just do it and don't argue with whether or not it is necessary.
  6. Nothing beats physical destruction. If the data on the drive is so sensitive that its value exceeds the cash value of the drive itself, you should physically destroy it (use a hammer, vise, drill press, or get creative). If you are really paranoid, make sure the remains of the drive are scattered over a wide area (e.g. multiple public trash cans in multiple parts of the city).

Solution 2:

Define "securely". How badly do you want this data to be gone, and how painful would it be to lose the storage space? If the data absolutely positively must never be seen ever again by anybody, the proper tool isn't dd or shred: it's a sledgehammer.

If you don't quite need to go that far, then you can use software, but the question still remains: who do you think might want the data, and how important is it that they not get it? A pass of zeroes will stop a script kiddie, but if anyone is actually being paid to recover your data, they won't have much trouble getting it. A pass of zeroes, a pass of ones, and a pass of /dev/random will make a determined attacker's life pretty miserable, but if they've got the resources and want your data badly enough, there are still ways to get it, and running that many passes takes long enough that you might as well use shred anyway.

The bottom line is that if you really want to be secure, there's no reason to use dd for erasing things. It won't stop any kind of sophisticated attack. If shred takes longer than a sledgehammer would, then use the sledgehammer instead. If you can't afford to lose the disk space, then take the time to use shred. Using dd for this purpose just isn't secure enough.
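Both answers above talk about overwriting with dd (a single pass of zeros in Solution 1, zeros plus ones plus random in Solution 2) without showing the step a practitioner actually wants afterwards: confirming that the overwrite reached every byte and that the original content can no longer be found. The script below is an added example, not code from either answer; it runs the same dd commands against a file-backed image instead of a real block device so the whole sequence can be tried safely. The image path, the 64 KiB size and the `CONSTRUCTED-SECRET-DATA` marker are constructed for the demonstration, and `wipe-demo.img` stands in for the `/dev/sdX` you would name on a real drive.

```shell
#!/bin/sh
# Added example (not from the original answers): exercise dd overwrites on a
# file-backed image and verify the result with POSIX tools only.
# IMG, SECRET and BLOCKS are constructed values for the demonstration.
set -eu

IMG="${TMPDIR:-/tmp}/wipe-demo.img"   # stand-in for /dev/sdX
SECRET="CONSTRUCTED-SECRET-DATA"      # marker we plant, then search for
BLOCKS=64                             # 64 x 1024-byte blocks = 64 KiB image

# Hex-encode stdin as one long string so binary content can be grepped.
hexdump_stream() { od -An -v -tx1 | tr -d ' \n'; }

# Build the "disk": random filler with the marker planted at offset 4096.
make_image() {
    dd if=/dev/urandom of="$IMG" bs=1024 count="$BLOCKS" 2>/dev/null
    printf '%s' "$SECRET" | dd of="$IMG" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Exit 0 if the marker can still be found anywhere on the image.
secret_present() {
    needle=$(printf '%s' "$SECRET" | hexdump_stream)
    hexdump_stream < "$IMG" | grep -q "$needle"
}

# Single pass of zeros: the method Solution 1 recommends.
# On a real device you would omit count= and let dd run until ENOSPC.
zero_pass() {
    dd if=/dev/zero of="$IMG" bs=1024 count="$BLOCKS" conv=notrunc 2>/dev/null
}

# Pass of random data: one of the extra passes Solution 2 describes.
random_pass() {
    dd if=/dev/urandom of="$IMG" bs=1024 count="$BLOCKS" conv=notrunc 2>/dev/null
}

# Exit 0 only if every byte reads back as 0x00. This is the check to run after
# a zero pass: a short write (disk error, wrong block size) shows up here.
is_all_zero() {
    ! hexdump_stream < "$IMG" | grep -q '[1-9a-f]'
}

# Run the whole sequence; returns 0 when each step behaves as expected.
demo() {
    make_image
    secret_present || return 1        # marker must be present before wiping
    zero_pass
    is_all_zero || return 1           # every byte is now zero
    secret_present && return 1        # and the marker is gone
    random_pass
    is_all_zero && return 1           # random data is not all zeros
    secret_present && return 1        # and still does not contain the marker
    rm -f "$IMG"
    return 0
}

demo && echo "overwrite verified on $IMG"
```

The verification functions read the whole image back through `od`, which is fine for a test file but slow for a terabyte drive; on a real device the same `is_all_zero` idea is usually done with `cmp` against `/dev/zero` or by sampling a few regions. Note that this read-back check only proves what the drive reports to the host, which is exactly the limitation Solution 1 raises for SSDs: it cannot see into remapped sectors or over-provisioned flash.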

Tags: Linux, Dd