What is zero padding?
Zero padding or random padding is the practice of securely wiping removable storage devices, such as USB sticks, SD cards and external SSDs, so they can be safely re-used within an organization. Zero padding or random padding fills the storage device with zeroes or random bytes. This overwrites existing documents and files on the storage device.
$ dd if=/dev/zero bs=1 count=16 status=none | hexdump -C
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
$ dd if=/dev/urandom bs=1 count=16 status=none | hexdump -C
00000000 24 e0 e2 a0 69 90 e4 8a 9a d4 7d b9 95 d3 60 c4 |$...i.....}...`.|
If the storage device was just quickly re-formatted, then documents and files would be recoverable by forensic software or basic operating system utilities, because modern storage devices distribute data to new places on the storage device to ensure optimal lifetime.
# dd if=/dev/da0 bs=1 skip=1048576 count=512 status=none | hexdump -C
00000000 4e 1e 40 db 85 ab 9f 63 48 9d 51 e2 8f ef 6f a8 |.Pass.is.Pencil.|
Modern SSDs and larger storage devices might require specialized commands or vendor utilities. In such cases, or when the storage device was used to store highly classified documents, consider physically shredding or destroying the storage device instead.
Identifying storage device to be zero padded.
Identify the storage device. In this example, an external 32 GB USB 3.0 stick was attached and identified as da0.
$ dmesg
da0: <Generic Flash Disk 8.13> Removable Direct Access SPC-4 SCSI device
da0: Serial Number 42011337510013
da0: 40.000MB/s transfers
da0: 29600MB (60620800 512 byte sectors)
da0: quirks=0x2<NO_6_BYTE>
Unmounting file systems on storage device.
Make sure that none of its file systems are mounted.
# umount /dev/da0*
Zero padding a storage device.
Zero padding will fill the entire storage device with zeroes and thereby defeat any attempts at casual recovery of documents or files on it. If you require an even more secure erasure, you can use random padding instead.
# dd if=/dev/zero of=/dev/da0 bs=1M status=progress
dd: /dev/da0: end of device 29 GiB) transferred 2207.307s, 14 MB/s
29601+0 records in
29600+0 records out
In this example, the zero padding of a 32 GB USB 3.0 stick took 37 min. Low write speeds are not uncommon for lower quality USB sticks, despite being labeled as USB 3.0.
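The difference between a quick re-format and zero padding can be checked on a small image file. This is an added example, not part of the original procedure: the image file, the marker string, the 64 KiB "metadata area" and the function names are constructed for illustration, and nothing here touches a real device.

```sh
#!/bin/sh
# Added example: runs only against a constructed image file, never a real device.
MARKER='Pass is Pencil'   # constructed sample data standing in for a document
IMG_KIB=2048              # 2 MiB image standing in for the USB stick

# Create the image and plant the marker at byte offset 1048576.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count="$IMG_KIB" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# Simulated quick re-format (assumption): only the first 64 KiB is rewritten.
quick_format() {
    dd if=/dev/zero of="$1" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# Zero padding: every block of the image is overwritten with zeroes.
zero_pad() {
    dd if=/dev/zero of="$1" bs=1024 count="$IMG_KIB" conv=notrunc 2>/dev/null
}

# Succeeds if the marker can still be read back from the image.
has_marker() {
    LC_ALL=C grep -a -q "$MARKER" "$1"
}

# Succeeds if no non-zero byte is left: strip all 0x00 bytes, count what remains.
is_zeroed() {
    leftover=$(( $(tr -d '\000' < "$1" | head -c 1 | wc -c) ))
    [ "$leftover" -eq 0 ]
}

img=$(mktemp)
make_image "$img"
quick_format "$img"
has_marker "$img" && echo "quick format: marker still readable"
is_zeroed "$img" || echo "quick format: non-zero bytes remain"
zero_pad "$img"
has_marker "$img" || echo "zero padding: marker gone"
is_zeroed "$img" && echo "zero padding: image is all zeroes"
rm -f "$img"
```

The same is_zeroed check can be pointed at the device node after a zero padding pass; it reads the whole device once and only covers the blocks the device exposes to the operating system.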
Random padding a storage device.
Random padding will fill the entire storage device with random data and thereby not only defeat any attempts at casual recovery of documents or files on it, but also provide stronger protection by preventing pattern detection from hardware residue. Random padding takes slightly longer to complete.
# dd if=/dev/urandom of=/dev/da0 bs=1M status=progress
dd: /dev/da0: end of device 29 GiB) transferred 2450.009s, 13 MB/s bytes (25 GB, 24 GiB) transferred 2008.177s, 13 MB/s
29601+0 records in
29600+0 records out
31037849600 bytes transferred in 2450.640376 secs (12665200 bytes/sec)
In this example, the random padding of a 32 GB USB 3.0 stick took 41 min. This is only 4 min longer than zero padding.
If the storage medium is of magnetic type or you require an even more secure erase, you can perform the random padding several times. However, multiple passes on modern storage media have diminishing returns. In this example, the storage device is random padded 3 times. This is, however, not necessary on modern drives.
# for i in 1 2 3; do dd if=/dev/urandom of=/dev/da0 bs=1M status=progress; done
Formatting a USB stick with EXFAT.
The storage device has now been safely erased and it can be formatted with a new file system, so it can be used again. In this example, the USB stick is formatted with the well-supported EXFAT file system. The EXFAT file system will not have a partition scheme. This ensures compatibility.
# mkexfatfs /dev/da0
mkexfatfs 1.4.0
Creating... done.
Flushing... done.
File system created successfully.
Confirm that it works.
# kldload fusefs
# mount.exfat /dev/da0 /mnt
FUSE exfat 1.4.0 (libfuse2)
# umount /mnt