There are many tools available for Linux to securely erase data on a per file basis: shred, wipe, srm, ... you name it. Related instructions and advice typically focus on the contents of the files to be erased but rarely on these files' names, which most of these tools leave untouched in residual directory entries, open to undesired recovery. One positive exception on non-journalling file systems is shred, see below.
Here is an example to illustrate the problem:
Imagine that you live in a country that severely penalizes any activity related to Fnords. So you really do not want to be caught with an overlooked directory entry of a file named Frobnicating_Fnords_mini-HOWTO.html in your file system even if that file's contents were overwritten 32 times by srm. If you use a non-journalling file system, you can use shred -u ..., which takes care of that problem by renaming the file several times before unlinking it. However, shred can not be used for directories. So what to do with the directory Frobnicating_Fnords_mini-HOWTO_files that accompanies the html file in this example?
That is the background for my question:
Is there a tool for Linux—or a shell script fragment that can be used on the command line—that securely scrambles the name of a directory so that it can not be recovered any more on the file system level?
Please note: This question is not about recurring into a directory to erase a whole directory tree. It is about camouflaging the name of a single directory.
To focus the question: Let's assume that we are using a non-encrypted, non-journalling file system like Ext2.
Looking into the sources of shred, namely the function wipename, it seems that it just does simple renames (renameatu) prior to unlinking the file. Unfortunately, I was not able to get the desired result by mimicking this method with mv and rename on the command line. (Why?) See the supplement below for details on that.
Of course, one possible solution would be to just conventionally delete all compromising files and directories, copy the whole file system content to a second file system, securely erase the first one, and optionally copy everything back. But I am looking for a less invasive method, something that you can do quickly as soon as you hear THEIR helicopters...
Warning
The man page of shred states a lack of effectiveness in the case of journalling Ext3 file systems only for the mount option data=journal. This is only correct with respect to the erasure of file contents, but not regarding shred's ability to scramble file names: The latter breaks on Ext3 and Ext4 no matter which mode of the data mount option is used. The reason is that file names are meta data and always journalled on these file systems. That the file names survive a shred -u ... in these cases can easily be verified with the methods shown in the supplement below.
Supplement
As Patrick Mevzek suggested in his comment, I give here the details of my attempt to mimic shred's renaming strategy to scramble a directory name:
First, I set up a (new) image file to hold a test file system and mounted that file system on /mnt:
rm -f img
truncate -s 3M img
losetup /dev/loop0 img
mke2fs -m 0 -t ext2 /dev/loop0
mount /dev/loop0 /mnt/
Then, I created the directory kkkkkkkkkk in /mnt and therein created a regular file named lllllllllll with the content mmmmmmmmmm. Then I synced:
cd /mnt
mkdir kkkkkkkkkk
cd kkkkkkkkkk
echo mmmmmmmmmm > lllllllllll
sync
Inspecting the image file (in another directory), all these character patterns were visible:
# hexdump -C img | grep kkk
0001c030 d4 03 0a 02 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 |....kkkkkkkkkk..|
# hexdump -C img | grep lll
0001f820 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 00 00 00 00 00 |lllllllllll.....|
# hexdump -C img | grep mmm
00080400 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 0a 00 00 00 00 00 |mmmmmmmmmm......|
Back in /mnt/kkkkkkkkkk, I did a
shred -u lllllllllll
which yields
# hexdump -C img | grep kkk
0001c030 d4 03 0a 02 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 |....kkkkkkkkkk..|
# hexdump -C img | grep lll
# hexdump -C img | grep mmm
on a subsequent inspection of the image file. Note that the last two commands did not give any output: So shred successfully scrambled the content (mmmmmmmmmm) and the name (lllllllllll) of the regular file.
Now I wanted to overwrite the name of the (now empty) directory kkkkkkkkkk. For that I did:
cd /mnt
mv kkkkkkkkkk xxxxxxxxxx
sync
yielding
# hexdump -C img | grep kkk
0001c030 14 00 0a 02 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 |....kkkkkkkkkk..|
# hexdump -C img | grep xxx
0001c040 0c 00 00 00 c0 03 0a 02 78 78 78 78 78 78 78 78 |........xxxxxxxx|
Instead, I desired to get no output from grep kkk. Obviously, the mv made a new directory entry for the renamed directory xxxxxxxxxx rather than reusing the old slot, which in consequence still holds the old name kkkkkkkkkk.
I also tried rename(1), with a similar result: The old directory name survived.
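To make the hexdump result in the supplement concrete, here is an added Python example (not from the post and not part of shred or e2fsprogs) that builds a 1 KiB ext2 directory block, unlinks an entry the way the ext2 driver's ext2_delete_entry does (inode zeroed, predecessor's rec_len widened, name bytes untouched), and then scans the slack space of the live entries for names that survive. The entry layout, inode numbers and function names are my own construction, chosen so that the offsets match the post's hexdump.

```python
import struct
HDR = struct.Struct("<IHBB")  # ext2_dir_entry_2 header: inode, rec_len, name_len, file_type
BLOCK_SIZE = 1024             # 1 KiB directory block, matching the offsets in the post's hexdump

def rec_size(name_len):       # 8-byte header + name, rounded up to a 4-byte boundary
    return (8 + name_len + 3) & ~3

def build_block(entries):     # pack (inode, name) pairs; the last entry takes the block's free space
    out = bytearray()
    for i, (ino, name) in enumerate(entries):
        rec_len = BLOCK_SIZE - len(out) if i == len(entries) - 1 else rec_size(len(name))
        raw = HDR.pack(ino, rec_len, len(name), 2) + name.encode()
        out += raw + b"\0" * (rec_len - len(raw))
    return out

def walk(block):              # follow the rec_len chain: (offset, inode, rec_len, name) per slot
    off = 0
    while off + 8 <= len(block):
        ino, rec_len, nlen, _ = HDR.unpack_from(block, off)
        yield off, ino, rec_len, bytes(block[off + 8:off + 8 + nlen])
        off += max(rec_len, 8)  # a zero rec_len in a corrupt block must not loop forever

def unlink(block, victim):
    """Mimic ext2_delete_entry: zero the inode, fold the slot into the predecessor's rec_len, leave the name."""
    prev = None
    for off, ino, rec_len, name in walk(block):
        if name == victim:
            struct.pack_into("<I", block, off, 0)
            if prev:
                struct.pack_into("<H", block, prev[0] + 4, prev[1] + rec_len)
            return
        prev = (off, rec_len)
    raise KeyError(victim)

def residual_names(block):    # names still readable in the slack of live slots (stale headers)
    found = []
    for off, _, rec_len, name in walk(block):
        end, pos = off + rec_len, off + rec_size(len(name))
        while pos + 8 <= end:
            _, _, s_nlen, _ = HDR.unpack_from(block, pos)
            if s_nlen == 0 or pos + 8 + s_nlen > end:
                break
            found.append(bytes(block[pos + 8:pos + 8 + s_nlen]).decode(errors="replace"))
            pos += rec_size(s_nlen)
    return found

def demo():  # constructed sample: state right after mv added the new name (same inode 12), then unlink the old one
    block = build_block([(2, "."), (2, ".."), (11, "lost+found"), (12, "kkkkkkkkkk"), (12, "xxxxxxxxxx")])
    unlink(block, b"kkkkkkkkkk")
    return [n.decode() for _, ino, _, n in walk(block) if ino], residual_names(block)
```

demo() returns the live names ('.', '..', 'lost+found', 'xxxxxxxxxx') and the residual name 'kkkkkkkkkk', the same picture the grep kkk above gives. residual_names() can be run on any raw ext2 directory block copied out of an image to check whether a scrambling step actually removed a name.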