Attempting to securely wipe drives, running into issue.


David

Dec 19, 2017, 4:09:50 PM
to qubes...@googlegroups.com

Nothing urgent, just stumped — if you've got free time to poke at a
command, thank you in advance!

I've trawled around the web, and the most sane/simple way of wiping is
wielding dd & overwriting a drive with zeroes/urandom/random/etc.

Another, is encrypted random data. That sounds more fun, though perhaps
useless.

I'm attempting to wield a command from the archlinux wiki and getting
access denied, even with sudo in front, and even when on dom0 (against
my better judgment). Any thoughts?

Source:

https://wiki.archlinux.org/index.php/Securely_wipe_disk/Tips_and_tricks#dd_-_advanced_example

Command below:

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt </dev/zero \
| pv -bartpes <DISK_SIZE> | dd bs=64K of=/dev/sd"X"


In this case, sd"X" is referencing a specific drive. If you run the
command, you'll want to ensure that's a drive with nothing of use on it.

p.s., I'm open to alternative suggestions. If you think a single pass
with /dev/zero is sufficient, I'm all ears or eyes, in this context.
I've never attempted to recover a drive under any circumstances, so I'm
no expert. Happy to accept the lazy way out ;)




Steve Coleman

Dec 19, 2017, 4:14:08 PM
to David, qubes...@googlegroups.com
With the redirection pipe operators you may need to put ( ) around
the command so that all commands in the pipe are running at elevated privs.

David

Dec 19, 2017, 4:18:29 PM
to qubes...@googlegroups.com
Steve,

Thank you for the insight, digging in!

Ángel

Dec 19, 2017, 6:50:46 PM
to qubes...@googlegroups.com
Steve is right in the wrong placement of sudo, but I don't think
brackets would do (that would create a subshell in your current sh).

You simply need to add sudo in front of dd, which is the only one that
needs elevated privileges, i.e.


openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt </dev/zero \
| pv -bartpes <DISK_SIZE> | sudo dd bs=64K of=/dev/sd"X"

Cheers
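
An added example, not part of the post above or of the Arch wiki: the same AES-256-CTR keystream pipeline, wrapped so that only the final dd (the stage that opens the target) takes a privilege prefix, run against a constructed scratch file and checked afterwards. The function names, the `head -c` size bound standing in for `pv`, and the scratch file are assumptions of this example.

```shell
#!/bin/sh
# Added example: exercises the pipeline on a scratch file, not a real disk.

# wipe_with_keystream TARGET BYTES [PREFIX]
# PREFIX (e.g. "sudo") is applied only to dd, the one stage that opens
# TARGET for writing; openssl and head stay unprivileged.
wipe_with_keystream() {
    target=$1 bytes=$2 prefix=${3:-}
    # Throwaway passphrase; it is never stored, so the stream cannot be
    # regenerated later. (pass: is visible in the process list while running.)
    pass=$(head -c 128 /dev/urandom | base64 | tr -d '\n')
    openssl enc -aes-256-ctr -pass pass:"$pass" -nosalt </dev/zero 2>/dev/null \
        | head -c "$bytes" \
        | $prefix dd bs=64K of="$target" conv=notrunc 2>/dev/null
}

# verify_wiped TARGET BYTES MARKER
# Succeeds if TARGET is still BYTES long and MARKER no longer occurs in it.
verify_wiped() {
    [ "$(wc -c <"$1")" -eq "$2" ] || return 1
    if LC_ALL=C grep -q "$3" "$1"; then
        return 1
    fi
    return 0
}

# Constructed test case: 1 MiB of the byte 'A' plays the role of old data.
demo_scratch_wipe() {
    scratch=$(mktemp) || return 1
    head -c 1048576 /dev/zero | tr '\0' 'A' >"$scratch"
    rc=1
    if wipe_with_keystream "$scratch" 1048576 &&
        verify_wiped "$scratch" 1048576 AAAAAAAAAAAAAAAA; then
        rc=0
    fi
    rm -f "$scratch"
    return $rc
}
```

For a real device the call would be `wipe_with_keystream /dev/sdX "$(sudo blockdev --getsize64 /dev/sdX)" sudo`, with `/dev/sdX` left as a placeholder for a drive holding nothing of use.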

Holger Levsen

Dec 20, 2017, 5:59:30 AM
to qubes...@googlegroups.com
On Wed, Dec 20, 2017 at 12:50:38AM +0100, Ángel wrote:
> openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt </dev/zero \
> | pv -bartpes <DISK_SIZE> | sudo dd bs=64K of=/dev/sd"X"

on Debian this is much easier done with

sudo apt install wipe
sudo wipe /dev/sda

I'm sure Fedora has a similar tool, probably even the same.

https://manpages.debian.org/stretch/wipe/wipe.1.en.html is also worth a
read.

oh, and if you want to securely erase data, use /dev/random, not
/dev/urandom.


--
cheers,
Holger

Tom Zander

Dec 20, 2017, 6:04:26 AM
to qubes...@googlegroups.com, David
On Tuesday, 19 December 2017 22:09:31 CET David wrote:
> I'm attempting to wield a command from the archlinux wiki and getting
> access denied, even with sudo in front, and even when on dom0 (against
> my better judgment). Any thoughts?

A complex series like this is best just to run as root in a shell.

First run something like;
# sudo su
which should give you a shell that is owned by root. Type whoami to
confirm.
Then you can copy/paste the line from the archlinux wiki to do the work.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

Tom Zander

Dec 20, 2017, 7:15:32 AM
to qubes...@googlegroups.com, Holger Levsen
On Wednesday, 20 December 2017 11:59:26 CET Holger Levsen wrote:
> oh, and if you want to securely erase data, use /dev/random, not
> /dev/urandom.

This is not good advice, your /dev/random device creates true randomness,
but it only generates a very small amount of data.
Bytes per minute.

Creating enough to write many gigabytes of data would take centuries.

awokd

Dec 20, 2017, 7:55:48 AM
to Tom Zander, qubes...@googlegroups.com, David
On Wed, December 20, 2017 11:04 am, 'Tom Zander' via qubes-users wrote:
> On Tuesday, 19 December 2017 22:09:31 CET David wrote:
>
>> I'm attempting to wield a command from the archlinux wiki and getting
>> access denied, even with sudo in front, and even when on dom0 (against my
>> better judgment). Any thoughts?
>
> A complex series like this is best just to run as root in a shell.
>
>
> First run something like;
> # sudo su
> which should give you a shell that is owned by root. Type whoami to
> confirm. Then you can copy/paste the line from the archlinux wiki to do
> the work.

This, attach the block device to an appVM and wipe from there instead of
having to mess with pass through commands.

Holger Levsen

Dec 20, 2017, 7:59:10 AM
to qubes...@googlegroups.com
On Wed, Dec 20, 2017 at 01:15:23PM +0100, 'Tom Zander' via qubes-users wrote:
> On Wednesday, 20 December 2017 11:59:26 CET Holger Levsen wrote:
> > oh, and if you want to securely erase data, use /dev/random, not
> > /dev/urandom.
>
> This is not good advice, your /dev/random device creates true randomness,
> but it only generates a very small amount of data, bytes per minute.

yet, wipe uses it by default. it's slow, but doesn't take *years*, merely
hours. (wipe's default is also to overwrite 4 times…)

and then, haveged can be used to fill the randomness pool. as in apt
install haveged.


--
cheers,
Holger