securely editing files, shred command

I have some old paper letters I’m going to scan and store. I need to be able to create and edit personal letters securely. I’ve learned how to use encryption. Now, I need to use a secure method of deleting files.

https://linux.die.net/man/1/shred

I have a folder with all the files. So first, I zip the folder. How do I securely shred a folder with one command?

After that, I can encrypt the zip file. Then use the shred command on the zip file. To be the most secure, I store the encrypted file on a blank flash drive. So, I want to edit those files on the main hard drive and then shred all traces from the hard drive.

Which file system type should I use on the flashdrive? – opensuse uses snapshots and caches files. I have the app bleachbit to erase all cache and backup files.

Is opensuse saving any user data in snapshots? Is bleachbit enough to remove all traces of the edited files? Noting the comments about the ext3 system. I’m planning to use ext4 for the flash drive.

http://www.system-rescue-cd.org/manual/Secure_Deletion_of_Data/ has a useful discussion of and links to other discussions of these issues.

If your disk is an SSD, you don’t have to do anything except perhaps to make sure that the traps are cleared with something like a TRIM command. Once the trap is cleared of data, no one can recover the data, period.

If your disk is a rotating disk (HDD), then the tools described in John’s SystemRescueCD link are fine. No matter what tool you use, the space occupied by the data has to be over-written with something… zeroes or random characters, and the more often you over-write the location the less likely any remnants from the original data can be recovered. Personally, I feel over-writing 25 times is considerable overkill and likely a waste of time. I’ve tested recovering after one or two passes, and personally recommend 3-5 passes. Even if something could be recovered at that point it probably couldn’t be used to re-construct anything meaningful.

The other thing that the SystemRescueCD article doesn’t mention that is essential to forensic data recovery is to know that temporary files, caches and sometimes memory caches need to be cleared as well. If you use something like vim, there are very few additional data locations to check but if you use graphical text editors, anything is possible.

Personally, I use dd because it gives me ability to configure wiping the fastest, you just need to be careful that if you configure very large number of blocks to over-write, it can leave a very large number of blocks not over-written so you need to additionally configure over-writing smaller numbers of blocks.

IMO,
TSU

Best to do things in a way that shredding is not needed.

(1) Use encrypted swap. Ask for more details if needed.

(2) Configure “/tmp” to use “tmpfs”. That means that “/tmp” exists in memory and perhaps swap. But swap is encrypted (step (1) above). And when you reboot, memory is erased.

(3) To work with the files you are encrypting, create a directory in “/tmp” and work with them there. That way, the only unencrypted copy is in “/tmp”. And, when done, just delete it all. Since “/tmp” now uses “tmpfs” and backing swap is encrypted, there is no need to shred.

(4) When that is not enough, use an encrypted directory. I use an “ecryptfs” private directory. You can also use “encfs” for encrypting a directory. Or you can set up a Plasma vault (from KDE), where “encfs” is one of the encryption choices.

I tried to format the flash drives with volume label. Yast-partitioner

Mounting options:

mount device
/srv

fstab option:
enter label

click ok

the btrfs volume… error

I can’t enter a label with either primary or extended partition. ??

I had to manually label it:

tune2fs -L labelname /dev/sdb1

In fact you can not label partitions, you can label file systems. That is file system dependent. Thus you use e.g. tune2fs for ext2/3/4/ file systems. And a different one each for other type of file system (if the file system supports it).

And as said you can not label partitions. Primary partitions may contain a file system, thus you may be able to label such a file system and some then will incorrectly say they labeled the partition. But extended partitions can not contain file systems (they can only contain logical partitions), thus even when using the shortcut expression partition for file system, you can not label an extended partition.

FYI, I need to understand this so I can properly format a flash drive in linux to store my data and possibly encrypt it. After, I will return to the subject matter.

Create partition (all available space) → Format that partition with a file system, add label.

New flash pre-formatted with FAT32

Partition /dev/sdb → FAT32 file system with the label ‘brandname’

Yast-partitioner–> click sdb in system view → click delete.

That deletes the FAT32 file system and partition. Flash drive has no partitions.

Add partition → primary → maximum size → Data and ISV applications →
Formatting options → format device → select ext4 →

Choose to encrypt device or not. Click on checkbox
Encrypt → enter password

Flash drive has a partition formatted with ext4 file system. Blank label. KDE then mounts the drive showing it in the plugin icon.

I’ve done this for three flash drives. Is there a way enter a drive label here or somewhere else in KDE? Else, I have to manually label all my flash after using this.

PS, I need do some websurfing on linux extended partitions.

First FYI, I did not try to read all the posts before the post I answered (and quoted) to. I am not interested in the subject. I only saw the confusion emanating from the post I answered to and tried to provide you with information about what a file system is (the contents), what a partition is (one of the type of containers that can contain a file system), so that you see the difference and thus may understand why you can label a file system, but not a partition (and certainly not an extended partition).

Now about what you post above.
I stopped reading after the part I quote here. Because you first say that you created a (one!) partition on the device that has the maximum available size. Now when you create such a partition on say /dev/sdb, that partition will be /dev/sdb1.
Then you say you have a file system on /dev/sdb.
Those two things can NOT be true at the same time. Either you have a file system on the whole device /dev/sdb (that will then have no partitions at all), or you have a file system on a partition on the device /dev/sdb1.

I decided it has no use to read on before this is made clear: what you have (done).

Why? Just read https://en.opensuse.org/SDB%3ABasics_of_partitions,_filesystems,_mount_points

I took the trouble to try and understand this.
First:

Yast-partitioner–> click sdb in system view → click delete.

Normally one would after clicking sdb at left, then see the existing partitions at right and select the partition at right before one clicks delete at right. But indeed, when there is only one partition (sdb1) clicking Delete will delete this only partition (btw, it will only remove the entry of that partition from the new, yet to write to the device, partition table, nothing is done to the device yet).

Then you recreate the partition sdb1. I do not know why, because it was already there. You only want to create a new file system on it, which you can do with Edit. But OK, that is what you did.

Now when you reach to the Formatting Options, there is also the Mount Options panel. When you check Mount the device, you will be able to click the Fstab options. This will bring a pop-up where you can fill in the Volume Label…

I admit that it is a bit strange that you can only fill in the label when you also go for creating an fstab entry with a mount point, but as you found out you can always create/change the label with tune2fs. You are not bound to using YaST. I most of the time just use fdisk, mkfs, vi /etc/fstab, etc. YaST is only a helping program created around all these tools that by nature only covers a subset of the myriads of possibilities. The subset that the designers assumed are the ones most often used.

I’m getting too far off track. The problem with yast should be for another topic. I’ve read the website and it was helpful. I’m still learning linux file systems.

Best to do things in a way that shredding is not needed.

(1) Use encrypted swap. Ask for more details if needed.

(2) Configure “/tmp” to use “tmpfs”. That means that “/tmp” exists in memory and perhaps swap. But swap is encrypted (step (1) above). And when you reboot, memory is erased.

(3) To work with the files you are encrypting, create a directory in “/tmp” and work with them there. That way, the only unencrypted copy is in “/tmp”. And, when done, just delete it all. Since “/tmp” now uses “tmpfs” and backing swap is encrypted, there is no need to shred.

The Swap partition is used when opensuse runs out of memory space. If you have a large amount of memory, it shouldn’t use swap. If I understand correctly?

#1,#2: How do I do both?

flash drive decrypted file → ‘/tmp’ folder → edit file(s) → encrypt file to flash drive. I would use bleachbit to clear temp and cache files.

I’ve been doing reading up on plasma vaults.

Let’s start with mount swap as tmpfs.

Probably the easiest way to do this, is to create a symbolic link:


sudo ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/.

When you next boot, “/tmp” should be mounted as “tmpfs”. However, what is currently in “/tmp” will still be there but will be hidden beneath the mount point. Those can be removed later if you want.

As for encrypted swap – there are two ways of doing that. One method is to use LUKS encryption. You will need to provide a password at every boot. The other method is to use random encryption – you don’t need to provide a password, but you cannot use hibernation (because the hibernation image is encrypted with a random password). I’ll let you think about which of those you want to try.
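An added example, not part of any post in this thread: a pre-flight check for the workflow described above, confirming that “/tmp” really is tmpfs and that every active swap area sits on dm-crypt before anything is decrypted into “/tmp”. The function names are made up for this example, and it assumes swap encryption is done through cryptsetup/dm-crypt (both methods mentioned above are).

```shell
#!/bin/sh
# Added example (not from the thread). Paths default to the live system;
# the optional arguments exist so the checks can be run on captured files.

# fstype_of MOUNTPOINT [MOUNTS]: type of the last (topmost) mount on MOUNTPOINT.
fstype_of() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { if (t == "") exit 1; print t }' \
        "${2:-/proc/mounts}"
}

# is_crypt_backed NAME [SYSFS]: true if block device NAME (e.g. dm-1) is a
# dm-crypt mapping, or is stacked (LVM etc.) on one. cryptsetup gives its
# mappings a device-mapper UUID that starts with "CRYPT-".
is_crypt_backed() (
    sys="${2:-/sys}"; node="$sys/class/block/$1"
    uuid=$(cat "$node/dm/uuid" 2>/dev/null || true)
    case "$uuid" in CRYPT-*) exit 0 ;; esac
    for s in "$node"/slaves/*; do
        [ -e "$s" ] && is_crypt_backed "$(basename "$s")" "$sys" && exit 0
    done
    exit 1
)

# unencrypted_swaps [SWAPS] [SYSFS]: print every active swap area that could
# not be shown to sit on dm-crypt. Swap files are always reported.
unencrypted_swaps() {
    tail -n +2 "${1:-/proc/swaps}" 2>/dev/null | while read -r dev type rest; do
        [ "$type" = partition ] || { echo "$dev"; continue; }
        real=$(readlink -f "$dev" 2>/dev/null || true)
        is_crypt_backed "$(basename "${real:-$dev}")" "${2:-/sys}" || echo "$dev"
    done
}

# safe_for_plaintext [MOUNTS] [SWAPS] [SYSFS]: both preconditions hold.
safe_for_plaintext() {
    [ "$(fstype_of /tmp "${1:-/proc/mounts}")" = tmpfs ] ||
        { echo "/tmp is not tmpfs" >&2; return 1; }
    bad=$(unencrypted_swaps "${2:-/proc/swaps}" "${3:-/sys}")
    [ -z "$bad" ] || { echo "swap not on dm-crypt: $bad" >&2; return 1; }
}

if safe_for_plaintext; then
    echo "OK: /tmp is tmpfs and all active swap is on dm-crypt"
else
    echo "Not safe yet: fix the items above before decrypting into /tmp"
fi
```

Run it again after the reboot that activates the tmpfs mount; a swap file is reported even when it lives on an encrypted file system, because this check only follows block devices.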

First, it’s my understanding that our belief that swap is used only when you run out of physical memory is outdated and incorrect today. It’s my understanding that even under optimal conditions when there is plenty of available physical memory, the OS will swap to disk data that will be rarely used so that physical RAM will be available only for active use.

I don’t recommend using commercial products like bleachbit although you are free to do so. Commercial products won’t do a better job of wiping your free space than common tools available for free and at your fingertips.

TSU

You have three, that I’m aware of, types of hard drives. Pure magnetic, ssd/flash drive, and hybrid. Hybrids use a flash card to access data more quickly. I have all three types.

I need to scramble the original flash drives for reuse as temporary drives. They are five years old, so I’m not taking any chances with data loss. So, I have brand new ones.

To scramble the flash drives (8gb), this command should work. However, there are commands I’m not sure I should add to it.

-x, --exact
do not round file sizes up to the next full block;
this is the default for non-regular files

-z, --zero
add a final overwrite with zeros to hide shredding

shred -vn 5 /dev/sdb1
sync

The dd command is faster. But, I need to do this five times. Some examples I’ve found. ‘bs’ is block size

dd if=/dev/urandom of=/dev/sdb1 bs=1M
dd if=/dev/zero of=/dev/sdb1 bs=1M count=999999999999

sync

Because SSDs are different from spinning rust drives, you do not need to do multiple overwrites. The reason for the need on magnetic drives is that the magnetic state of the track can spread past the edge of the track and can possibly be read. SSDs use flash memory; when a block is erased the data is gone, no leakage.

Also heavy writing to an SSD will reduce the life somewhat.

It’s not commercial. I used yast to install it. It’s a free tool. I had another free tool, but it was too slow. ??

What other free tools are available?

I’ve read on the Amazon website that Samsung SSD drives have multi-level bits. Not just one bit, but extra backup bits per cell. So, you DO need to do extra overwrites. Right?

On most, if not all, flash drives, there is only one bit per cell. So, only one pass is needed.

Another question: what if you have a magnetic drive with lots of bad blocks that you need to dispose of? Assuming you don’t physically destroy it. You can’t write to those blocks, an “unreadable” block. A bad block is truly unrecoverable?

Next, hybrid drives are magnetic drives with flash caches (I think). Since it is part magnetic, it requires multi-passes.

I think the problem is more that you have no real control over what you are overwriting.

Another question: what if you have a magnetic drive with lots of bad blocks that you need to dispose of? Assuming you don’t physically destroy it. You can’t write to those blocks, an “unreadable” block. A bad block is truly unrecoverable?

This is why most of my disk is encrypted. If I “forget” the encryption key, that is sufficient. And it does not matter if some of the blocks cannot be written.

No, that is not how multiple bits are used. They are not “backup”; they are just bits.

https://en.wikipedia.org/wiki/Multi-level_cell

For a SSD: use “Secure Erase”.
Use utilities provided by a SSD manufacturer.

https://www.wepc.com/how-to/securely-erase-an-ssd-drive/
https://www.kingston.com/en/community/articledetail?ArticleId=10
http://nvsl.ucsd.edu/index.php?path=projects/sanitize