NAME
wipe - secure file deletion utility
SYNOPSIS
wipe
[-ucwsiIhfFdDnNvVzZrRtTkKaA] [-B(count)] [-S(size)] [-C(size)]
[-o[size] -O] [-l[0-2]] [-x[1-32] -X] [-p(1-32)] [-b(0-255)]
[files]
DEFAULT
wipe -ZdntVAkO -S512 -C4096 -l1 -x8 -p1
DESCRIPTION
Wipe is a secure file wiping utility. There are
some low level issues that must be taken into consideration. One of
these is that there must be some sort of write barrier between
passes. Wipe uses fdatasync(2)
(or fsync(2)) as a
write barrier, or if fsync(2) isn't
available, the file is opened with the O_DSYNC or O_SYNC flag. For
wipe to be effective, each pass must be completely written. To
ensure this, the drive must support some form of a write barrier,
write cache flush, or write cache disabling. SCSI supports ordered
command tags, has a force media access bit for commands, and write
cache can be disable on mode page 8. IDE/ATA drives support write
cache flushes and write cache disabling. Unfortunetly, not all
drives actually disable write cache when asked to. Those drives are
broken. Write caching should always be disabled, unless your system
is battery backed and always powers down cleanly
Under linux, the mount option "mand" must be used (see
linux/Documentation/mandatory.txt) for mandatory file locks to be
enabled. Wipe should make it extremely difficult for all but the
most determined person(s) to recover the original plaintext data.
Utilities such as PGP and the GNU Privacy Guard provide strong
encryption, but encryption is useless if the original plaintext can
be recovered. When using PGP and GPG, temporary files that are
disk-backed should be stored on an encrypted file system. That way,
the plaintext never hits the platters. Wipe is designed for
situations where an encrypted file system isn't practical.
Wipe uses /dev/urandom, or if unavailable, /dev/random, as a
source for entropy. The Mersenne Twister PRNG is used for speed.
The MT site is at:
For more information on the secure deletion of magnetic media
and solid state storage devices (such as DRAM) see the USENIX
article by Peter Gutmann at:
OPTIONS
- -h
- Display help screen. Shows options and what they do.
- -u
- usage - shows options
- -c
- shows copywrite information
- -w
- shows warranty
- -i
- interactive - prompt whether to remove each file explicitly
checks file permissions
- -I
- disables interaction
- -f
- forces file wiping and suppresses permission warnings
- -r or -R
- recursion - traverse subdirectories
- -s
- silent - disable percent reporting and some warnings
- -V
- verbose - shows percentage if file size is above a certain
limit (see wipe -h)
- -v
- force verbose - always show percentage
- -d and -D
- delete (-d) or keep (-D) after wiping
- -n and -N
- delete (-n) or skip (-N) fifos, sockets, sym links, and char
devices
- -k and -K
- lock (-k) or don't lock (-K) files during wiping
- -z
- zero-out file - performs a single pass of zeros
- -Z
- perform normal passes - overrides -z
- -t and -T
- enable (-t) or disable (-T) static passes
- -a and -A
- write until out of space (-a) or don't (-A)
- -o and -O
- write [size] to stdout (-o) or use files (-O)
Since wipe does not have specific support for char devs, like it
does for block devs, this is the preferred method of wiping them,
such as tape drives; eg, wipe -za -o | buffer > /dev/nst0 It can
also be used for block devs; eg wipe -To | dd count=size of=blkdev
You can also use this to create files containing pseudo-random
output from the MT PRNG; eg, wipe -To10240 -x1 > prand
For static passes, you must specify a stdout length.
- -B
- override block device sector count
- -S
- override block device sector size
- -C
- chunk size - the maximum file buffer size
- -l
- sets generic security level
level 0, the PRNG is only seeded once
level 1, the PRNG is seeded once per file
level 2, the PRNG is seeded once per random pass
- -x
- enables random passes and optionally, how many random passes to
perform - note that this option now sets the number of random
passes per wipe loop - in other words, the total number of random
passes will be random passes * wipe loops (-p)
- -X
- disable random passes
- -p
- loop passes - perform wipe sequence x times, including random
passes
- -b
- custom byte - overwrite once with a specific byte
FILES
- /dev/urandom
- Wipe uses this character device for a source of entropy
- /dev/random
- Wipe falls back to using this if /dev/urandom is not
available
DIAGNOSTICS
If an error occurs, the exit code will be the
errno value. An exit code of 2 indicates bad usage.
BUGS
Wipe does not work on log structured file systems, or
any other type of file system or block device that reallocates
sectors on write.
Some programs are vulnerable to symlink races. To avoid this
problem with wipe, only wipe files in directories that are not
writable by untrusted users.
NOTES
Other file wiping utilities
There are several other file wipers available.
Another "wipe" by Berke Durak <>
Colin Plumb's <> sterilize.
Todd Burgess's <>
srm is available on sunsite/metalab in
AUTHOR
Copyright (C) 1998-2003 by Tom Vier <>
AVAILABILITY
SEE ALSO
/usr/doc/wipe/README