sys-shred 1.0.0

A forensic-grade, multi-threaded command-line utility for secure file erasure and anti-forensics.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

//! # CLI Argument Schema
//!
//! Defines the structured inputs for the `sys-shred` application using `clap`.
//! This module ensures that all user inputs are validated and mapped to
//! actionable internal configurations.

use clap::{Parser, ValueEnum};
use std::path::PathBuf;

/// Standard algorithms for secure data erasure.
#[derive(ValueEnum, Clone, Debug, serde::Serialize)]
pub enum ShredMethod {
    /// Overwrite with zero bytes (Fastest).
    Zero,
    /// Overwrite with cryptographically secure random bytes (Balanced).
    Random,
    /// US DoD 5220.22-M (3 passes: 0x00, 0xFF, Random).
    Dod,
    /// Gutmann method (35 passes - Extreme security for older magnetic media).
    Gutmann,
}

/// Output formats for the audit log.
#[derive(ValueEnum, Clone, Debug, Default)]
pub enum AuditFormat {
    /// Human-readable text format.
    #[default]
    Text,
    /// Machine-readable JSON format.
    Json,
}

/// Secure File Erasure Utility (Anti-Forensics)
///
/// `sys-shred` is a specialized tool designed to irreversibly destroy file data.
/// It works by performing multiple cryptographic overwrite passes, randomizing
/// file metadata (name and timestamps), and finally unlinking the file from
/// the filesystem to prevent forensic recovery.
#[derive(Parser, Debug)]
#[command(
    author = "V1lleneuve",
    version = "1.0.0",
    about = "Securely shreds files using cryptographic data and metadata obfuscation",
    long_about = "A high-integrity secure deletion tool that bypasses OS file-system caching to ensure hardware-level data destruction."
)]
pub struct Args {
    /// The absolute or relative path to the target file or directory.
    #[arg(
        value_name = "PATH",
        help = "Path to the file or directory to be destroyed"
    )]
    pub path: PathBuf,

    /// Number of overwrite passes to perform.
    #[arg(
        short,
        long,
        default_value_t = 3,
        help = "Number of cryptographic overwrite passes (Ignored for DoD/Gutmann)"
    )]
    pub passes: u32,

    /// Recursively shred directories and their contents.
    #[arg(
        short,
        long,
        help = "Recursively destroy directories and their contents"
    )]
    pub recursive: bool,

    /// Algorithm to use for data destruction.
    #[arg(
        short,
        long,
        value_enum,
        default_value_t = ShredMethod::Random,
        help = "Erasure method to utilize"
    )]
    pub method: ShredMethod,

    /// Perform a trial run without modifying the filesystem.
    #[arg(
        long,
        help = "Show what would be destroyed without performing actual deletion"
    )]
    pub dry_run: bool,

    /// Verify overwrites by reading back data after writing.
    #[arg(long, help = "Enable read-back verification after each overwrite pass")]
    pub verify: bool,

    /// Exclude files matching specific glob patterns.
    #[arg(
        short,
        long,
        help = "Exclude files matching patterns (e.g. *.log, secret/*)"
    )]
    pub exclude: Vec<String>,

    /// informs the SSD to discard the blocks used by the file (TRIM).
    #[arg(
        long,
        help = "Send a TRIM/Discard command to the SSD after shredding (Linux/Windows only)"
    )]
    pub trim: bool,

    /// Force destruction without interactive confirmation.
    #[arg(short, long, help = "Skip interactive confirmation prompts")]
    pub force: bool,

    /// Path to save the forensic audit log.

    #[arg(
        long,
        value_name = "LOG_PATH",
        help = "Path to generate a forensic audit report"
    )]
    pub audit_log: Option<PathBuf>,

    /// Format of the forensic audit log.
    #[arg(
        long,
        value_enum,
        default_value_t = AuditFormat::Text,
        help = "Format of the audit report (text or json)"
    )]
    pub audit_format: AuditFormat,

    /// Enable verbose logging for granular visibility into the shredding process.
    #[arg(short, long, help = "Enable detailed debug output")]
    pub verbose: bool,

    /// Obfuscate and truncate the file but skip the final unlinking (deletion).
    #[arg(
        long,
        help = "Perform overwriting and obfuscation but do not delete the final file"
    )]
    pub keep: bool,
}