shred command usage and examples for deleting files securely in linux

Whenever you delete a file under Linux or any other operating system, the operating system does not remove the data of that file completely from the hard disk. There are several things that an operating system does whenever you ask it to delete a file. If you want to understand how a file deletion works then getting some basic understanding of inodes in Linux is very much necessary.

Many open source forensic tools are freely available on the internet which can be used to retrieve lost or deleted data from the hard disk. Many of them are so easy to use and are graphical, that normal desktop users can also simply download them and retrieve data.

So if you want to securely delete some data on the disk without being worried about the retrieval then shred utility available in Linux will be a good tool to start with.

I recommend reading my posts on inodes and file deletion to have some idea.

Shred is a program that comes preloaded in most of the distributions out there. If you look at the command, you will come to know that, it gets installed through coreutils package in redhat/centos

[root@localhost ~]# rpm -qf /usr/bin/shred

coreutils-5.97-34.el5

coreutils package is avialble in the installation DVD centos/redhat. Now lets understand the command and its working.

if you delete a file with shred command lets see what happens to the file. We will test this with the default installation kickstart file in root's home directory.

Normally the contents of the file are as below.

[root@localhost ~]# tail -f anaconda-ks.cfg
trousers
fipscheck
device-mapper-multipath
sgpio
perl-Convert-ASN1

lets delete this file with shred command. 

[root@localhost ~]# shred anaconda-ks.cfg

And now lets try and look at the contents of the file.

tail -f anaconda-ks.cfg
¾µÏ4%ú  ¶½hùcc~l&bÅYV¿þÌзÞUwFLÇ
+³²ç3ÛªÀÛê|áðVqOÕömIJÀ\ºçέð`º4£hÒÂ"/¹ÖIDP1`;í4#iHqÇGÿ
¨6ýÀ·UGç4÷sÜMó­Poõ"®Xm{XÚþ_?Î]JíÀ,_GIÆR~ïi¦õ©¯ÁU
.Ç]kh¤ó^`·¯>è]TX>=

you can clearly see that shred made the contents of the file full gibrish. Which is junk. So it overwrites the file's blocks with junk data when ran with no other options. This means the real data is overwrited with some gibrish data, so that even if someone recovers the file, they will not get the original data.

By default shred will overwrite the contents of the file with junk data 25 times.

If you want to overwrite the data of the file more times than the default 25, then you can do that by using the -n option as shown below.

[root@localhost ~]# shred -n 30 anaconda-ks.cfg
[root@localhost ~]#

Note: The default anaconda  kickstart file is so small, thats why shred was able to overwrite it 30 times, so fast. The speed of the overwrite will depend on the size of the file.

If you want to see the operation in verbose mode, then you can use the -v option as shown below.

[root@localhost ~]#  shred -v -n 30 anaconda-ks.cfg
shred: anaconda-ks.cfg: pass 1/30 (random)...
shred: anaconda-ks.cfg: pass 2/30 (7fffff)...
shred: anaconda-ks.cfg: pass 3/30 (000000)...
shred: anaconda-ks.cfg: pass 4/30 (dddddd)...
shred: anaconda-ks.cfg: pass 5/30 (800000)...
shred: anaconda-ks.cfg: pass 6/30 (777777)...
shred: anaconda-ks.cfg: pass 7/30 (888888)...
shred: anaconda-ks.cfg: pass 8/30 (249249)...

shred works by taking an assumption that the file system always overwrites data.

There are some major limitations of applying shred on a file(although it works perfect on ext2).Some are mentioned below.

1. shred file deletion does not applies to some journaling file system's, which journals both the data and the blocks
2. Shredding files on a heavily deployed RAID, where data is copied in multiple disks, might involve some complications.

You can use -s option to shred some first required bytes of a file.

[root@localhost ~]# shred -s 2B anaconda-ks.cfg
[root@localhost ~]#

The above mentioned example will overwrite the first 2 bytes of the file (similarly you can use K, for kilobytes,M for mega, etc).

[root@localhost ~]# shred -n 30 -u anaconda-ks.cfg

using the -u option as shown above will truncate/delete the file after overwriting it with junk content 30 times.

Due to the previously mentioned limitations of shred  while deleting files with it, its better suited to wipe out partitions and devices fully.

example shredding of the whole partition is shown below.

[root@localhost ~]# shred -n 30 /dev/sda1

if you want to delete the contents of an external device, you can pass the device name as an argument, to shred, similar to the above shown.

Please note that, data recovery is not secure until you destroy the whole physical device with some acid or burning the whole device. Because underlying data can be retrieved with expensive laboratory research, which IT forensic team does.

However you can be sure about the fact that, shred utility will help you achieve a considerable level of security. Because normal tools out there in the market cannot easily detect data from the partitions or devices shredded with this utility.