Secure wiping of tapes on Linux

At one client site, we’ve recently moved from tape to disk for our offline backup storage medium.  We debated what to do with the old tape loader and tapes, and concluded that we would never go back and so should get rid of them entirely.  I was given the task of working out how to securely wipe the old tapes.

My first choice was to try ‘wipe’, the usual Linux utility for wiping files and hard disks on a live Linux system.  (I generally use Darik’s Boot and Nuke, a.k.a. DBAN, as an offline wiper.)  To my surprise, wipe did not function at all with /dev/st0 as its target device.  After some brief searching of Google, I concluded that I was not likely to find a pre-existing utility.  I ended up hacking up a quick little script:

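#!/bin/sh
# Multi-pass wipe of every tape in a 7-slot autoloader.
DEVICE=/dev/st0
for i in $(seq 1 7); do
        mtx load "$i"
        for j in $(seq 1 4); do
                # Fresh 1 KB random block for each pass
                dd if=/dev/urandom of=random.block bs=1k count=1
                # Repeat it 10240 times so the feeder loop below iterates less often
                for k in $(seq 1 10240); do
                        cat random.block
                done > big.random.block
                # Feed dd until the tape is full. When dd exits, cat is killed by
                # SIGPIPE and the loop ends ("while true" would respawn cat forever).
                while cat big.random.block; do :; done | dd of="$DEVICE" bs=1024k
        done
        mt -f "$DEVICE" erase
        mtx unload "$i"
done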

A rundown of some salient points:

  • We have a 7-slot SCSI tape autoloader, hence the $(seq 1 7); they’re loaded and unloaded via mtx.
  • I wanted multi-pass wiping using random data, but didn’t want to keep pulling more and more pseudo-random data from /dev/urandom.  The system I was using had only 30 bytes of entropy available in /dev/random, so my data block was probably not highly-random anyway.
  • I started with using just the same 1KB file of random data, but found that the bash loop to cat the file was a performance bottleneck, so the innermost loop is used to repeat the same random block 10K times to make the wipe more efficient.
  • At the end of 4 passes of random data, we do a normal erase.  I assume this writes zeroes to the tape, but I’m not sure.  (The script is still working through our 7 tapes at about 25 GB/hour, so it will be several days before it’s finished.)

Hope this helps someone.  I was surprised that I couldn’t find a better alternative easily.  Suggestions for improvement gratefully accepted.


Source: libertysys.com.au

2 Replies to “Secure wiping of tapes on Linux”

  1. Dear Paul,
    thank you very much for the script. However, dd ends with “dd: error writing ‘/dev/st2’: No space left on device”. The shell just sits there and I have to Ctrl+C to get back.

    I thought it was because I have to rewind after the device is full, but this doesn’t work either.

    My script (I have an 8 slot HP autoloader G2):

    #!/bin/sh
    DEVICE=/dev/st2
    AUTOCHANGER=/dev/sg5
    echo "loading first: 1"
    for i in $(seq 1 8); do
        mtx -f $AUTOCHANGER unload
        mtx -f $AUTOCHANGER load $i 0
        echo "erasing $i"
        for j in $(seq 1 2); do
            echo "erasing round $j"
            dd if=/dev/urandom of=random.block bs=1k count=1
            for k in $(seq 1 10240); do
                cat random.block
            done > big.random.block
            while true; do cat big.random.block ; done | dd of=$DEVICE bs=1024k
            mt -f $DEVICE rewind # <-- rewind before next round
        done
        mt -f $DEVICE erase
    done

    I don't think it helps changing the while true condition, because dd throws the error, which is after the while loop. But how do I tell the script to continue after the device is fully written?

    thanks!
    Tim

    1. Hi Tim,

      The error is normal when dd reaches the end of a tape; however, at that point dd should exit and the rewind should begin. Can you see dd still running in the output of ps? If so, we can set a timeout on the dd. Do you have a feel for how long each pass of the tape will take? If so, try changing dd of=$DEVICE bs=1024k to timeout NNN dd of=$DEVICE bs=1024k, where NNN is the number of seconds after which to kill dd.

      Regards,
      Paul
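
A sketch of a wipe pass that returns when the tape is full and only counts the pass if the writer stopped with the "No space left on device" error quoted in the thread, rather than for some other reason. This is an added example, not code from the original post or its replies: make_block, wipe_pass, fake_tape and wipe_tape are hypothetical names, and fake_tape is a constructed stand-in for a drive so the logic can be exercised without hardware.

```shell
#!/bin/sh
# Constructed demo: fake_tape stands in for "dd of=/dev/stN bs=1024k".

# make_block FILE COUNT: 1 KB from /dev/urandom repeated COUNT times.
make_block() {
    dd if=/dev/urandom of="$1.seed" bs=1k count=1 2>/dev/null || return 1
    for k in $(seq 1 "$2"); do cat "$1.seed"; done > "$1"
    rm -f "$1.seed"
}

# wipe_pass BLOCK LOG WRITER [ARGS...]
# Streams BLOCK into WRITER until WRITER exits. The loop condition is cat
# itself: once WRITER is gone, cat fails on the closed pipe and the loop ends.
# With "while true; do cat ...; done" the shell keeps respawning cat after
# the writer has exited, so the pipeline never returns.
# Returns 0 only if WRITER's stderr shows it stopped at end of medium.
wipe_pass() {
    block=$1 log=$2
    shift 2
    # dd exits non-zero at end of tape too, so its status alone decides nothing.
    while cat "$block" 2>/dev/null; do :; done | LC_ALL=C "$@" 2>"$log" || :
    grep -q 'No space left on device' "$log"
}

# fake_tape FILE BYTES [MESSAGE]: accepts BYTES bytes into FILE, then fails
# like dd at end of tape (or with MESSAGE, to simulate a different error).
fake_tape() {
    head -c "$2" > "$1"
    echo "dd: error writing '/dev/st0': ${3:-No space left on device}" >&2
    return 1
}

# wipe_tape DEVICE PASSES: the same pass against a real drive. Aborts on the
# first pass that did not reach end of tape, so a short write is never
# mistaken for a completed wipe.
wipe_tape() {
    for pass in $(seq 1 "$2"); do
        make_block big.random.block 10240 || return 1
        wipe_pass big.random.block "dd.pass$pass.log" dd of="$1" bs=1024k || return 1
        mt -f "$1" rewind
    done
    mt -f "$1" erase
}
```

The per-pass log files keep dd's byte count, which can be compared against the tape's expected capacity.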
