Securely erase a server
13 Jan 2018I recently had to securely erase a server that I had only ssh access to. I was worried that running
rm -rf --no-root-preserver /
would cause a kernel panic and not erase the drive properly. One way to overcome this problem would be to create a ramdisk. Since ramdisks are stored in memory, it should be able to successfully erase this root filesystem.
mkdir -p /dev/shm/ramdisk/bin /dev/shm/ramdisk/dev /dev/shm/ramdisk/lib64 /dev/shm/ramdisk/usr/lib
cp /bin/dd /bin/bash /bin/ls /dev/shm/ramdisk/bin
ldd /bin/bash
and then copy all the necessary libraries to
cp /dev/shm/ramdisk/lib
or the appropriate directory like lib64
or usr/lib
. Then mount bind your dev directory
mount -o bind /dev/ /dev/shm/ramdisk/dev
Chroot into the ramdisk
chroot /dev/shm/ramdisk/dev
Then simply run
dd if=/dev/zero of=/dev/sda bs=1M
pv is usually faster than dd, so you can use that instead.
Some people say that its necessary to go over old hardware with bytes other than zeros, and that you would have to make multiple passes. But I do not think it is necessary. See this article
https://security.stackexchange.com/questions/10464/why-is-writing-zeros-or-random-data-over-a-hard-drive-multiple-times-better-th
The article just simply says “just write it with zeros and forget it. Some storage media have a secure erase feature that you could activate using
hdparm --security-erase
On ssds, security erasing is a lot harder. One would have to this quite carefully, I would imagine.