[vox-tech] Most efficient way to wipe hard drives

Bill Broadley bill at broadley.org
Thu Sep 10 16:07:42 PDT 2009


Brian Lavender wrote:
> On Wed, Sep 09, 2009 at 09:20:30PM -0700, Bill Broadley wrote:
>> Short answer, one wipe is enough (At least for NIST, and one of the British
>> Infosec standards), wipes miss bad sectors, the ATA secure erase command is
>> worth checking out.
> [snip]
> I think caching is a concern on some systems, so more wipes seems to
> magically make the write go to the actual media. But I would agree with

I don't see how.  After all a system wouldn't work well without reliable
writes.  Sure you should do a sync and order shutdown and not pull the power
the second the dd command comes back.  Especially if the disk light is showing
activity.  NIST seems to have made a very informed decision on the single
write is enough.  Keep in mind even if linux random dropped writes without
telling anyone the cache is much much smaller than the disk on any sane system.


> one wipe is probably enough. I had not thought about bad blocks. 

Secure erase or destruction is the only way to get those.

>> So if you don't use secure wipe and won't lose sleep at night over a few bad
>> blocks being potentially recovered I'd recommend something like:
>>
>> dd if=/dev/urandom of=/dev/sd<whichever disk>
> 
> Your computer must have a lot of entropy! Note that that device gathers

Note the above is /dev/urandom, only /dev/random is limited by entropy.
Indeed a read of a disk worth from /dev/random would take a very long time.

As long as your attacker doesn't have root access to the machine doing the
wipe during the wipe you should be good.  Pretty much all linux distributions
since 2000 or so save the seed state across reboots.



More information about the vox-tech mailing list