Tech Solvency / pub / bin / erasing-storage - storage sanitization reference
Royce's rough notes on securely wiping/sanitizing storage
Yes, some people still need to wipe drives:
- Many people and orgs still have old drives or old gear that need to be moved from one security level to another (repurposed, discarded, donated, etc.)
- Most people and tech teams often don't have the knowledge (or time) to definitively assess what data remains on their storage devices, and how it might be misused.
- If drives are leaving your control, even if you're paying a third party to wipe or destroy them, it is almost always in your best interest to do a basic wipe prior to the drives leaving your custody. You would be amazed at how often such efforts can go awry (accidentally or otherwise).
No, you almost always don't need multiple fancy passes:
- Multiple passes were recommended because of extra magnetic material that was fallow between tracks in much older hard drives (less than 15-20GB or made prior to 2002)
- You could theoretically deduce what used to be on a given track by studying the fallow magnetic material nearby, because the write heads were less precise and also affected nearby material.
- As track density increased and write heads got more precise, the amount of magnetic material affected by this issue was effectively eliminated.
- This means that if you have a modern hard drive, a single-pass wipe is sufficient for almost all use cases.
- Quoting Gutmann: "In particular the drives in use at the time that this paper was originally written are long since extinct, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 200GB of other erased traces are close to zero."
- For more information on this, see the References section at the bottom of this page.
General Tips
- Many Linux live CDs include hdparm, but it can be hard to use. Hands down, the best UI wrapper for hdparm is Parted Magic (https://partedmagic.com/, less than $20; I'm not affiliated - just a fan). It properly handles the freeze-workaround-with-sleep scenario, wipes multiple drives simultaneously, provides a time estimate, etc.
- FreeBSD can invoke ATA Secure Erase using camcontrol security -s anypass -e anypass -y adaX
- I am not affiliated, but the free Ultimate Boot CD (https://www.ultimatebootcd.com/) includes both DBAN and HDDErase used here.
- The general Wikipedia article on data erasure is very informative.
- If a drive has only partially failed, wiping the non-failed parts of the drive with a tool like ddrescue may have value (see below).
- Short of degaussing and physical destruction, each of these methods is software that may have bugs. Match your sanitization method to your data sensitivity and threat model. Combining methods (an OS-level wipe, followed by a controller-level wipe, followed by a degauss, etc.) can provide additional assurance, especially when different steps in the process are handled by different parties.
- These tips assume that if you are repurposing a drive, you might not be sure what data remains, or you're moving the drive to a role with different data sensitivity or different security posture. If you know exactly what's on the drive or it's going to replace a drive in a very similar role, wiping is obviously not really necessary. But it's often so hard to be sure that you're better off assuming the worst.
Scenarios and Use Cases
If the drive is too old to support the ATA Secure Erase command (less than 15-20GB or made prior to 2002):
- Strongly consider physically destroying the drive and not repurposing.
- If it must be repurposed, use DBAN to perform a 5220.22-M (7-pass) wipe.
https://www.dban.org/
- Reformat the drive for reuse.
If it is a magnetic spinning drive, and will be repurposed, perform a low-level wipe:
- If the drive is part of a RAID, put the controller in a non-RAID mode (JBOD, Initiator/Target, etc.), or attach the drive to a non-RAID controller.
- Boot from an MS-DOS USB stick. If you do not have one and use Windows, use Rufus to create one.
- Run the HDDErase utility to issue the NIST 800-88-approved "ATA Secure Erase" command:
https://cmrr.ucsd.edu/resources/secure-erase.html
- Follow the prompts to set a security password. Use a password so that an interrupted wiping session can be recovered. Do not relinquish control of the device until the secure erase is completed.
- Unless the drive is from a ThinkPad (which relies on the Device Configuration Overlay, or DCO, area), follow the prompts to delete any DCO and HPA areas.
- Select the option to verify that the wiping completed.
- When wiping is complete, print out the completion page (with drive serial, etc.), sign and date it, and place in a drive disposal log folder.
- Wipe the drive with a single character. Zero is recommended to make it easy to visually verify.
- Reformat the drive for reuse.
If booting from DOS USB or using HDDErase does not appear to be possible, try:
- Disable AHCI in the BIOS and try again.
- Use the Parted Magic Linux live CD -> System Tools -> Erase Disk -> Internal:Secure Erase command.
- Boot a Linux live CD such as any Ubuntu CD, or the Gparted Live CD: https://gparted.org/livecd.php, open a Terminal, LXTerminal, or similar command-prompt window, and directly use the hdparm utility instead:
https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase
1. Manually remove HPA if it exists (or Parted Magic will do this for you)
# hdparm -N /dev/sdX
(If "HPA is enabled", read second value in "max sectors" line shown):
# hdparm -N p[max-sectors] /dev/sdX
2. Manually remove DCO if it exists (non-Thinkpads only):
NOTE: DO NOT REMOVE DCO ON THINKPADS.
a. Check the number of sectors against the number noted above.
# hdparm --dco-identify /dev/sdX
b. If the --dco-identify sector count does not match the second -N number, remove the DCO. hdparm refuses the first form and tells you to repeat it with the --yes-i-know-what-i-am-doing flag, which is the form that actually removes it:
# hdparm --dco-restore /dev/sdX
# hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdX
3. Check if the drive is frozen, and attempt to unfreeze it (Parted Magic will do this for you)
# hdparm -I /dev/sdX | egrep -i frozen
If it is, unfreeze it by temporarily suspending the system.
# pm-suspend
Then wake the system up (press a key, tap the power button, etc.). The drive should now be unfrozen.
# hdparm -I /dev/sdX | egrep -i frozen
4. Initiate the Secure Erase command:
a. First, set a security password (required to wipe the drive).
# hdparm --user-master u --security-set-pass password /dev/sdX
b. Then erase the drive.
- Option 1: simple erase (zeroes):
# time hdparm --user-master u --security-erase password /dev/sdX
- Option 2: enhanced erase (predetermined patterns, including bad/reallocated sectors):
# time hdparm --user-master u --security-erase-enhanced password /dev/sdX
This simple shell script will do a lot of the hdparm work for you. Just boot from a Linux live CD, then download the script and run it.
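The following is an added example, not the page's own script: dry-run helpers for the hdparm procedure above. Each parser takes captured hdparm output as text, so the HPA/DCO/frozen logic can be tried on the constructed samples before it is ever pointed at a real /dev/sdX; the sample output is constructed in the format hdparm prints, not captured from a real drive.

```shell
#!/bin/sh
# Added example (not the page's own script): dry-run checks for the hdparm procedure
# above. Each parser takes captured hdparm output as text, so the logic can be tried
# on the constructed samples below before it is ever pointed at a real /dev/sdX.

# Constructed samples in the format hdparm prints (not captured from a real drive).
SAMPLE_N='/dev/sdX:
 max sectors   = 976000000/976773168, HPA is enabled'
SAMPLE_DCO='Real max sectors: 976773168'
SAMPLE_I='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase'

# Native (second) sector count from `hdparm -N`, and whether an HPA is active.
hpa_native_sectors() { printf '%s\n' "$1" | sed -n 's/.*\/\([0-9]*\),.*/\1/p'; }
hpa_enabled()        { printf '%s\n' "$1" | grep -q 'HPA is enabled'; }
# Real sector count from `hdparm --dco-identify`; it differs from the -N value when a DCO hides space.
dco_real_sectors()   { printf '%s\n' "$1" | sed -n 's/^Real max sectors: *\([0-9]*\).*/\1/p'; }
# Frozen state from `hdparm -I`: a bare "frozen" line, as opposed to "not frozen".
is_frozen()          { printf '%s\n' "$1" | grep -i 'frozen' | grep -qv 'not'; }
enhanced_supported() { printf '%s\n' "$1" | grep -q 'supported: enhanced erase'; }

# Print the steps still needed, in the order the procedure above lists them,
# without touching the drive. $1 = -N text, $2 = --dco-identify text, $3 = -I text
plan_erase() {
    plan=''
    hpa_enabled "$1" && plan="$plan remove-hpa"
    dco=$(dco_real_sectors "$2")
    [ -n "$dco" ] && [ "$dco" != "$(hpa_native_sectors "$1")" ] && plan="$plan remove-dco"
    is_frozen "$3" && plan="$plan unfreeze"
    if enhanced_supported "$3"; then plan="$plan erase-enhanced"; else plan="$plan erase"; fi
    echo "${plan# }"
}

# Real use, once the dry run looks right (commands from the procedure above):
# plan_erase "$(hdparm -N /dev/sdX)" "$(hdparm --dco-identify /dev/sdX)" "$(hdparm -I /dev/sdX)"
plan_erase "$SAMPLE_N" "$SAMPLE_DCO" "$SAMPLE_I"   # remove-hpa unfreeze erase-enhanced
```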
If the drive is SAS/SCSI, or sits behind an HBA that presents it as SCSI, ATA Secure Erase isn't available and hdparm -I won't work ("bad/missing sense data"), because these interfaces are implemented as SCSI, not ATA. Instead:
- Boot a Linux live CD with the sg3-utils suite of SCSI tools installed
- Run sg_sanitize with the [-C|--crypto] option against the target drive(s)
- For older drives that don't support sg_sanitize, use sg_format to format with the SCSI "Secure Initialization" bit set (-S or --security option)
- Reformat the drive for reuse.
If it is an SSD, and will be repurposed, either activate full-disk encryption or issue a controller-level erase, using one of the following options:
Option 1 - Encrypt the drive:
- Enter the system BIOS.
- Go to the Security area.
- Enable "HDD password" or "hard drive password". This enables internal hardware-based FDE (Full Disk Encryption).
- Set a password for the device of at least 25 random upper, lower, number, and special characters.
- Allow the drive to be encrypted.
- Disable the hard drive password.
- Reformat the drive for reuse.
Option 2 - Use hdparm to invoke SATA "Secure Erase":
- Use the SATA "Secure Erase" feature as described above. On SSD, this should be implemented under the hood as encryption of the entire drive, followed by overwriting of the key.
- Reformat the drive for reuse.
Option 3 - Use the SAS/SCSI sg_sanitize or sg_format options above.
- On SSD, sg_sanitize -C should be implemented under the hood as encryption of the entire drive, followed by overwriting of the key.
- With sg_format, the wipe may be slower and does not provide the same assurance; consider fallback methods.
- Reformat the drive for reuse.
If it is NVMe: ref (tinyapps.org)
- Install nvme-cli in Linux
- Get device path: nvme list
- Verify format support: nvme id-ctrl -H /dev/nvmeX
- Issue the Secure Erase command: nvme format /dev/nvmeX --ses=1
- May need to suspend/resume (systemctl -i suspend) and then retry
- Verify: hexdump /dev/nvme0n1
See also NVME Sanitize (tinyapps.org)
If it is a drive already using BitLocker:
- Remove BitLocker. BitLocker encrypts SMART and the Secure Erase command cannot be issued until BitLocker is removed.
If it is a cellphone or other mobile device that supports full-disk encryption:
- Enter the device configuration in the security area.
- Set a password for the device of at least 16 random upper, lower, number, and special characters.
- Enable encryption of the device.
- Perform a factory restore of the device.
- Reformat the external storage.
If it is a USB, MicroSD, Compact Flash, or other flash-based device not directly accessible using a PATA or SATA interface (not a hard drive):
- Be aware that fully erasing USB devices that do not support hardware full-disk encryption is not currently possible. This is a best-effort method.
- Use Disk Wipe to wipe the device.
http://www.diskwipe.org/
- Write the entire drive with a value, and then again with its complement.
For example, first all zeroes:
shred -n 1 --random-source=/dev/zero -v /dev/mydev
(no -u here: shred's -u/--remove would try to rename and unlink the /dev/mydev device node after the overwrite)
... and then all 1s (FF):
perl -e '$s="$s\xFF" while length($s)<512; print $s while 1' | dd of=/dev/mydev
- Consider physically destroying the device.
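An added example, not from the page, for checking the result of the fill passes above (and the "zero is easy to visually verify" advice in the spinning-drive and NVMe sections): it confirms that a device or image reads back entirely as the fill byte instead of eyeballing hexdump. It assumes GNU or busybox cmp and tr, util-linux blockdev for block devices, and a constructed 4 KiB sample image standing in for the target.

```shell
#!/bin/sh
# Added example (not from the page): confirm that a wiped device or image reads back
# entirely as the fill byte, 0x00 after a zero pass or 0xFF after the complement pass
# above, rather than eyeballing hexdump. Assumes GNU or busybox cmp and tr, and
# util-linux blockdev for block devices.

# Byte length of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# verify_fill PATH OCTAL_BYTE: prints "ok" if every byte equals the fill byte (000 or 377),
# otherwise the 1-based offset of the first differing byte as cmp reports it.
verify_fill() {
    size=$(target_size "$1")
    # /dev/zero is already the 0x00 stream; tr turns it into a stream of any other byte,
    # and cmp -n stops after exactly $size bytes so the endless stream is harmless.
    out=$(tr '\000' "\\$2" < /dev/zero | cmp -n "$size" "$1" - 2>&1) && { echo ok; return 0; }
    printf '%s\n' "$out" | sed -n 's/.*differ: [a-z]* \([0-9]*\).*/\1/p'
}

# Constructed sample: a 4 KiB image that is all zeros except one stray 0xFF byte at
# offset 100 (0-based), standing in for a sector the zero pass missed. Prints its path.
make_sample() {
    f=$(mktemp)
    dd if=/dev/zero of="$f" bs=1024 count=4 2>/dev/null
    printf '\377' | dd of="$f" bs=1 seek=100 conv=notrunc 2>/dev/null
    echo "$f"
}

sample=$(make_sample)
verify_fill "$sample" 000    # prints 101: the stray byte, so this zero pass is not clean
rm -f "$sample"
```

For a real target, call verify_fill /dev/mydev 000 after the zero pass and verify_fill /dev/mydev 377 after the 0xFF pass; anything other than "ok" is an offset worth inspecting.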
If the drive is failing and you are having problems erasing it:
- Use ddrescue's --fill-mode option to wipe what you can.
- Example: first, analyze (will create image): ddrescue -f -n /dev/bad_drive /path/to/temp.img ddrescue-logfile
- Then zero the good sectors: ddrescue --fill-mode=+ --force /dev/zero /dev/bad_drive ddrescue-logfile
- Note that under some Linuxes, ddrescue is provided by the gddrescue package.
- If more than a trivial amount of the drive is inaccessible, consider physically destroying the device.
If not repurposing the device:
- If time is available, for additional assurance, perform the appropriate procedure above.
- Use a commercial drive magnet system to magnetize the device.
- Physically destroy the device. I've seen others recommend the PureLev disk-drive crusher, which looks reasonable.
References
- https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final - NIST SP800-88 Rev. 1 Guidelines for Media Sanitization | local mirror
- https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase - lots of good info on hdparm
- https://partedmagic.com/secure-erase/ - the Secure Erase tool built into Parted Magic. Highly recommended, and a steal at $9 on CD or $16-30 on USB. (I'm not affiliated, just a big fan)
- https://www.nsa.gov/resources/everyone/media-destruction/ - NSA Media Destruction Guidance
- https://en.wikipedia.org/wiki/Data_erasure - Wikipedia
- https://spectrum.ieee.org/computing/hardware/wise-drives - "Wise Drives", Gordon Hughes, IEEE Spectrum, Aug 2002
- https://en.wikipedia.org/wiki/Device_configuration_overlay - the DCO drive area that isn't reachable by OS-level drive-wiping processes
- https://en.wikipedia.org/wiki/Host_protected_area - the HPA (Host Protected Area) that also isn't reachable from the OS
- https://www.researchgate.net/publication/228740643_Secure_erase_of_disk_drive_data - "Secure Erase of Disk Drive Data" (Hughes and Coughlin, January 2002)
- Secure Deletion of Data from Magnetic and Solid-State Memory (Gutmann, 1996) | local copy
- Guidelines for Data Sanitization and Disposal (CMU) | local copy
- DiskStroyer a do-it-yourself physical hard drive destruction guide, good for the layperson, and recommended by Gutmann as thorough
- Disposal of Disk and Tape Data by Secure Sanitization (Hughes, Coughlin, Commins, IEEE Security and Privacy July-Aug 2009)
- @0xdade on why data recovery on SSDs is a hard problem
- Erasing personal data from second-hand devices (NCSC guidance, 2020-12)
Supporting information
Definitive paper and tool by Gordon Hughes, whose work was funded by NSA, incorporated into the ATA standard at his request and referenced in NIST 800-88. HDDErase v3.3 detects whether HPA or DCO areas exist, and prompts the user to erase them:
"Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as the freeware HDDErase downloadable here. It executes the Federally-approved (NIST 800-88) Secure Erase command in the ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB."
https://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1
Related: Preparing a Mac for resale or donation (Sierra edition)
SANS ref: Securely Disposing of your Mobile Device
SANS Reading Room - Let's Talk About Data Recovery (Kevin Ripa)
tinyapps.org: drive-zeroing vs recoverability references
tinyapps.org: ATA SANITIZE and hdparm
Sandpaper, a sledgehammer, and/or thermite may also be expedient. ;)
$Date: 2021/03/06 00:00:21 $
Royce Williams
Tech Solvency