Securely remove files using scrub tool

scrub is one of the most popular tools that specialized in securely remove files on UNIX, MacOS X and Linux distros. Let’s see how to install and use it to prevent or at least decrease the possibilities of recovering them.

As usual, become a root or use sudo whenever is needed with the following commands.


Installation:

scrub too isn’t installed on most Linux distributions by default. But let’s check whether or not it’s being installed. To do so please, see : How to check whether or not a package is installed.

If it wasn’t installed, simply install it:

Debian and its based distrosFedoraredhat / CentOS / Scientific LinuxSUSE / openSUSEMageiaArchLinux and its based distrosGentooVoid LinuxAlpine LinuxFreeBSDMacOS X

Such as: Debian / Ubuntu / Linux Mint / Devuan / elementary OS / MX Linux / antiX / deepin / Linux Lite / Zorin OS / LXLE / Peppermint OS / SparkyLinux:

$ apt install scrub

If apt wasn’t installed by default, then use apt-get or aptitude instead.

On Fedora:

$ dnf install scrub

On RedHat 7 / CentOS 7 / Scientific Linux 7:

$ yum install scrub

On RedHat 8+ / CentOS 8+ / Scientific Linux 8+:

$ dnf install scrub

On SUSE / openSUSE:

$ zypper in scrub

On Mageia:

$ urpmi scrub

On ArchLinux and its its derivatives: (like: ManjaroKaOS / ArchBang Linux / BlackArch Linux / Parabola GNU/Linux-libre / Chakra GNU/Linux):

$ pacman -S scrub

On Gentoo:

$ emerge app-misc/scrub

On Void Linux: Unfortunately, scrub is not available in Void Linux repositories.

On Alpine: Unfortunately, scrub is not available in Alpine Linux repositories.

On FreeBSD:

To install the pre-compiled package:

$ pkg install diskscrub

If you prefer to compile it yourself:

Using portmaster:

$ portmaster -v sysutils/diskscrub

Or, the traditional way:

$ cd /usr/ports/sysutils/diskscrub
$ make install clean
$ rehash

On MacOS X:

If you’re using MacPorts:

$ port install scrub

If you’re using Brew:

$ brew install scrub

Usage:

Then, use the scrub command to securely remove the file’s contents:

$ scrub -f FILE-NAME

To use patterns complaint with DoD 5220.22-M:

$ scrub -fp dod FILE-NAME

While:

  • -f : Force. Scrub even if target contains signature indicating it has already been scrubbed.
  • -p : Select the patterns to write.  The default, nnsa, is reasonable for sanitizing modern PRML/EPRML encoded disk devices.

The Available scrub methods:

  • nnsa : 4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudorandom pattern twice and then with a known pattern: random(x2), 0x00, verify. [default]
  • dod : 4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing removable and non-removable rigid disks which requires overwriting all addressable locations with a character, its complement, a random character, then verify. NOTE: scrub performs the random pass first to make verification easier: random, 0x00, 0xff, verify.
  • bsi : 9-pass method recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
  • gutmann : The canonical 35-pass sequence described in Gutmann’s paper cited below.
  • schneier : 7-pass method described by Bruce Schneier in “Applied Cryptography” (1996): 0x00, 0xff, random(x5).
  • pfitzner7 : Roy Pfitzner’s 7-random-pass method: random(x7).
  • pfitzner33 : Roy Pfitzner’s 33-random-pass method: random(x33).
  • usarmy : US Army AR380-19 method: 0x00, 0xff, random.  (Note: identical to DoD 522.22-M section 8-306 procedure (e) for sanitizing magnetic core memory).
  • fillzero : 1-pass pattern: 0x00.
  • fillff : 1-pass pattern: 0xff.
  • random : 1-pass pattern: random(x1).
  • random2 : 2-pass pattern: random(x2).
  • old : 6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00, 0x55, verify.
  • fastold : 5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.
  • custom=string : 1-pass custom pattern.  String may contain C-style numerical escapes: \nnn (octal) or \xnn (hex).

Unfortunately, scrub doesn’t have a recursive flag, but you can achieve that if you combine it with find command like the following if you want to securely remove all files contents in the current directory no matter how deep it is.

$ find . -type f -exec scrub -f {} +

To securely remove all files contents of a disk-partition:

$ scrub /dev/sda3

For more information, check the manual:

$ man scrub

Or read it online: scrub(1)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.