How To Securely Delete Files From Your Servers

If data isn’t securely deleted from your servers, it can be recovered by anyone who has access to the drive. We look at why ordinary deletion isn’t good enough, and two techniques for making sure that your data is gone for good.

Do you know what happens when you delete a file in a GUI or run rm file.txt on the command line? If you said the file is deleted, you are only half right. In fact, the data stays just where it was before you “deleted” it. You can’t see it because the link the operating system used to identify the file and show it to you no longer exists. But the data is untouched until the operating system uses the space for a different file.

It’s easy to restore data that has not been securely deleted. That’s bad news if the hard drive the data is on is sold, leased to someone else, or thrown in the trash. There are business, security, and legal consequences if server data is not securely deleted.

The only way to securely delete data is to overwrite it. You could also destroy the drive, but businesses typically lease servers that they don’t have physical access to or they own. They need to be able to securely delete data remotely. A quick rm doesn’t cut it.

Before I outline the best way to securely delete a file or volume, a word of warning. If you do this, the data will be gone forever — that’s the point. Before running any of these commands, make sure you really mean it.

Securely Deleting A File

As I have already said, rm removes directory entries. It does not delete data. To securely delete the data, you must use a tool that both removes the link and overwrites the data.

One such tool is shred, which will repeatedly overwrite the file’s data with random bytes.

shred -u file.txt

Shred overwrites the file three times with random data, although you can specify how many times the data is overwritten with the -n option. If you don’t use the -u option, shred will overwrite the data but it won’t remove the file.

Securely Deleting A Drive

The shred utility can securely erase drives, but we’ll explore an alternative.

Before running these commands, check that you have correctly identified the drive you want to erase. The command will run on the boot and root drives without warning.

Linux represents drives as files. For example, the file /dev/sda1 represents the “first” drive on your server. The dev directory is not a normal directory, but a collection of special files representing devices connected to the server.

To see the drives connected to a server, run this command,

`fdisk -l`

Identify the drive that you intend to erase all data from and take note of the special filename. We’re going to use dd to overwrite the data on this drive with either random data or zeroes. The dd command “converts and copies a file”.

In this case, we’re going to take data from a special file and overwrite our target drive with it. Linux provides several special files that generate a stream of data, including /dev/zero and /dev/urandom, which contain lots of zeros and pseudorandom data respectively.

dd if=/dev/urandom > /dev/ss__ # replace __ with drive number

Here, we designate /dev/random as the input file and direct its data to overwrite the drive. This will destroy all data on the drive.

For added security, you can repeat the dd command several times or alternate between random data and zeros with:

dd if=/dev/zero of=/dev/sd__ # replace __ with drive number

On modern high-density drives, multiple passes are usually not necessary, but it doesn’t hurt.

Limitations

There are some limitations to this approach that you should be aware of. If the data is being backed up to a different drive, it may remain accessible. If the drive uses a modern journaling filesystem like ext4, some data may not be erased properly. SSD wear leveling can also interfere with secure deletion.

For sensitive data, it may be best to use an encrypted volume rather than relying on secure deletion. The data from an encrypted volume cannot be recovered without the key even if it has not been securely deleted.