Home / server / Questions / 308714
Accepted
alfish
Asked: 2011-09-07 12:59:20 +0800 CST

How to clean up server's hard disks before giving it away?

  • 772

I am going to sell a Linux server to a random person. For obvious reasons I want to clean up the hard disks so that the current data on the disk can never be retrieved. What is the safest way to do so? OS re-install? rm -rf *? or something else?

The server is colocated and I don't have physical access.

security

5 Answers

  1. DBAN.

    Or, if you want something a bit more simple (but theoretically less secure), fire up a livecd and do:

    $ dd if=/dev/zero of=/dev/sdX
    • 19
  2. Best Answer
    shred -z /dev/sdX

    This will overwrite the hard disk three times with random data, and write zeros to the disk on a final fourth pass. You can adjust the number of passes with the -n option. man shred for more options.

    • 9

  3. If you don't have any out of band management of the server, and your can only access the server via SSH, then you may find wiping it pretty challenging. You could place a copy of the dban image onto your hard drive and configure the boot-loader to wipe the system on the next boot. But if you don't have physical access you won't really be able to verify this has completed.

    I suspect what you may have do is work with the techs at the collocation site, to boot a livecd and start up networking and ssh. Once the get you booted off a livecd, then use dd, or a tool like shred. Then do a base install onto it for the person you are selling it to.

    • 3

  4. As well as the suggestions for using dd, dban and shred, there are a couple of other options that may be possible, depending on your system.

    If you have disks that support full disk encryption (also known as self-encrypting disks), you can request that the disk change the encryption key it uses. This will result in the disk immediately becoming unusable, as all the encrypted data on it is now unaccessable. Modern SSDs support this, as do many modern SAS disks (eg, Seagate Constellation ES SAS / Seagate Savvio / Seagate Cheetah). All disks that support FDE/SED are always encrypting the disks, regardless of whether you have some kind of encryption infrastructure to manage keys set up over the top - so you can always securely erase these disks by requesting a key change. (I don't have any handy docs on how to do this, and I can't remember where my research led me to last time I looked at it. )

    Another option is to use the ATA Secure Erase command, which does a low-level zero write over the entire disk. This NIST Guidelines for Media Sanitization document states that the ATA Secure Erase command is good for security requirements up to purge level, which probably means it's good enough for you.

    Neither method may be available to you, and I think a single dd or shred run is probably the simplest thing for you to implement, however there are other options :)

    • 3 
  5. for i in $(seq 1 10);do time dd if=/dev/zero of=/dev/sdX bs=1M;echo "finished iteration $i";done

    will take forever, but even the most extremist security expert won't complain about that method.

    • 1