1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
.TH WIPE 1
.SH NAME
wipe \- secure file deletion utility
.SH SYNOPSIS
.B wipe
[\-ucwsiIhfFdDnNvVzZrRtTkKaAeE] [\-B(count)] [\-S(size)] [\-C(size)]
[\-o[size] \-O] [\-l[0\-2]] [\-x[1\-32] \-X] [\-p(1\-32)] [\-b(0\-255)] [files]
.SH DEFAULT
.B wipe
\-ZdNTVEAkO \-S512 \-C4096 \-l1 \-x1 \-p1
.SH DESCRIPTION
Wipe is a secure file wiping utility. There are some low level issues
that must be taken into consideration. One of these is that there must
be some sort of write barrier between passes. Wipe uses fdatasync(2)
(or fsync(2)) as a write barrier, or if fsync(2) isn't available, the
file is opened with the O_DSYNC or O_SYNC flag. For wipe to be
effective, each pass must be completely written. To ensure this, the
drive must support some form of a write barrier, write cache flush, or
write cache disabling. SCSI supports ordered command tags, has a force
media access bit for commands, and write cache can be disable on mode
page 8. IDE/ATA drives support write cache flushes and write cache
disabling. Unfortunetly, not all drives actually disable write cache
when asked to. Those drives are broken. Write caching should always be
disabled, unless your system is battery backed and always powers down
cleanly.
.PP
Under linux, the mount option "mand" must be used (see
linux/Documentation/mandatory.txt) for mandatory file locks to be
enabled. Wipe should make it extremely difficult for all but the most
determined person(s) to recover the original plaintext data. Utilities
such as PGP and the GNU Privacy Guard provide strong encryption, but
encryption is useless if the original plaintext can be recovered. When
using PGP and GPG, temporary files that are disk-backed should be
stored on an encrypted file system. That way, the plaintext never hits
the platters. Wipe is designed for situations where an encrypted file
system isn't practical.
.PP
Wipe uses /dev/urandom, or if unavailable, /dev/random, as a source
for entropy. The Mersenne Twister PRNG is used for speed. The MT site
is at:
.PP
\fIhttp://www.math.keio.ac.jp/~matumoto/emt.html\fP
.PP
For more information on the secure deletion of magnetic media and
solid state storage devices (such as DRAM) see the USENIX article by
Peter Gutmann at:
.PP
\fIhttp://www.cs.auckland.ac.nz/~pgut001/secure_del.html\fP
.SH OPTIONS
.TP
.B \-h
Display help screen. Shows options and what they do.
.TP
.B \-u
usage \- shows options
.TP
.B \-c
shows copywrite information
.TP
.B \-w
shows warranty
.TP
.B \-i
interactive \- prompt whether to remove each file
explicitly checks file permissions
.TP
.B \-I
disables interaction
.TP
.B \-f
forces file wiping and suppresses permission warnings
.TP
.B \-r or \-R
recursion \- traverse subdirectories
.TP
.B \-s
silent \- disable percent reporting and some warnings
.TP
.B \-V
verbose \- shows percentage if file size is above a certain limit (see
wipe -h)
.TP
.B \-v
force verbose \- always show percentage
.TP
.B \-e and \-E
on (-e) makes the percentage (only if shown) more accurate by calling
fdatasync() before each update
off (-E) will be slightly less accurate, but wipe will only call
fdatasync() between passes
.TP
.B \-d and \-D
delete (\-d) or keep (\-D) after wiping
.TP
.B \-n and \-N
delete (\-n) or skip (\-N) fifos, sockets, sym links, and char devices
.TP
.B \-k and \-K
lock (\-k) or don't lock (\-K) files during wiping
.TP
.B \-z
zero-out file \- performs a single pass of zeros
.TP
.B \-Z
perform normal passes \- overrides \-z
.TP
.B \-t and \-T
enable (\-t) or disable (\-T) static passes
.TP
.B \-a and \-A
write until out of space (\-a) or don't (\-A)
.TP
.B \-o and \-O
write [size] to stdout (\-o) or use files (\-O)
Since wipe does not have specific support for char devs, like it does
for block devs, this is the preferred method of wiping them, such as
tape drives; eg, wipe \-za -o | buffer > /dev/nst0
It can also be used for block devs; eg wipe \-To | dd count=size of=blkdev
You can also use this to create files containing pseudo-random output
from the MT PRNG; eg, wipe \-To10240 -x1 > prand
For static passes, you must specify a stdout length.
.TP
.B \-B
override block device sector count
.TP
.B \-S
override block device sector size
.TP
.B \-C
chunk size - the maximum file buffer size
.TP
.B \-l
sets generic security level
level 0, the PRNG is only seeded once
level 1, the PRNG is seeded once per file
level 2, the PRNG is seeded once per random pass
.TP
.B \-x
enables random passes and optionally, how many random passes to
perform \- note that this option now sets the number of random passes
per wipe loop \- in other words, the total number of random passes
will be random passes * wipe loops (\-p)
.TP
.B \-X
disable random passes
.TP
.B \-p
loop passes \- perform wipe sequence x times, including random passes
.TP
.B \-b
custom byte \- overwrite once with a specific byte
.SH FILES
.TP
.B /dev/urandom
Wipe uses this character device for a source of entropy
.TP
.B /dev/random
Wipe falls back to using this if /dev/urandom is not available
.SH DIAGNOSTICS
If an error occurs, the exit code will be the errno value. An exit
code of 2 indicates bad usage.
.SH BUGS
Wipe does not work on log structured file systems, or any other type
of file system or block device that reallocates sectors on write.
Some programs are vulnerable to symlink races. To avoid this problem
with wipe, only wipe files in directories that are not writable by
untrusted users.
.SH NOTES
.B Tapes and other sequential access devices
Choose an appropriate buffer size to match the logic or physical block
size of the device. When using the pattern passes, you should disable
compression on the drive, and it's generally best to so for other
passes as well.
For VXA drives, I used mt-st under linux to set the block size to 0
(variable) and turn off compression, and I run wipe with a 64k block
size, to match the on-tape format''s native block size.
.B Example:
mt-st setblk 0
mt-st compression 0
wipe -C64 /dev/st0
.SH ALTERNATIVES
.P
.B Other file wiping utilities:
Another "wipe" by Berke Durak <\fIdurakb@crit2.univ-montp2.fr\fP>
Colin Plumb's <\fIcolin@nyx.net\fP> sterilize.
Todd Burgess's <\fItburgess@eddie.cis.uoguelph.ca\fP> srm is available on sunsite/metalab in
\fIftp://metalab.unc.edu/pub/Linux/system/filesystems/\fP
.SH SEE ALSO
/usr/doc/wipe/README
.SH AUTHORS
.P
Wipe
.br
Copyright (C) 1998-2009 Thomas M. Vier, Jr. <\fInester@users.sf.net\fP>
Mersenne Twister PRNG module
.br
Copyright (C) 1997 Makoto Matsumoto and Takuji Nishimura
|
