HowTo: Setup Darik’s Boot and Nuke (DBAN) to automatically erase storage devices via PXE boot
Darik’s Boot and Nuke (abbreviated as DBAN) is a popular tool used by many organisations and individuals to securely erase hard-drives prior to disposal, or perhaps just to fix Windows problems . It typically comprises a small 15MB ISO image that you can burn to CD or make a bootable USB stick from so you can boot up a PC on it and set about erasing all detected storage devices.
When you’re doing a lot of machines, however, booting a CD is tedious, especially when you accidentally scratch the disc and need to burn a new one. Using a USB stick and either misplacing it, or forgetting to remove it before erasing starts means you lose the content of the boot stick too.
Wouldn’t it be nice to be able to simply boot DBAN from the network so it’s always available whenever you need it and have it automatically use your preferred options instead of being manually run each time?
Pre-requisites
- A copy of DBAN. You can get it from the project site here. I will be using version 2.2.8 in this article.
- A working Linux PXE server. If you’ve not built one before, you can use my previous guide here.
- A sacrificial hard-drive or a virtual machine to test with. You will be completely destroying the data on the drive. When this exercise is over, there will be nothing recognisable on the drive so operating systems will typically recognise the drive as a brand new, never-before-used drive.
- The PC housing the sacrifical drive needs to have the ability to boot from PXE. All modern computers built in the last 15 years should be able to do this.
Let’s get it going
- First up, we need to extract DBAN’s files from the ISO image since we’re not going to burn it to a disc. Open the downloaded ISO image in Archive Manager by right-clicking on it and choose “Open with Archive Manager”.
- Extract the following files: DBAN.BZI and ISOLINUX.CFG
- On your PXE server, assuming you have all your files under /srv/tftp as per my previous tutorial, make a new folder called “dban” under it:
$ mkdir /srv/tftp/dban
- Now copy over the DBAN.BZI file you extracted in Step 1 to the /srv/tftp/dban directory. You don’t need to copy ISOLINUX.CFG because we’re simply using that for boot command reference.
- Now rename the file so that it’s all in lowercase:
$ mv /srv/tftp/dban/DBAN.BZI /srv/tftp/dban/dban.bzi
(We don’t actually need to do this, but since everything else in the Linux world is typically in lower-case, we may as well do the same here) - Now make sure that the permissions are set for TFTP correctly:
$ sudo chmod 777 -R /srv/tftp
- Now let’s setup a simple PXE menu boot option that is simply going to write zeros across all detected storage devices when you boot up on it (which is the fastest method of wiping while remaining secure). Open your PXE boot menu config file. If using my previous tutorial, then that will be:
$ nano /srv/tftp/mybootmenu.cfg
- Scroll to the bottom (or insert where you’d like to have it) and add the following lines:
LABEL Auto ^Nuke EVERYTHING With Zeros NOW! No Questions Asked!
KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method zero" silent - Press CTRL+X, then Y and then Enter to save your changes.
- Boot up your sacrificial system into PXE. When your menu appears, you should see a new entry called “Auto Nuke EVERYTHING With Zeros NOW! No Questions Asked!” and the “N” character will be highlighted to indicate the keyboard shortcut for it.
- Use the arrow keys or the keyboard shortcut to launch DBAN. It should boot quite quickly since it’s such a small application.
- You will see a lot of text appear while the system boots up, enumerating hardware and searching for storage devices. At this time, any attached direct-writable storage mediums such as hard-drives and USB sticks will become targets for DBAN. Network drives/shares and other PC’s on your network will not become targets.
- Once the system has detected everything it can find, DBAN will begin. All detected storage devices will be listed on their own line and will show their erasure status. You will notice that all this starts automatically and with no further interaction from you.
- Once the system has completed erasing all devices, it will advise accordingly and halt the system. Your drives are now securely erased!
Additional Options
So you might be wondering, what did we need the ISOLINUX.CFG file for if we weren’t going to use it? Will, this is just for your reference – it contains all the command line parameters for all of the other options that DBAN offers you for the truly paranoid data hoarder. Please note that these additional options are superfluous – hard-drives are magnetic devices that can only hold one set of ones and zeros. Overwriting the drive multiple times with sequential or random ones and zeros is not going to make the erasure any more or less secure. Once a drive is wiped with just one pass of ones or zeros or a random combo, it is impossible to recover any data from it, and you certainly cannot “unformat” it or “unwipe” it.
To save you some time, here’s a complete list of the extra options presented as a sub-menu for your PXE boot menu. Simply copy and paste it into your boot menu configuration, or pick and choose the options you want.
Note: To prevent accidental erasing of a system from PXE boot, the default menu option is set to run DBAN in manual mode where you are asked to choose which drives you wish to erase, which gives you a chance to back out.
# ================================================================ # BEGIN: SECURE HDD ERASE OPTIONS # ================================================================ menu begin Secure HDD erase options menu title ^Secure HDD erase options label mainmenu menu label ^Back.. menu exit LABEL Auto ^Nuke EVERYTHING With Zeros NOW! No Questions Asked! KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method zero" silent LABEL ^Manual Setup of Wipe Options MENU default KERNEL dban/dban.bzi APPEND nuke="dwipe" LABEL ^Default 3-Pass Random Wipe (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke" silent LABEL US Dept Defence ^Standard Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method dod522022m" silent LABEL US Dept Defence ^3-Pass Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method dod3pass" silent LABEL US Dept Defence Short Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method dodshort" silent LABEL Peter ^Gutmann Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method gutmann" silent LABEL ^RCMP TSSIT OPS-II Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method ops2" silent LABEL ^Paranoid 8x Wipe with Full Verify (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method prng --rounds 8 --verify all" silent LABEL PRNG Stream ^8x Wipe Method (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method prng --rounds 8" silent LABEL ^Quick Wipe - Not 100% Secure (AUTO) KERNEL dban/dban.bzi APPEND nuke="dwipe --autonuke --method quick" silent menu end # ================================================================ # END: SECURE HDD ERASE OPTIONS # ================================================================
Happy erasing!
Leave a Reply