Securely erase a server

I recently had to securely erase a server that I had only ssh access to. I was worried that running

rm -rf --no-preserve-root /

would cause a kernel panic and not erase the drive properly. One way to overcome this problem is to create a ramdisk. Since a ramdisk is stored in memory, tools run from it should be able to erase the root filesystem successfully.

mkdir -p /dev/shm/ramdisk/bin /dev/shm/ramdisk/dev /dev/shm/ramdisk/lib /dev/shm/ramdisk/lib64 /dev/shm/ramdisk/usr/lib
cp /bin/dd /bin/bash /bin/ls /dev/shm/ramdisk/bin
ldd /bin/bash /bin/dd /bin/ls

and then copy all the libraries that ldd lists to

cp <library paths from ldd> /dev/shm/ramdisk/lib

or the appropriate directory like lib64 or usr/lib. Then bind-mount your /dev directory

mount -o bind /dev/ /dev/shm/ramdisk/dev

Chroot into the ramdisk

chroot /dev/shm/ramdisk /bin/bash

Then simply run

dd if=/dev/zero of=/dev/sda bs=1M

pv is usually faster than dd, so you can use that instead.
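
The library-copying step above, as an added example that is not part of the original post: shell helpers that parse ldd output and copy each binary with its libraries into the ramdisk, keeping the original paths so the dynamic loader finds them. The function names are hypothetical, and a glibc or musl style ldd is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. ldd_paths, populate_chroot and
# missing_libs are hypothetical helper names.

# Read ldd output on stdin and print each absolute library path once.
# Handles "name => /path (0x...)" and "/lib64/ld-linux... (0x...)" lines;
# skips linux-vdso (no file on disk) and "not found" entries.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// && $2 ~ /^\(0x/ { print $1 }
    ' | LC_ALL=C sort -u
}

# populate_chroot ROOT BINARY...: copy each binary and its libraries into
# ROOT under the same absolute path they have on the live system.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        mkdir -p "$root$(dirname "$bin")" || return 1
        cp -L "$bin" "$root$bin" || return 1
        for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
            mkdir -p "$root$(dirname "$lib")" || return 1
            cp -L "$lib" "$root$lib" || return 1
        done
    done
}

# missing_libs ROOT BINARY...: print libraries still absent from ROOT.
# Empty output means every listed binary has its dependencies in place.
missing_libs() {
    root=$1; shift
    for bin in "$@"; do
        for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
            [ -e "$root$lib" ] || echo "$lib"
        done
    done | LC_ALL=C sort -u
}

# Usage on the server, with the paths from the post:
#   populate_chroot /dev/shm/ramdisk /bin/dd /bin/bash /bin/ls
#   missing_libs    /dev/shm/ramdisk /bin/dd /bin/bash /bin/ls
```

Run missing_libs before starting dd: once the disk is being overwritten, a library that was left out can no longer be copied in.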

Some people say that it's necessary to go over old hardware with bytes other than zeros, and that you would have to make multiple passes. But I do not think it is necessary. See this article

https://security.stackexchange.com/questions/10464/why-is-writing-zeros-or-random-data-over-a-hard-drive-multiple-times-better-th

The article simply says “just write it with zeros and forget it.” Some storage media have a secure erase feature that you could activate using

hdparm --security-erase <password> /dev/sda

On SSDs, secure erasing is a lot harder. One would have to do this quite carefully, I would imagine.