Securely Wipe a File with DD

Last updated: Apr 15, 2008

Sometimes we have sensitive data that we want to get rid of. Since deleting a file doesn’t actually prevent it from being recovered we need to do some extra steps to ensure that it can’t be recovered. In this post we will use DD to complete this task. DD is often the tool digital forensics use to duplicate hard drives we will use it for a more destructive use so that our data can’t be recovered.

If you looking for a way to wipe an entire hard drive check out, Wiping a Hard Drive with DD.

Before deleting the sensitive file we will write over top of it with random characters.

First we find out how many characters we have to write over:

$ ls -l

This will list the directory contents. Find your file and remember or write down the byte size. It might look like this:

-rw-r--r-- 1 mark mark 21 Apr 15 22:40 test.txt

In this case the we have 21 bytes

Now that we know we have 21 bytes to write over we will use this command:

dd if=/dev/urandom of=test.txt bs=21 count=1 conv=notrunc

dd Command Explanation

  • dd - This is the program that we are running. It is short for data definition and sometimes called data destroyer because it is infamous for accidental data destruction.

  • if=/dev/urandom - ‘if’ stands for In File, AKA the source. This is the file, blocks, or device that dd will read from. In this case /dev/urandom is a special device that comes with Linux and BSD that will produce an endless supply of random characters (In our example we will only need 21).

  • of=test.text - ‘of’ stands for Out File. We are writing over a file so we type our file name here.

  • count=1 - The count tells dd how many times to repeat. If set count to ‘2’ it would produce 42 bytes of data. We only want it to write over the current data not create more than what we need, so we will set this to ‘1’.

  • conv=notrunc - dd by default will stop writing and truncate (delete the rest) the file if you specify a byte size that is less than the file. You really don’t need to have this part of the command to get the job done but it will help minimize errors.

Deleting the File

Now that the file you want to securely wipe has been written over it is much harder for someone to retrieve it. As of right now it is pretty much impossible to recover the file using software. You would have to use an expensive machine and physically look through the hard drive for the data. Even then you are not guaranteed to be able to find/recover the data. The only thing left to do is actually delete it.

rm test.txt

If you want to be really sure your data is gone you will need to write over the file 7 times. This is the current Department of Defense procedure for wiping sensitive data.

for ((n=1;n<8;n++)); do COMMAND; done;

This is the standard one line for loop that will repeat a command. The above command will repeat 7 times. Just replace the COMMAND part with your dd command.

Need to print shipping labels on your site?

Checkout my product RocketShipIt for simple easy-to-use developer tools for UPS™ FedEx™ USPS™ and more.

Get notified on new posts or other things I'm working on