
MacBH928

macrumors G3
Original poster
May 17, 2008
I have a Raspberry Pi that I use as a Pi-hole and it is just sitting there. Is there a way I can attach an external HDD and let it secure-delete the HDD through SSH commands?

Basically I kind of want it to do what DBAN does. Note I am unfamiliar with Linux, but I can SSH into the Raspberry Pi and type commands that I do not understand.

Multiple writes on an HDD can take hours, so I thought this might be a good use of a system that is always on.
 
Yes. I will assume you have some way of attaching the drive to the Pi via an external enclosure. Then, you will need to get the device ID of the external drive with this command:

Code:
sudo blkid

This command will return something like the following:

Code:
/dev/sda1: UUID="d88b67c5-fba8-4bb8-8756-f79eb11e4b5c" TYPE="ext4" PARTUUID="580e7198-691e-4ba0-84a5-7fc5fe6e8647"

/dev/sda2: UUID="d88b67c5-fba8-4bb8-8756-f79eb11e4b5c" TYPE="ext4" PARTUUID="580e7198-691e-4ba0-84a5-7fc5fe6e8647"

/dev/sdb1: UUID="d88b67c5-fba8-4bb8-8756-f79eb11e4b5c" TYPE="ext4" PARTUUID="580e7198-691e-4ba0-84a5-7fc5fe6e8647"

The "/dev/sda1", "/dev/sda2", and "/dev/sdb1" part is what you need to watch. That is the device identifier for each attached disk. A different disk will have a different letter. Partitions are noted by the numbers. So /dev/sda1 is the first partition on disk sda, /dev/sda2 is the second partition, etc. /dev/sdb1 is the first partition on a different disk (/dev/sdb in this case). You may also be able to glean some info about which identifier is for your external HDD by running

Code:
sudo dmesg | grep sd

This will dump the kernel message buffer to the console, search through it for lines containing "sd", and only display those lines. Look for a disk ID related to your external drive in that output. You can also replace "sd" with the search term of your choice.

Once you have the device ID of your external drive (say it's /dev/sdb for this example), you're ready to overwrite it with random data. Note that you do not include the partition number in this command because you want to overwrite the whole drive, not just a single partition.

Code:
sudo dd if=/dev/urandom of=/dev/sdb bs=1M

The dd command copies data from an input file ("if") to an output file ("of"). In this case, we are copying pseudorandom data from the pseudorandom device /dev/urandom and using it to overwrite everything on the external disk that we identified as /dev/sdb. This is why getting the device identifier is so important. If you picked the wrong one, such as /dev/sda, you could end up overwriting the internal system storage for your Linux system. dd will not give you a chance to confirm before it starts writing, so make sure you get the right device identifier before running this command.

This command will simply overwrite everything on the disk with random data 1 time. On a traditional HDD, this is probably good enough. While you could be paranoid and run this command again once it's finished, it's not clear that multiple passes accomplish much in the way of security. Finally, on a SSD, it is better to issue a secure erase command to the controller that will clear all the data held in the storage cells than to try overwriting it.
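The blkid/dmesg steps above leave the riskiest part, picking the right /dev node, to eyeballing. The script below is an added example written for this thread, not code from the post above: it derives the parent disk from a partition name the way the post describes (/dev/sda2 belongs to /dev/sda, and on the Pi the SD card is /dev/mmcblk0 with partitions /dev/mmcblk0p1 and /dev/mmcblk0p2), refuses to continue if the target is the disk that holds the root filesystem or has anything mounted, and then prints the model, serial and size so you can compare them with the label on the drive. The function names and the command-line usage are this example's own; it assumes util-linux's lsblk and findmnt, which ship with Raspberry Pi OS.

```shell
#!/bin/sh
# Added example (not code from the thread). Sanity checks before pointing dd
# at a disk: refuse the disk that holds "/" and show what the target really is.
# Assumes util-linux lsblk/findmnt (present on Raspberry Pi OS).
# Usage:  sudo sh check_target.sh /dev/sdb

# Parent disk of a device node: /dev/sda2 -> /dev/sda, /dev/sdb -> /dev/sdb,
# /dev/mmcblk0p2 -> /dev/mmcblk0 (the Pi's SD card), /dev/nvme0n1p1 -> /dev/nvme0n1.
parent_disk() {
    case "$1" in
        /dev/mmcblk[0-9]*p[0-9]*|/dev/nvme[0-9]*n[0-9]*p[0-9]*)
            printf '%s\n' "$1" | sed 's/p[0-9]*$//' ;;
        /dev/mmcblk[0-9]*|/dev/nvme[0-9]*n[0-9]*)
            printf '%s\n' "$1" ;;
        *)
            printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
    esac
}

# True when the candidate ($1) and the root filesystem's source device ($2)
# live on the same disk. Both are arguments so this can be tested offline.
is_root_disk() {
    [ "$(parent_disk "$1")" = "$(parent_disk "$2")" ]
}

# Live check against the running system. Returns 0 only if the target looks
# safe to overwrite; every refusal prints its reason to stderr.
check_target() {
    target=$1
    [ -b "$target" ] || { echo "refusing: $target is not a block device" >&2; return 1; }
    # e.g. /dev/mmcblk0p2. Older Raspbian printed /dev/root here; in that
    # case compare against the lsblk tree by hand before going on.
    root_src=$(findmnt -no SOURCE /)
    if is_root_disk "$target" "$root_src"; then
        echo "refusing: $target is the disk holding / ($root_src)" >&2; return 1
    fi
    if lsblk -no MOUNTPOINT "$target" | grep -q .; then
        echo "refusing: something on $target is mounted; umount it first" >&2; return 1
    fi
    # Human-readable identity: compare MODEL/SERIAL/SIZE with the drive's label.
    lsblk -dno NAME,SIZE,TRAN,MODEL,SERIAL "$target"
}

# Only act when a target is given, so the functions can be sourced or tested
# without touching any device.
if [ "$#" -ge 1 ]; then
    check_target "$1" && echo "ok: $1 may be overwritten"
fi
```

Run it as root with the device node as the only argument; it exits non-zero with a reason when the target is the SD card, is not a block device, or still has a partition mounted, and prints the drive's model and serial otherwise.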
 


Great, that was explained beautifully. Thanks!

1) Is this as good as DBAN?

2) You seem to understand security; will it be better to encrypt the HDD after doing this as an extra measure?

3) How will I know if the process has ended, since I am doing this over SSH and will probably shut the terminal/connection?

I wish Linux had a way to read HDD names like in Windows and Mac so we understand which drive we are dealing with instead of letters+numbers.
 

DBAN will overwrite the drive multiple times, since many different standards bodies have different recommendations. The thinking on this has shifted over the years. It seems that you don't gain much with multiple passes. This article goes through the history of government standards regarding data erasure, most of which now just require 1 or 2 passes:

Yes, encrypting the HDD will make it much harder to recover data. You could encrypt it either before or after overwriting and it will help. If you wanted to save some time, you could encrypt it before overwriting and then just overwrite enough to wipe out the header. The rest of the drive is then just encrypted bytes and your attacker would have to either piece the header back together and guess your password, or brute force your cipher.

I'd put the dd job in the background if you're going to close the terminal. Just add a "&" to the end of the command to run it in the background so you can exit your SSH session.

Code:
sudo dd if=/dev/urandom of=/dev/sdb bs=1M &

You won't know when it's done, but you can log back in later and check if dd is still running by doing

Code:
ps aux | grep dd

This dumps all running processes and searches for the lines containing "dd"
 
great, that was explained beautifully. thanks!


3)how will I know if the processes has ended since I am doing this over SSH and probably will shut the terminal/connection.

You will know the process has completed when you are able to use the terminal again, unless you use a program like screen or background the command as has been mentioned. When you close a terminal window with a command executing, it kills off that command and stops the operation. The previously mentioned methods allow you to close the window and have the process continue to operate.

I wish linux had a way to read HDD names like in Windows and Mac so we understand which drive are we dealing with instead of letters+numbers


Those are user-friendly aliases displayed by the operating system. It is easy enough for you to tell the drive; it will most likely be shown like this. It should show up at the very end of the command's output, as it is the last kernel task done.

Code:
root@haswell:/home/seeder1# dmesg
.... snip
[1287033.715174] systemd[1]: apt-daily-upgrade.timer: Adding 28min 37.613367s random time.
[1287033.994372] systemd[1]: apt-daily-upgrade.timer: Adding 58min 24.706868s random time.
[1287034.048109] systemd[1]: apt-daily-upgrade.timer: Adding 2min 46.044295s random time.
[1287035.447607] systemd[1]: apt-daily-upgrade.timer: Adding 31min 53.783620s random time.
[1287036.258749] systemd[1]: apt-daily-upgrade.timer: Adding 52min 27.915376s random time.
[1287036.312143] systemd[1]: apt-daily-upgrade.timer: Adding 5min 59.960077s random time.
[1287036.418789] systemd[1]: apt-daily-upgrade.timer: Adding 6min 20.121330s random time.
[2187954.085655] usb 3-11: new high-speed USB device number 2 using xhci_hcd
[2187954.230661] usb 3-11: New USB device found, idVendor=0930, idProduct=6545
[2187954.230667] usb 3-11: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[2187954.230671] usb 3-11: Product: DT 101 G2
[2187954.230675] usb 3-11: Manufacturer: Kingston
[2187954.230678] usb 3-11: SerialNumber: 001372982B41EBA0A51C0112
[2187954.255513] usb-storage 3-11:1.0: USB Mass Storage device detected
[2187954.256102] scsi host6: usb-storage 3-11:1.0
[2187954.256252] usbcore: registered new interface driver usb-storage
[2187954.259130] usbcore: registered new interface driver uas
[2187955.346745] scsi 6:0:0:0: Direct-Access     Kingston DT 101 G2        PMAP PQ: 0 ANSI: 0 CCS
[2187955.347603] sd 6:0:0:0: Attached scsi generic sg3 type 0
[2187956.549226] sd 6:0:0:0: [sdd] 15240576 512-byte logical blocks: (7.80 GB/7.27 GiB)
[2187956.549360] sd 6:0:0:0: [sdd] Write Protect is off
[2187956.549363] sd 6:0:0:0: [sdd] Mode Sense: 23 00 00 00
[2187956.549498] sd 6:0:0:0: [sdd] No Caching mode page found
[2187956.549541] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[2187956.579899]  sdd: sdd1 sdd2
[2187956.581819] sd 6:0:0:0: [sdd] Attached SCSI removable disk

Oh, and this is the way macOS sees your drives.

Code:
MacUser2525:~$ diskutil list
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         128.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS HighSierraNVMe          127.0 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

See, the same letters and numbers as in Linux.


Edit: Now, I do not have an example for Windows, but if you have ever had a kernel panic on it where it shows the device it is on, it is shown in text as GPT://nieroworu0384 or a similar type of format, not C: or D:, in the error. The same method of determining the drive location on the system bus, with numbers and letters in a non-user-friendly format, is used by the underlying OS.
 
Code:
sudo dd if=/dev/urandom of=/dev/sdb bs=1M &

You won't know when it's done, but you can log back in later and check if dd is still running by doing

Code:
ps aux | grep dd

This dumps all running processes and searches for the lines containing "dd"

I did what you told me and I got this output: [2] 14363
Did it work? I don't see anything that shows progress or anything like that.

1) Can I add something to that command to repeat it (like repeat 2 or 7 times) and verify that the information has been overwritten?

2) Is the data from /dev/urandom constantly changing (randomized) or is it the same gibberish data replicated?
 

You could repeat it 3 times by doing this:

Code:
for i in {1..3}; do sudo dd if=/dev/urandom of=/dev/sdb bs=1M; done

Change the 3 to whatever number of repetitions you want.

However, since you want to exit your SSH session and still have this running, I personally would put this in a script. Make a text file (we'll call it disk_overwrite.sh here) containing the following lines:

Code:
#!/bin/sh
# seq instead of {1..3}: brace expansion is a bash extension that /bin/sh
# (dash on Raspberry Pi OS) does not perform, so {1..3} would run the loop only once.
for i in $(seq 1 3); do dd if=/dev/urandom of=/dev/sdb bs=1M; done


#!/bin/sh must be the first line. This means to execute the lines in the file with the Bourne shell, which is located at /bin/sh. Now make it executable:

Code:
chmod +x disk_overwrite.sh


Then change to the root user:

Code:
su
And execute the script in the background:

Code:
./disk_overwrite.sh &


/dev/urandom is cryptographically secure pseudorandom data. It is high quality random data and is way overkill for this use case.
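Two gaps remain in the background-job advice and the loop script above: a job started with a plain `&` still receives the SIGHUP that ends the SSH session, so it can die together with the login shell, and nothing checks that a pass actually reached the platters, which is the "verify" half of the question. The script below is an added example written for this thread, not the poster's own code: each random pass hashes the byte stream as it is written and re-hashes what the target reads back, the final zero pass is compared byte-for-byte against /dev/zero, every pass writes a timestamped log line, and it is meant to be started under nohup so a closed SSH session does not kill it. The function names, log format and the scratch-file dry run are this example's own; it assumes Linux with GNU or BusyBox coreutils and util-linux's blockdev.

```shell
#!/bin/sh
# Added example, not code from the thread: multi-pass overwrite with a
# verification step after every pass, logging to stdout so it can run
# detached from the SSH session. Assumes Linux with GNU or BusyBox coreutils
# (dd, head, tee, cmp, sha256sum, stat) and util-linux blockdev; run as root
# for a real disk.
#   Real disk:  sudo nohup sh wipe_verify.sh /dev/sdb 3 > /root/wipe.log 2>&1 &
#   Dry run:    sh wipe_verify.sh /tmp/scratch.img 2      (any regular file)

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

# Size in bytes: block device via blockdev, regular file via stat.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Without this the read-back may be served from the page cache instead of
# the disk. Only root can do it; the dry run simply skips it.
drop_caches() {
    if [ -w /proc/sys/vm/drop_caches ]; then echo 3 > /proc/sys/vm/drop_caches; fi
}

# Random pass. tee (rather than dd) carries the stream so it can be hashed
# while it is written; the read-back must hash to the same value, otherwise
# the data did not land (bad cable, dying sectors, unflushed cache).
random_pass() {
    t=$1; n=$2
    want=$(head -c "$n" /dev/urandom | tee "$t" | sha256sum | cut -d' ' -f1)
    sync; drop_caches
    got=$(head -c "$n" "$t" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Final zero pass, verified byte-for-byte against /dev/zero.
zero_pass() {
    t=$1; n=$2
    head -c "$n" /dev/zero | dd of="$t" bs=1M 2>/dev/null
    sync; drop_caches
    head -c "$n" /dev/zero | cmp -s - "$t"
}

# $1 = target, $2 = number of random passes (default 1). Stops at the first
# pass that fails verification; the log then shows which one.
wipe() {
    t=$1; passes=${2:-1}
    n=$(target_size "$t") || return 1
    log "target $t: $n bytes, $passes random pass(es) then a zero pass"
    i=1
    while [ "$i" -le "$passes" ]; do
        random_pass "$t" "$n" || { log "random pass $i FAILED verification"; return 1; }
        log "random pass $i verified"
        i=$((i + 1))
    done
    zero_pass "$t" "$n" || { log "zero pass FAILED verification"; return 1; }
    log "zero pass verified; done"
}

# Only act when a target is given, so the functions can be sourced or tested
# without touching any device.
if [ "$#" -ge 1 ]; then wipe "$@"; fi
```

Start it with `sudo nohup sh wipe_verify.sh /dev/sdb 3 > /root/wipe.log 2>&1 &`, log out, and after logging back in read `tail /root/wipe.log`; `pgrep -af wipe_verify` tells you whether it is still running. The dry run against a scratch file exercises the same code path and is the way to make sure the script does what you expect before it touches a real disk.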
 
Awesome, man! They should turn your post into a tutorial somewhere like on OSXdaily.com or something.
 