
Secure Erase- is a positive easy-to-use data destroy command

 
USA Linux Users Group Forum Index » System Administration and Security
crouse
Site Admin


Joined: 17 Apr 2024
Posts: 11833
Location: Iowa

PostPosted: Tue Dec 16, 2024 8:58 am    Post subject: Secure Erase- is a positive easy-to-use data destroy command

I thought this was very interesting......


Secure Erase

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
http://cmrr.ucsd.edu/people/Hughes/HDDEraseReadMe.txt
http://cmrr.ucsd.edu/people/Hughes/HDDEraseWeb.zip
http://cmrr.ucsd.edu/people/Hughes/documents/QandAforwebsite10212008_000.doc

Quote:

Q & A on Secure Erase

Q: What is secure erase?

A: The ANSI T-13 committee which oversees the ATA (also known as IDE) interface specification and the ANSI T-10 committee which governs the SCSI interface specification have incorporated into their standards a command feature known as Secure Erase (SE). Secure erase is a positive easy-to-use data destroy command, amounting to “electronic data shredding.” It completely erases all possible user data areas by overwriting, including the so-called g-lists that contain data in reallocated disk sectors (sectors that the drive no longer uses because they have hard errors in them). SE is a simple addition to the existing “format drive” command present in computer operating systems and storage system software and adds no cost to hard disk drives. Since the Secure Erase command is carried out within a hard disk drive it doesn’t require any additional software to implement.

Q: Is secure erase approved for government security?

A: Secure erase has been approved by the U.S. National Institute for Standards and Technology (NIST), Computer Security Center. In general data erasure techniques when used alone are approved by NIST for lower security sanitization (less than secret) since the data can be recovered at least in theory. It should be noted though that a secure erased drive that is then physically destroyed would be extremely difficult if not impossible to recover data from. According to the NIST document Secure Erase as well as certain software utilities running in protected execution environments (e.g. running inside file system hardware like RAID arrays or inside secure computers) could be verified secure.

Q: Is any data left after a secure erase?

A: Investigations at CMRR at UCSD have shown that a single pass secure erase at lower frequencies results in no remaining data signals and a second erase reduces this signal only slightly more. The resulting data signal to noise ratio (SNR) at the magnetic drive head is below that required to recover data using a disk drive channel. The only recorded signal left in these experiments is a small amount of highly distorted track edge recording which is extremely difficult to recover data from even if the disk is removed from the drive and tested on a spin-stand.

Q: Is there a fast way to do secure erase?

A: An ATA disk drive user may want to do a "Fast Secure Erase" on a disk drive before disposing of it. ATA disk drives can have a user "password" that is used to access certain features of the disk drive. If a secure erase is started using a user "password" the disk drive must complete the secure erase before accepting any other command. Even if SE is stopped before completion another user cannot acquire the drive and use the "password" to reactivate the disk drive. The SE must complete before the new user can access the drive.

Q: What is full disk encryption?

A: Recently 2.5-inch hard disk drives for laptop computer applications have been introduced that encrypt the recorded information within the hard disk drive—internal drive data encryption. Such disk drives provide protection of the data on the disk drive should the laptop or drive be lost or stolen. Data encryption provides significant protection from forensic data recovery. Use of a key-based disk drive encryption technique opens the door to a new way to effectively “erase” the data of a hard disk drive by throwing away the encryption key.

Q: How can a user access full disk encryption?

A: Full Disk Encryption (FDE) SE “secure erase” (“FDE-SE”) is done by securely changing the internal drive encryption key to render encrypted user data on the disk. This can be enabled via the Enhanced SE command in the existing ATA ANSI specs.

Q: What groups are behind full disk encryption?

A: An open industry standard for FDE is being worked on by the Trusted Computer Group (the Storage Working Group in trustedcomputinggroup.org). Drive members of the TCG include Seagate, HGST, Fujitsu and WD.

Q: What are the dangers of not sanitizing data?

A: If data is not eliminated beyond recovery on a disk drive that leaves the control of the original owner this data can and often does fall into the hands of others. Besides theft of computers and disk drives where data can be stolen, data can often be recovered with little or no effort from discarded or sold disk drives. There are many reports of data being recovered from discarded disk drives. Each year hundreds of thousands of hard disk drives are retired. Some of these retired hard disk drives find their way back into the market and unless the data that they contain is eliminated securely it can be recovered.

Q: What are the various ways to sanitize data and what does each approach do?

A: UCSD CMRR has established and tested protocols for software secure erase. Their security levels vary between the levels just discussed. Four basic security levels are defined: Weak erase (deleting files), block erase (external overwrite), Normal secure erase (current SE implementation), and Enhanced secure erase (see below). Block and Normal secure erase are intended for elimination of user data up to the Confidential level, and Enhanced secure erase for higher levels. The Enhanced level has recently been implemented in drives by Seagate, Fujitsu and Hitachi. These four erasure protocols exist because users make a tradeoff between the erasure security level and the erasure time required.

Q: Some data sanitization technologies take a lot of time, is that a problem?

A: A high security protocol requiring custom software and up to days to accomplish will be avoided by most users, making it little used and therefore of limited practical value. For example, DoD 5220 calls for multiple block overwrites for Confidential data, which can take more than a day to complete in today’s drives. So users make a tradeoff between the time required to eliminate their data and the risk that the next drive user will know and use recovery techniques to access weakly erased data. For all but top-secret information and when time is critical, users will often turn to erasure that takes minutes rather than hours or days. They will select a method giving them an acceptable level of security in a reasonable time window.

Q: Does physical destruction of hard disk drives make the data unrecoverable?

A: The disks from disk drives can be removed from the disk drives, broken up and even ground to very fine pieces to prevent the data from being recovered. However, even such physical destruction is not absolute if any remaining disk pieces are larger than a single record block in size, about 1/125” in today’s drives (Note that as the linear and track density of magnetic recording increases the resulting recoverable pieces of disk must become ever smaller if all chances of data recovery after physical destruction alone are to be thwarted). Pieces of this size are found in bags of destroyed disk pieces studied at CMRR2. Physical destruction nevertheless offers the highest level of data elimination (although it is more effective if the data is first overwritten since then there is almost no potential signal to recover) because recovering any actual user data requires overcoming almost a dozen independent recording technology hurdles.

Q: Do multiple overwrites work better than a single overwrite?

A: Many commercial software packages are available using some variation of DoD 5220, some going to as many as 35 overwrite passes. Unfortunately the multiple overwrite approach is not very much more effective than a single overwrite since it does not do much to the remaining track edges where most of the very low level distorted remnant data remains after an overwrite and it takes a lot more time (even with 3 overwrites it can take more than a day to erase a large capacity hard disk drive).

Q: What are legal requirements for data elimination/sanitization?

A: There are several laws and regulations that relate to data retention and data elimination or sanitization on data storage devices such as hard disk drives. Some of the US requirements are listed below:

 Health Information Portability and Accountability Act (HIPAA)
 Personal Information Protection and Electronic Documents Act (PIPEDA)
 Gramm-Leach-Bliley Act (GLBA)
 California Senate Bill 1386
 Sarbanes-Oxley Act (SBA)
 SEC Rule 17a

There are several approved methods for data sanitization to satisfy these legal requirements or to meet other sometimes even more stringent corporate or government secrecy requirements. Some of these techniques will physically destroy the disk drives or prevent their being used again. Secure encryption of user data from creation to destruction is approved by some of the regulatory compliance legislation to protect sensitive information.




_________________
Veronica - Arch Linux 64-bit -- Kernel 2.6.33.4-1
Archie/Jughead - Arch Linux 32-bit -- Kernel 2.6.33.4-1
Betty/Reggie - Arch Linux (VBox) 32-bit -- Kernel 2.6.33.4-1
BumbleBee - OpenSolaris-SunOS 5.11
JP
Linux Guru


Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana

PostPosted: Wed Dec 17, 2024 3:07 am

I wanted to say WOW, but that isn't the word for it ...... I'd say more like unbelievable!
Quote:
Q: Does physical destruction of hard disk drives make the data unrecoverable?

A: The disks from disk drives can be removed from the disk drives, broken up and even ground to very fine pieces to prevent the data from being recovered. However, even such physical destruction is not absolute if any remaining disk pieces are larger than a single record block in size, about 1/125” in today’s drives (Note that as the linear and track density of magnetic recording increases the resulting recoverable pieces of disk must become ever smaller if all chances of data recovery after physical destruction alone are to be thwarted). Pieces of this size are found in bags of destroyed disk pieces studied at CMRR2. Physical destruction nevertheless offers the highest level of data elimination (although it is more effective if the data is first overwritten since then there is almost no potential signal to recover) because recovering any actual user data requires overcoming almost a dozen independent recording technology hurdles.



_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup
fedelst
New Member


Joined: 25 Dec 2024
Posts: 1
Location: Montreal Quebec Canada

PostPosted: Thu Dec 25, 2024 11:28 pm

Actually, I would like to update the information provided in the last quote.

The particle size of 1/125th of an inch is now 1/250th of an inch. This is due to the fact that media chemistry and recording technologies now accommodate data densities that facilitate the storage of a data block in a region smaller than 1/125th of an inch. In a conversation with Dr. Hughes this past March, he stated that the new spec is 1/250th of an inch.

This factor is of specific concern to organizations that handle information classifications that are secret or top secret, where policy dictates that the storage media must be processed using a means whereby the information can not be recovered by any means possible. Accordingly, as a single complete data block is considered to be the smallest element from which data can be accurately recovered, any means to physically destroy the drive must render the screenings smaller than a complete block.

This change in screening size is a major concern, as those orgs that were using physical destruction practices for the processing of their end of life hard drives must now establish new practices to accomplish this task. The issue is that although many physical destruction service providers can screen to 1/125th" taking this to a smaller factor will require the use of disintegrators, a much more costly proposal.

In discussing the new factor with a party responsible for defining federal government practice for the handling of end of life, and to be re-purposed, hard drives, I had mentioned the updated spec. The news was received with a big gulp... The issue is that the cost to process drives to this spec will involve a significant additional cost to the current practice. I had proposed that the adoption of a model using a 2 stage process might be a better idea.

This model involves the use of an on-site appliance to purge the asset of all legacy data using secure erase. An appliance such as Ensconce Data Technology's Dead on Demand Digital Shredder is already an appliance known by both North American governments, and is certified by the UCSD CMRR as compliant and effective for the deployment of Secure Erase. This process assures that the data has been effectively purged from all storage regions of the drive, and that shredding to 1/125th will result in a fully effective process whereby the data will be recoverable by no means possible. This process also affords security of the asset to be processed at the source. Rather, there is no point of liability once the asset leaves the facility for transport to the point of final destruction.

This model actually accomplishes addressing 2 potential issues.

1/ how to effectively deal with the smaller screening size
2/ how to mitigate any vulnerability when providing retired storage hardware for transport to an external physical destruction facility / contractor.

Just to add a few words on Secure Erase... SE is a great technology that has a lot of potential. However, its power and effectiveness have worked against it becoming more accessible and common practice. As it is embedded in all ATA compliant hard drives produced since 2024, and is initiated by a command sequence, the exploit of this technology by virus or malware would be devastating. Accordingly, in order to protect user data, BIOS vendors have inhibited in most cases the ability for the system to send the Secure Erase Init commands to drives connected to the host. Likewise, host controller vendors will inhibit SE from processing data stored in the Protected Service Regions of hard drives connected to the host without being Host Protected Area aware. This means that software vendors will not be able to reliably create software that will effectively purge data on hard drives connected to host systems.

Even the HDDERASE.EXE authored by the CMRR is in fact a proof of concept piece of software designed to demonstrate the abilities of SE in machines that do not have BIOS or hardware incompatibilities. In fact, HDDERASE will not natively process SATA, or any device other than on the first IDE/ATA channel. These are the reasons that EDT created the Digital Shredder, as a means to effectively invoke the Secure Erase process without the issues of hardware incompatibility.

More effective than 'clear' level overwrite technology, Secure Erase is a 'purge' level process that eliminates data with the same level of effectiveness as degaussing. Yet, with SE, the asset is reusable once processed.

I strongly recommend reviewing Special Report 800-88 from the National Institute for Science and Technology (NIST) for current guidance on data destruction technologies and their capabilities.

Alternately, if you are interested in a copy of an academic paper titled 'The Best Practices for the Destruction of Digital Data' authored by Ryk Edelstein (myself) and Gordon Hughes PhD (from the CMRR, who led the Secure Erase development project) I would be glad to offer a review copy in secure PDF format. This guide is intended for use by policy makers to reduce the amount of research time required to identify what is deemed to be acceptable practice for the sanitization of end of life hard drives. Based on thousands of pages of research, this guide provides reference to all current sources of guidance, and includes references to source information.

Please contact me at fedelst@gmail.com if you are interested in a copy of the guide.
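
Added example, written for this thread and not taken from CMRR, EDT or the forum: a POSIX shell script that performs the pre-flight checks a Linux administrator would run before issuing the ATA Secure Erase described in the Q&A (fast erase via a temporary user password, Enhanced SE where the drive offers it) and in fedelst's note that BIOSes block the command at boot. On Linux that block shows up as the drive's "frozen" state in `hdparm -I`, so the script parses the `Security:` section of that output and only then issues the erase with hdparm's documented `--security-set-pass` and `--security-erase` / `--security-erase-enhanced` options. The `hdparm -I` text embedded below is constructed, not captured from a real drive; the function names are my own; the section layout it parses is the real tool's.

```shell
#!/bin/sh
# Added example (not from the thread, CMRR or EDT). Assumes the layout of the
# "Security:" section printed by `hdparm -I` and hdparm's --security-* options.

# Constructed sample of `hdparm -I` output (not from a real drive). Lines in the
# Security block are tab-indented; "not<TAB>frozen" vs "<TAB><TAB>frozen".
SAMPLE_HDPARM='
/dev/sdX:

ATA device, with non-removable media
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.
'

# security_section TEXT: print the Security: block (up to the next unindented line)
security_section() {
    printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p'
}

# Each predicate returns 0 (true) when the flag line is present without "not".
se_supported()          { security_section "$1" | grep -q '^[[:space:]]*supported$'; }
se_frozen()             { security_section "$1" | grep -q '^[[:space:]]*frozen'; }
se_locked()             { security_section "$1" | grep -q '^[[:space:]]*locked'; }
se_enhanced_supported() { security_section "$1" | grep -q 'supported: enhanced erase'; }

# erase_minutes TEXT normal|enhanced: the drive's advertised erase duration.
# Drives that cap the field print "more than 508min"; then nothing is printed.
erase_minutes() {
    if [ "$2" = enhanced ]; then
        security_section "$1" | sed -n 's/.*[. ]\([0-9][0-9]*\)min for ENHANCED SECURITY ERASE UNIT.*/\1/p'
    else
        security_section "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
    fi
}

# choose_mode TEXT: print the hdparm erase option to use, or the reason to stop.
# Enhanced erase is preferred because it also covers reallocated sectors and,
# on self-encrypting drives, changes the internal key (the Q&A's FDE-SE).
choose_mode() {
    if ! se_supported "$1"; then echo unsupported; return 1; fi
    if se_frozen "$1";    then echo frozen;      return 1; fi   # BIOS sent SECURITY FREEZE LOCK
    if se_locked "$1";    then echo locked;      return 1; fi   # a password is already set
    if se_enhanced_supported "$1"; then echo --security-erase-enhanced; else echo --security-erase; fi
}

# run_erase DEV PASS: the real procedure. A temporary user password is required
# to issue SECURITY ERASE UNIT; the drive clears it when the erase completes.
run_erase() {
    dev=$1; pass=$2
    info=$(hdparm -I "$dev") || return 1
    mode=$(choose_mode "$info") || { echo "refusing to erase $dev: $mode" >&2; return 1; }
    echo "erasing $dev with $mode (drive estimates $(erase_minutes "$info" normal) min)"
    hdparm --user-master u --security-set-pass "$pass" "$dev" &&
        hdparm --user-master u "$mode" "$pass" "$dev"
}

# Usage: sh se-preflight.sh                -> dry run over the constructed sample
#        sh se-preflight.sh --erase /dev/sdX [password]   (as root; destroys all data)
if [ "${1:-}" = "--erase" ] && [ -n "${2:-}" ]; then
    run_erase "$2" "${3:-TempPass1}"
else
    m=$(choose_mode "$SAMPLE_HDPARM") || true
    echo "dry run over constructed sample: $m"
fi
```

A "frozen" result is the BIOS behaviour fedelst describes: the ATA SECURITY FREEZE LOCK sent at boot stays in effect until the drive is power-cycled, so the usual remedy is a suspend/resume or hot-plug of the drive, after which `hdparm -I` reports "not frozen" and the script proceeds.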


JP
Linux Guru


Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana

PostPosted: Fri Dec 26, 2024 3:53 am

fedelst, welcome to USALUG, glad to have you here!!
Thanks for the update. 1/250th of an inch is smaller than I can even imagine ...... is that also able to be measured in microns? Since I used to do refrigeration, and many of our filters were measured in microns, that might give me a better frame of reference.

I found a conversion calculator here.
Answer: 1/250 " = 25400 µm

Again, thanks for the update, and welcome, please come back often.



_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup
All content © 2024-2009 - Usa Linux Users Group