Subject: Re: securely erasing a hard disk
To: Philip Jensen <email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 10/20/2005 22:23:47
On Fri, Oct 21, 2005 at 03:03:46PM +1300, Philip Jensen wrote:
> On 10/21/05, Thor Lancelot Simon <email@example.com> wrote:
> > On Fri, Oct 21, 2005 at 01:35:24PM +1300, Philip Jensen wrote:
> > >
> > > If so, then does the -P switch for the NetBSD rm command really
> > > provide the "security" of data erasure people think they are getting?
> > > Or should the man page have an addition of "If you are serious about
> > > removing all traces of this file then ......."?
> > Did you read the entire manual page? The -P option is the subject of
> > extensive text in the BUGS section
> The -P option assumes that the underlying file system is a fixed-block
> file system. UFS is a fixed-block file system, LFS is not. In addition,
> only regular files are overwritten, other types of files are not.
Before complaining that NetBSD should or shouldn't do X, you might try
looking at the latest sources -- or even the latest, or next-to-latest,
official release -- to check whether it _already_ does what you want.
I enclose the relevant part of the manual page from NetBSD 2.0. Is it
in some way insufficient? I did mistakenly refer you to the COMPATIBILITY
section before -- in addition to the discussion of this issue in BUGS, it
is also discussed not in COMPATIBILITY but rather in STANDARDS.
| The -P option assumes that the underlying file system is a fixed-block
| file system. FFS is a fixed-block file system, LFS is not. In addition,
| only regular files are overwritten, other types of files are not. Recent
| research indicates that as many as 35 overwrite passes with carefully
| chosen data patterns may be necessary to actually prevent recovery of
| data from a magnetic disk. Thus the -P option is likely both insuffi-
| cient for its design purpose and far too costly for default operation.
| However, it will at least prevent the recovery of data from FFS volumes
| with fsdb(8).
| The rm utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compati-
| ble. The -v option is an extension.
| The -P option attempts to conform to U.S. DoD 5220-22.M, "National Indus-
| trial Security Program Operating Manual" ("NISPOM") as updated by Change
| 2 and the July 23, 2003 "Clearing & Sanitization Matrix". However,
| unlike earlier revisions of NISPOM, the 2003 matrix imposes requirements
| which make it clear that the standard does not and can not apply to the
| erasure of individual files, in particular requirements relating to spare
| sector management for an entire magnetic disk. Because these
| requirements are not met, the -P option does not conform to the standard.