GNU bug report logs - #27420
Self Destruct - Self Erase of All Data On SD Card Using Shred,

Package: coreutils;

Reported by: John Shearing <johnshearing <at> gmail.com>

Date: Sun, 18 Jun 2017 16:40:02 UTC

Severity: normal

Tags: notabug

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27420 in the body.
You can then email your comments to 27420 AT debbugs.gnu.org in the normal way.


Report forwarded to bug-coreutils <at> gnu.org:
bug#27420; Package coreutils. (Sun, 18 Jun 2017 16:40:02 GMT)

Acknowledgement sent to John Shearing <johnshearing <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Sun, 18 Jun 2017 16:40:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: John Shearing <johnshearing <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Self Destruct - Self Erase of All Data On SD Card Using Shred,
Date: Sun, 18 Jun 2017 03:22:35 -0400
favorite
<https://raspberrypi.stackexchange.com/questions/68635/self-destruct-self-erase-of-all-data-on-sd-card-using-shred-dd-or-some-other#>

I will be using a raspberry pi as an air-gapped computer to make secure
encrypted transactions on the Ethereum BlockChain. Once in awhile I will
want to update the software I am using which will mean taking the SD card
out of the pi and inserting it into a laptop computer which is connected to
the Internet. I would like to use some program or command line utility on
the raspberry pi to securely erase everything on the SD card before
removing it as this will eliminate all possibility of sensitive information
being read off the SD card by bad actors which may have compromised my
laptop.

The following command typed in at the pi terminal conveys the idea of what
I hope to accomplish:
shred --verbose *.*

Is this possible using shred?

Thanks, John

Information forwarded to bug-coreutils <at> gnu.org:
bug#27420; Package coreutils. (Sun, 18 Jun 2017 18:44:02 GMT)

Message #8 received at 27420 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: John Shearing <johnshearing <at> gmail.com>, 27420 <at> debbugs.gnu.org
Subject: Re: bug#27420: Self Destruct - Self Erase of All Data On SD Card
 Using Shred,
Date: Sun, 18 Jun 2017 11:43:22 -0700
tag 27420 notabug
close 27420
stop

On 18/06/17 00:22, John Shearing wrote:
> favorite
> <https://raspberrypi.stackexchange.com/questions/68635/self-destruct-self-erase-of-all-data-on-sd-card-using-shred-dd-or-some-other#>
> 
> I will be using a raspberry pi as an air-gapped computer to make secure
> encrypted transactions on the Ethereum BlockChain. Once in awhile I will
> want to update the software I am using which will mean taking the SD card
> out of the pi and inserting it into a laptop computer which is connected to
> the Internet. I would like to use some program or command line utility on
> the raspberry pi to securely erase everything on the SD card before
> removing it as this will eliminate all possibility of sensitive information
> being read off the SD card by bad actors which may have compromised my
> laptop.
> 
> The following command typed in at the pi terminal conveys the idea of what
> I hope to accomplish:
> shred --verbose *.*
> 
> Is this possible using shred?

shred already supports passing multiple files, however
you would be much safer shredding at the device level,
since there are all sorts of reallocation etc. happening within filesystems.
I.E. something along the lines of:

  SDCARD=/dev/sdb1
  umount $SDCARD
  shred --verbose $SDCARD
  mkfs.ext4 $SDCARD

Note you can partition the SDCARD if there is only a portion that
you want to destructively recreate like this.

cheers,
Pádraig.




Added tag(s) notabug. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Sun, 18 Jun 2017 18:44:02 GMT)

bug closed, send any further explanations to 27420 <at> debbugs.gnu.org and John Shearing <johnshearing <at> gmail.com> Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Sun, 18 Jun 2017 18:44:03 GMT)

Information forwarded to bug-coreutils <at> gnu.org:
bug#27420; Package coreutils. (Thu, 22 Jun 2017 08:03:01 GMT)

Message #15 received at submit <at> debbugs.gnu.org:

From: Ruediger Meier <sweet_f_a <at> gmx.de>
To: bug-coreutils <at> gnu.org
Cc: 27420 <at> debbugs.gnu.org, John Shearing <johnshearing <at> gmail.com>,
 Pádraig Brady <P <at> draigbrady.com>
Subject: Re: bug#27420: Self Destruct - Self Erase of All Data On SD Card
 Using Shred, 
Date: Thu, 22 Jun 2017 10:02:16 +0200
On Sunday 18 June 2017, Pádraig Brady wrote:
> tag 27420 notabug
> close 27420
> stop
>
> On 18/06/17 00:22, John Shearing wrote:
> > favorite
> > <https://raspberrypi.stackexchange.com/questions/68635/self-destruct-self-erase-of-all-data-on-sd-card-using-shred-dd-or-some-other#>
> >
> > I will be using a raspberry pi as an air-gapped computer to make
> > secure encrypted transactions on the Ethereum BlockChain. Once in
> > awhile I will want to update the software I am using which will
> > mean taking the SD card out of the pi and inserting it into a
> > laptop computer which is connected to the Internet. I would like to
> > use some program or command line utility on the raspberry pi to
> > securely erase everything on the SD card before removing it as this
> > will eliminate all possibility of sensitive information being read
> > off the SD card by bad actors which may have compromised my laptop.
> >
> > The following command typed in at the pi terminal conveys the idea
> > of what I hope to accomplish:
> > shred --verbose *.*
> >
> > Is this possible using shred?
>
> shred already supports passing multiple files, however
> you would be much safer shredding at the device level,
> since there are all sorts of reallocation etc. happening within
> filesystems. I.E. something along the lines of:
>
>   SDCARD=/dev/sdb1
>   umount $SDCARD
>   shred --verbose $SDCARD
>   mkfs.ext4 $SDCARD
>
> Note you can partition the SDCARD if there is only a portion that
> you want to destructively recreate like this.

Does shred support SSD on the low level? I don't think you can truly
wipe an SSD by overwriting it, especially if you would overwrite only a
file or partition.

If the drive supports "ATA Secure Erase commands" you should 
use "hdparm" like this:
https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase#Step_3:_Secure_Erase

Otherwise, and if you are not paranoid, you could also use "blkdiscard" 
(ATA TRIM).

FYI, here somebody explains the issues with erasing SSDs very well
https://superuser.com/a/856491/229214

Regarding shred, maybe it's worth adding something about SSDs in the
CAUTION section of the man page.

cu,
Rudi




Information forwarded to bug-coreutils <at> gnu.org:
bug#27420; Package coreutils. (Sat, 24 Jun 2017 03:10:02 GMT)

Message #21 received at 27420 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Ruediger Meier <sweet_f_a <at> gmx.de>
Cc: 27420 <at> debbugs.gnu.org, John Shearing <johnshearing <at> gmail.com>
Subject: Re: bug#27420: Self Destruct - Self Erase of All Data On SD Card
 Using Shred,
Date: Fri, 23 Jun 2017 20:09:31 -0700
On 22/06/17 01:02, Ruediger Meier wrote:
> On Sunday 18 June 2017, Pádraig Brady wrote:
>> tag 27420 notabug
>> close 27420
>> stop
>>
>> On 18/06/17 00:22, John Shearing wrote:
>>> favorite
>>> <https://raspberrypi.stackexchange.com/questions/68635/self-destruct-self-erase-of-all-data-on-sd-card-using-shred-dd-or-some-other#>
>>>
>>> I will be using a raspberry pi as an air-gapped computer to make
>>> secure encrypted transactions on the Ethereum BlockChain. Once in
>>> awhile I will want to update the software I am using which will
>>> mean taking the SD card out of the pi and inserting it into a
>>> laptop computer which is connected to the Internet. I would like to
>>> use some program or command line utility on the raspberry pi to
>>> securely erase everything on the SD card before removing it as this
>>> will eliminate all possibility of sensitive information being read
>>> off the SD card by bad actors which may have compromised my laptop.
>>>
>>> The following command typed in at the pi terminal conveys the idea
>>> of what I hope to accomplish:
>>> shred --verbose *.*
>>>
>>> Is this possible using shred?
>>
>> shred already supports passing multiple files, however
>> you would be much safer shredding at the device level,
>> since there are all sorts of reallocation etc. happening within
>> filesystems. I.E. something along the lines of:
>>
>>   SDCARD=/dev/sdb1
>>   umount $SDCARD
>>   shred --verbose $SDCARD
>>   mkfs.ext4 $SDCARD
>>
>> Note you can partition the SDCARD if there is only a portion that
>> you want to destructively recreate like this.
> 
> Does shred support SSD on the low level? I don't think you can truly
> wipe an SSD by overwriting it, especially if you would overwrite only a
> file or partition.

This is a good point and already mentioned in the shred info docs.
That mainly protects against sophisticated access to the device though,
whereas the case here is for standard access (through a compromised laptop).

cheers,
Pádraig
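
Added example, not written by the thread participants or the coreutils project: a shell version of the device-level wipe suggested earlier in the thread, with a mounted-target guard and a read-back check that covers the "standard access" case discussed above (it says nothing about flash blocks the controller has remapped). The function names are hypothetical, `/dev/sdb1` is the placeholder device from the thread, and the demo runs on a constructed image file.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of coreutils.

# is_mounted TARGET: succeed if TARGET, or a partition whose name starts with
# it, is listed as a mount source.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' /proc/mounts
}

# reads_as_zero TARGET: succeed if an ordinary read returns only NUL bytes.
reads_as_zero() {
    leftover=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# wipe_and_verify TARGET
# Returns 0 wiped and verified, 2 bad target, 3 mounted, 4 shred failed,
# 5 non-zero data still readable.
wipe_and_verify() {
    target=$1
    if [ ! -b "$target" ] && [ ! -f "$target" ]; then
        echo "refusing: $target is not a block device or regular file" >&2
        return 2
    fi
    if is_mounted "$target"; then
        echo "refusing: $target is mounted, umount it first" >&2
        return 3
    fi
    # One random pass, then a final pass of zeros so the result can be
    # checked by reading the target back.
    shred --iterations=1 --zero "$target" || return 4
    sync
    reads_as_zero "$target" || return 5
    return 0
}

# Offline demo on a constructed image file instead of a real card.
demo() {
    img=$(mktemp)
    printf 'constructed-secret\n' > "$img"
    wipe_and_verify "$img"; rc=$?
    rm -f "$img"
    return "$rc"
}

# On the Pi: wipe_and_verify /dev/sdb1 && mkfs.ext4 /dev/sdb1
```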




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 22 Jul 2017 11:24:03 GMT)

This bug report was last modified 7 years and 329 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.