Although it has some important limitations, the shred command can be useful for destroying files so that their contents are very difficult or impossible to recover. shred accomplishes its destruction by repeatedly overwriting files with data patterns designed to do maximum damage so that it becomes difficult to recover data even using high-sensitivity data recovery equipment [1].
Deleting a file with the rm command does not actually destroy the data; it merely destroys an index listing the location of the file and makes the file's data blocks available for reuse. Thus, a file deleted with rm can be easily recovered using special utilities or commands if its freed data blocks have not yet been reused. However, on an active system with a nearly full hard disk drive (HDD), freed space can be reused in a matter of minutes or even seconds.
shred's syntax is
When used without any options, shred will overwrite any designated files or devices 25 times, which is generally sufficient to remove all traces of the data on those files or devices. A device can be a partition (i.e., a logically independent section of an HDD) or even an entire HDD, USB key drive, etc. Thus, for example, the following command could be used to securely destroy the three files named file1, file2 and file3:
This default number of overwritings can be changed by using the -n option followed by an integer representing the desired number. This is useful in the case of very large and/or numerous files, large partitions, etc., as the time required for destruction can be significantly reduced, but at the expense of the thoroughness of destruction, by reducing the number of overwritings.
The effectiveness of shred relies on the very important assumption that the filesystem overwrites data in place. However, many modern filesystems do not satisfy this assumption, including journaled filesystems (such as Ext3 and ReiserFS), RAID-based filesystems, compressed filesystems, and filesystems that cache data in temporary locations [2]. It should also be kept in mind that copies of files can be retained in filesystem backups and on remote mirrors. This is just another reason that careful consideration should be given in advance to the most appropriate filesystems as well as backup and mirroring policies in situations in which highly sensitive data is likely to be used.
Thus, it is almost always more reliable to shred an entire partition rather than just a file. For example, the following would destroy data on the seventh partition on the first HDD:
However, even shredding entire partitions is not always completely reliable. One reason is that most HDDs map out bad sectors (i.e., sections on tracks) invisibly to application programs, including shred and other utilities. Thus, if sensitive data is contained in those sectors, shred will not be able to destroy it.
By default, shred does not delete files or partitions after overwriting them. However, overwritten files can be deleted by using the -u option. This both frees up the disk space for other data and makes it even more difficult to reconstruct the shredded data (i.e., by allowing further overwriting of it).
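The difference between rm (which only unlinks) and shred (which overwrites in place a chosen number of times and then, with -u, unlinks) can be seen in a minimal reimplementation of the mechanism. This is an added example, not coreutils code; the file contents, the shred_file and demo function names and the pattern set are constructed for illustration, and the example inherits the same assumption as shred itself, namely that the filesystem honours in-place overwrites.

```python
"""Minimal shred-style in-place overwrite (added example, not coreutils code).
Assumes a filesystem that overwrites data in place; journaling, compression,
RAID layouts or caching can leave the old blocks untouched, exactly as the
article warns."""
import os
import secrets
import tempfile

# fixed fill bytes used on the even passes; random data is used on the others
PATTERNS = [b"\x00", b"\xff", b"\x55", b"\xaa"]


def shred_file(path: str, passes: int = 3, remove: bool = False) -> int:
    """Overwrite `path` in place `passes` times (like shred -n) and optionally
    unlink it afterwards (like shred -u). Returns the bytes written per pass."""
    size = os.path.getsize(path)
    # O_WRONLY without O_TRUNC: truncating first would free the blocks and the
    # new data could land elsewhere, leaving the original blocks recoverable.
    fd = os.open(path, os.O_WRONLY)
    try:
        for i in range(passes):
            if i % 2 == 0:
                fill = secrets.token_bytes(size)          # random pass
            else:
                fill = PATTERNS[(i // 2) % len(PATTERNS)] * size
            os.lseek(fd, 0, os.SEEK_SET)
            written = 0
            while written < size:
                written += os.write(fd, fill[written:])
            os.fsync(fd)  # force this pass to the device before the next one
    finally:
        os.close(fd)
    if remove:
        # unlink only after overwriting; rm alone would leave the data intact
        os.unlink(path)
    return size


def demo() -> dict:
    """Write a constructed marker to a temp file, shred it, confirm the marker
    is gone with the size unchanged, then shred again with removal."""
    marker = b"CONSTRUCTED-SECRET-MARKER-FOR-THIS-EXAMPLE\n" * 64
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker)
        path = f.name
    size = shred_file(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    result = {"size_unchanged": len(after) == size,
              "marker_gone": b"CONSTRUCTED-SECRET" not in after}
    shred_file(path, passes=1, remove=True)
    result["removed"] = not os.path.exists(path)
    return result
```

Note that the read-back only proves the file's current blocks were rewritten; it cannot prove the filesystem did not relocate them, which is why the article recommends shredding whole partitions for sensitive data.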
Among shred's other options is -f, which forces shredding by changing permissions if necessary. Also, the -v, or --verbose, option tells what is happening while shred is going about its work, and the --version option tells what version of shred is currently installed.
[2] If one is not certain as to how a filesystem operates, then it should be assumed that it does not overwrite data in place, and thus that shred cannot operate reliably on files in that filesystem.
Created September 12, 2006.