Tech Solvency / pub / bin / erasing-storage - storage sanitization reference

Icon  Name                    Last modified      Size  Description
[PARENTDIR] Parent Directory - [DIR] CMU/ 2021-04-27 22:32 - [DIR] NIST/ 2021-04-27 22:32 - [DIR] NSA/ 2021-04-27 22:32 - [DIR] bin/ 2021-04-27 22:32 - [DIR] gutmann/ 2021-04-27 22:32 - [DIR] hughes/ 2021-04-27 22:32 - [DIR] wikipedia/ 2021-04-27 22:32 -

Royce's rough notes on securely wiping/sanitizing storage

Yes, some people still need to wipe drives:

No, you almost always don't need multiple fancy passes:


General Tips

Scenarios and Use Cases

If the drive is too old to support the ATA Secure Erase command (less than 15-20GB or made prior to 2002):

  1. Strongly consider physically destroying the drive and not repurposing.
  2. If it must be repurposed, use DBAN to perform a 5220.22-M (7-pass) wipe. https://www.dban.org/
  3. Reformat the drive for reuse.

If it is a magnetic spinning drive, and will be repurposed, perform a low-level wipe:

  1. If the drive is part of a RAID, put the controller in a non-RAID mode (JBOD, Initiator/Target, etc.), or attach the drive to a non-RAID controller.
  2. Boot from a MS-DOS USB stick. If you do not have one and use Windows, use Rufus to create one.
  3. Run the HDDErase utility to issue the NIST 800-88-approved "ATA Secure Erase" command:
    https://cmrr.ucsd.edu/resources/secure-erase.html
  4. Follow the prompts to set a security password. Use a password so that an interrupted wiping session can be recovered. Do not relinquish control of the device until the secure erase is completed.
  5. Unless the drive is a Thinkpad (which relies on the Device Configuration Overlay (or DCO) area), follow the prompts to delete any DCO and HPA areas.
  6. Select the option to verify that the wiping completed.
  7. When wiping is complete, print out the completion page (with drive serial, etc.), sign and date it, and place in a drive disposal log folder.
  8. Wipe the drive with a single character. Zero is recommended to make it easy to visually verify.
  9. Reformat the drive for reuse.

If booting from DOS USB or using HDDErase does not appear to be possible, try:

  1. Try disabling AHCI in the BIOS and try again.
  2. Use the Parted Magic Linux live CD -> System Tools -> Erase Disk -> Internal:Secure Erase command.
  3. Boot a Linux live CD such as any Ubuntu CD, or the Gparted Live CD: https://gparted.org/livecd.php, open a Terminal, LXTerminal, or similar command-prompt window, and directly use the hdparm utility instead: https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase

    1. Manually remove HPA if it exists (or Parted Magic will do this for you)
    # hdparm -N /dev/sdX
    (If "HPA is enabled", read second value in "max sectors" line shown): # hdparm -N p[max-sectors] /dev/sdX

    2. Manually remove DCO if it exists (non-Thinkpads only):
    NOTE: DO NOT REMOVE DCO ON THINKPADS.
    a. Check the number of sectors against the number noted above.
    # hdparm --dco-identify /dev/sdX
    b. If the --dco-identify sector count does not match the second -N number, remove the DCO.
    # hdparm --dco-restore /dev/sdX # hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdX

    3. Check if the drive is frozen, and attempt to unfreeze it (Parted Magic will do this for you)
    # hdparm -I /dev/sdX | egrep -i frozen
    If it is, unfreeze it by temporarily suspending the system.
    # pm-suspend
    Then wake the system up (press a key, tap the power button, etc.). The drive should now be unfrozen.
    # hdparm -I /dev/sdX | egrep -i frozen

    4. Initiate the Secure Erase command:
    a. First, set a security password (required to wipe the drive).
    # hdparm --user-master u --security-set-pass password /dev/sdX
    b. Then erase the drive.
    - Option 1: simple erase (zeroes):
    # time hdparm --user-master u --security-erase password /dev/sdX
    - Option 2: enhanced erase (predetermined patterns, including bad/reallocated sectors): # time hdparm --user-master u --security-erase-enhanced password /dev/sdX - Option 2: enhanced erase (predetermined patterns, including bad/reallocated sectors): # time hdparm --user-master u --security-erase-enhanced password /dev/sdX

This simple shell script will do a lot of the hdparm work for you. Just boot from a Linux live CD, then download the script and run it.

If SAS/SCSI/HBA, ATA Secure Erase isn't available, and hdparm -I won't work ("bad/missing sense data") - because these interfaces are implemented as SCSI, not ATA. Instead:

  1. Boot a Linux live CD with the sg3-utils suite of SCSI tools installed
  2. Run sg_sanitize with the [-C|--crypto] option against the target drive(s)
  3. For older drives that don't support sg_sanitize, use sg_format to format with the SCSI "Secure Initialization" bit set (-S or --security option)
  4. Reformat the drive for reuse.

If it is an SSD, and will be repurposed, either activate full-disk encryption:

Option 1 - Encrypt the drive:

  1. Enter the system BIOS.
  2. Go to the Security area.
  3. Enable "HDD password" or "hard drive password". This enables internal hardware-based FDE (Full Disk Encryption).
  4. Set a password for the device of at least 25 random upper, lower, number, and special characters.
  5. Allow the drive to be encrypted.
  6. Disable the hard drive password.
  7. Reformat the drive for reuse.

Option 2 - Use hdparm to invoke SATA "Secure Erase":

  1. Use the SATA "Secure Erase" feature as described above. On SSD, this should be implemented under the hood as encryption of the entire drive, followed by overwriting of the key.
  2. Reformat the drive for reuse.

Option 3 - Use the SAS/SCSI sg_sanitize or sg_format options above.

  1. On SSD, sg_sanitize -C should be implemented under the hood as encryption of the entire drive, followed by overwriting of the key.
  2. With sg_format, the wipe may be slower and does not provide the same assurance; consider fallback methods.
  3. Reformat the drive for reuse.

If it is NVMe: ref (tinyapps.org)

  1. Install nvme-cli in Linux
  2. Get device path: nvme list
  3. Verify format support: nvme id-ctrl -H /dev/nvmeX
  4. Issue the Secure Erase command: nvme format /dev/nvmeX --ses=1
  5. May need to suspend/resume (systemctl -i suspend) and then retry
  6. Verify: hexdump /dev/nvme0n1

See also NVME Sanitize (tinyapps.org)


If it is a drive already using Bitlocker:

  1. Remove BitLocker. Bitlocker encrypts SMART and the Secure Erase command cannot be issued until BitLocker is removed.

If it is a cellphone or other mobile device that supports full-disk encryption:

  1. Enter the device configuration in the security area.
  2. Set a password for the device of at least 16 random upper, lower, number, and special characters.
  3. Enable encryption of the device.
  4. Perform a factory restore of the device.
  5. Reformat the external storage.

If it is a USB, MicroSD, Compact Flash, or other flash-based device not directly accessible using a PATA or SATA interface (not a hard drive):

  1. Be aware that fully erasing USB devices that do not support hardware full-disk encryption is not currently possible. This is a best-effort method.
  2. Use Disk Wipe to wipe the device. http://www.diskwipe.org/
  3. Write the entire drive with a value, and then again with its complement.
    For example, first all zeroes:
    shred -n 1 --random-source=/dev/zero -u -v /dev/mydev
    ... and then all 1s (FF):
    perl -e '$s="$s\xFF" while length($s)<512; print $s while 1' | dd of=/dev/mydev
  4. Consider physically destroying the device.

If the drive is failing and you are having problems erasing it:

  1. Use ddrescue's --fill-mode option to wipe what you can.
  2. Example: first, analyze (will create image): ddrescue -f -n /dev/bad_drive /path/to/temp.img ddrescue-logfile
  3. Then zero the good sectors: ddrescue --fill-mode=+ --force /dev/zero /dev/bad_drive ddrescue-logfile
  4. Note that under some Linuxes, ddrescue is provided by the gddrescue package.
  5. If more than a trivial amount of the drive is inaccessible, consider physically destroying the device.

If not repurposing the device:

  1. If time is available, for additional assurance, perform the appropriate procedure above.
  2. Use a commercial drive magnet system to magnetize the device.
  3. Physically destroy the device. I've seen others recommend the PureLev disk-drive crusher, which looks reasonable.

References

Supporting information

Definitive paper and tool by Gordon Hughes, whose work was funded by NSA, incorporated into the ATA standard at his request and referenced in NIST 800-88. HDDErase v3.3 detects if HPA or DCO areas exist, and prompt the user to erase them:

"Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as the freeware HDDErase downloadable here. It executes the Federally-approved (NIST 800-88) Secure Erase command in the ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB."

https://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1

Related: Preparing a Mac for resale or donation (Sierra edition)

SANS ref: Securely Disposing of your Mobile Device

SANS Reading Room - Let's Talk About Data Recovery (Kevin Ripa)

tinyapps.org: drive-zeroing vs recoverability references
tinyapps.org: ATA SANITIZE and hdparm

Sandpaper, a sledgehammer, and/or thermite may also be expedient. ;)

$Date: 2021/03/06 00:00:21 $


Royce Williams
Tech Solvency