add package

Status
Not open for further replies.

sirp

Cadet
Joined
Jun 6, 2011
Messages
4
Hi, I need to do a secure file delete on FreeNAS.
On FreeBSD I can do it with the shred command, which is installed in /usr/ports/sysutils/fileutils as 'gshred'.

I need help installing this package, or finding out which package contains it.


Thanks
 
Joined
May 27, 2011
Messages
566
ZFS is COW (copy on write); there is no secure deletion method for ZFS, as there is no way to overwrite data. One option is encrypting the files you want to be able to securely delete; then, when you want to delete them securely, throw away the key and delete the files.
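The key-discard approach suggested above, sketched as an added example that is not part of the original post or of FreeNAS. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`), hypothetical function names, and a key file kept off the ZFS pool; the plaintext has to be encrypted before it is ever written to the pool, because any plaintext block that landed there stays as unerasable as before.

```shell
#!/bin/sh
# Added example: crypto-erase for data stored on a copy-on-write pool.
# Function names are hypothetical; paths are supplied by the caller.
# Assumption: KEYFILE lives outside the pool (RAM disk or destroyable media).

# seal SRC DST KEYFILE: create a fresh random key, write only ciphertext to DST.
seal() {
    src=$1 dst=$2 key=$3
    # 256 bits of randomness, hex-encoded so it is a single text line
    ( umask 077; openssl rand -hex 32 > "$key" ) || return 1
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$key" -in "$src" -out "$dst"
}

# unseal ENC KEYFILE: print the plaintext; fails once the key is gone.
unseal() {
    [ -r "$2" ] || { echo "key gone: $1 is unrecoverable" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1"
}

# crypto_erase ENC KEYFILE: destroy the key, then unlink the ciphertext.
crypto_erase() {
    keylen=$(wc -c < "$2" | tr -d ' ')
    # Overwriting in place only helps because the key is NOT on a COW filesystem;
    # conv=notrunc keeps dd from truncating the key file before writing.
    dd if=/dev/urandom of="$2" bs="$keylen" count=1 conv=notrunc 2>/dev/null
    rm -f -- "$2" "$1"
}
```

Old ciphertext blocks and snapshot copies remain on the pool after `crypto_erase`, but without the key they are only random-looking data.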
 

ixdwhite

Guest
You can install FreeBSD packages in FreeNAS using pkg_add, but:
1. Installing packages is not supported by the FreeNAS dev team -- you modify things at your own risk
2. You can't delete them later with pkg_delete as /var/db/pkg is not saved between reboots
3. Upgrades will erase installed packages as the upgrade process overwrites the entire disk image
4. There is limited space in the root image so things with large dependencies may not install properly

gshred should function; as noted before, it won't guarantee that all copies of the data on disk are overwritten, only the last file copy. A raw disk scan may be able to recover the data blocks. gshred also won't shred copies of files referred to by snapshots.
 

sirp

Cadet
Joined
Jun 6, 2011
Messages
4
Thanks a lot for the answer.
I implemented a script to do it.

So, if someone needs it, just write me.
 

Tekkie

Patron
Joined
May 31, 2011
Messages
353
Can you provide the script? I am looking at having my FreeNAS double up as firewall/proxy server for the home network.
 

sirp

Cadet
Joined
Jun 6, 2011
Messages
4
To do a secure delete I wrote 2 scripts, both in /bin so they can be executed from the execution path.

secure_delete:
#! /bin/bash
#############################################
#
# Script created by SirP & Pachuli to delete files older than
# a certain number of days
#
# ver: 0.2
# date: 11/05/30
#############################################

# DEFINITIONS
DEL_DIR=/mnt/soporte
DEL_DAYS=2

# NUL-delimited so file names containing spaces or newlines are handled correctly
find "$DEL_DIR" -type f -mtime +"$DEL_DAYS" -print0 | while IFS= read -r -d '' f
do
    akafile.sh "$f"
    rm -f -- "$f"
done

akafile.sh:
#! /bin/bash
#############################################
#
# Script created by SirP & Pachuli to fill a file with random characters
#
# ver: 0.1
# date: 11/05/30
#############################################

# Size in bytes of the file to overwrite
file_len=$(wc -c < "$1" | tr -d ' ')

# An empty file has nothing to overwrite
[ "$file_len" -gt 0 ] || exit 0

# conv=notrunc writes over the existing contents instead of truncating the file first
head -c "$file_len" /dev/urandom | dd of="$1" bs=64k conv=notrunc
 
Joined
May 27, 2011
Messages
566
As I already said, ZFS is a copy-on-write operating system; this will not overwrite your files.

If you want unequivocal proof, do the following:

dd if=/dev/zero of=/mnt/yourpool/disk.dat bs=1024k count=512

This will create a half-gig file. Now use su to raise your privileges.

zpool create -m /mnt/test test /mnt/yourpool/disk.dat

This will create a pool named test that is mounted at /mnt/test and uses the file we just created as its 'disk'.

echo "test123" > /mnt/test/file.txt

This will write 'test123' to the file.

Make sure it's in there with

grep "test123" /mnt/yourpool/disk.dat

It will output "Binary file /mnt/yourpool/disk.dat matches", showing that the text exists on the raw 'disk'.

Now 'erase' the file.

dd if=/dev/urandom of=/mnt/test/file.txt bs=1024k count=8

Now watch as the data is still there!

grep "test123" /mnt/yourpool/disk.dat

It will still output "Binary file /mnt/yourpool/disk.dat matches", showing that the text still exists on the raw 'disk'.
 

SoftDux-Rudi

Contributor
Joined
Jun 2, 2011
Messages
108
This is only really helpful if he uses ZFS.

BUT, I am also looking for a way to securely delete files, for forensics purposes, and telling the security team that ZFS is a copy-on-write filesystem simply won't work.
 
Joined
May 27, 2011
Messages
566
If you're not using ZFS, then it should work. If you are using ZFS, then you need to use ZFS version 30 or higher so it supports encryption, which is not supported by FreeBSD at this point.

I think telling the security team that ZFS is copy on write, so it should not be used to store sensitive information, is a valid answer.
 
Joined
May 27, 2011
Messages
566
OK, I got something that can help. I would only do this with a RAIDz2 or any array that has more than one disk of redundancy. First, remove all copies of the file, real and from snapshots. Then remove one disk, dd it with zeros, then re-add it and let it resilver. Do this for each disk one by one, and all your slack space will be zero. Only used space is resilvered, so the files you want to erase are not going to be copied back, as they are not referenced. You could even have an extra few disks lying around to make things faster: remove and resilver, then dd the drive.

Sorry it took so long to get a decent answer for you.
 