scrub
is one of the most popular tools that specialized in securely remove files on UNIX, MacOS X and Linux distros. Let’s see how to install and use it to prevent or at least decrease the possibilities of recovering them.
As usual, become a root or use sudo
whenever is needed with the following commands.
Installation:
scrub
too isn’t installed on most Linux distributions by default. But let’s check whether or not it’s being installed. To do so please, see : How to check whether or not a package is installed.
If it wasn’t installed, simply install it:
Such as: Debian / Ubuntu / Linux Mint / Devuan / elementary OS / MX Linux / antiX / deepin / Linux Lite / Zorin OS / LXLE / Peppermint OS / SparkyLinux:
$ apt install scrub
If apt
wasn’t installed by default, then use apt-get
or aptitude
instead.
On Fedora:
$ dnf install scrub
On RedHat 7 / CentOS 7 / Scientific Linux 7:
$ yum install scrub
On RedHat 8+ / CentOS 8+ / Scientific Linux 8+:
$ dnf install scrub
On Mageia:
$ urpmi scrub
On ArchLinux and its its derivatives: (like: Manjaro / KaOS / ArchBang Linux / BlackArch Linux / Parabola GNU/Linux-libre / Chakra GNU/Linux):
$ pacman -S scrub
On Gentoo:
$ emerge app-misc/scrub
On Void Linux: Unfortunately, scrub
is not available in Void Linux repositories.
On Alpine: Unfortunately, scrub
is not available in Alpine Linux repositories.
On FreeBSD:
To install the pre-compiled package:
$ pkg install diskscrub
If you prefer to compile it yourself:
Using portmaster
:
$ portmaster -v sysutils/diskscrub
Or, the traditional way:
$ cd /usr/ports/sysutils/diskscrub $ make install clean $ rehash
Usage:
Then, use the scrub
command to securely remove the file’s contents:
$ scrub -f FILE-NAME
To use patterns complaint with DoD 5220.22-M:
$ scrub -fp dod FILE-NAME
While:
-f
: Force. Scrub even if target contains signature indicating it has already been scrubbed.-p
: Select the patterns to write. The default, nnsa, is reasonable for sanitizing modern PRML/EPRML encoded disk devices.
The Available scrub
methods:
- nnsa : 4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudorandom pattern twice and then with a known pattern: random(x2), 0x00, verify. [default]
- dod : 4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing removable and non-removable rigid disks which requires overwriting all addressable locations with a character, its complement, a random character, then verify. NOTE: scrub performs the random pass first to make verification easier: random, 0x00, 0xff, verify.
- bsi : 9-pass method recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
- gutmann : The canonical 35-pass sequence described in Gutmann’s paper cited below.
- schneier : 7-pass method described by Bruce Schneier in “Applied Cryptography” (1996): 0x00, 0xff, random(x5).
- pfitzner7 : Roy Pfitzner’s 7-random-pass method: random(x7).
- pfitzner33 : Roy Pfitzner’s 33-random-pass method: random(x33).
- usarmy : US Army AR380-19 method: 0x00, 0xff, random. (Note: identical to DoD 522.22-M section 8-306 procedure (e) for sanitizing magnetic core memory).
- fillzero : 1-pass pattern: 0x00.
- fillff : 1-pass pattern: 0xff.
- random : 1-pass pattern: random(x1).
- random2 : 2-pass pattern: random(x2).
- old : 6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00, 0x55, verify.
- fastold : 5-pass pattern: 0x00, 0xff, 0xaa, 0x55, verify.
- custom=string : 1-pass custom pattern. String may contain C-style numerical escapes: \nnn (octal) or \xnn (hex).
Unfortunately, scrub
doesn’t have a recursive flag, but you can achieve that if you combine it with find
command like the following if you want to securely remove all files contents in the current directory no matter how deep it is.
$ find . -type f -exec scrub -f {} +
To securely remove all files contents of a disk-partition:
$ scrub /dev/sda3
For more information, check the manual:
$ man scrub
Or read it online: scrub(1)