[vox-tech] Most efficient way to wipe hard drives
Bill Broadley
bill at broadley.org
Wed Sep 9 21:20:30 PDT 2009
Short answer: one wipe is enough (at least for NIST, and one of the British
Infosec standards), wipes miss bad sectors, and the ATA secure erase command is
worth checking out.
I keep this one on file and update it occasionally.
Explanation, references, justification and details to follow.
Oh, I saw the recommendation for dban. I couldn't find any reference to it
erasing bad sectors; if so, it likely doesn't work as well as anything that
uses secure erase (like a free util or hdparm).
==============================================================================
Basically, the less you know about disks, the more wipes one tends to recommend,
usually mentioning the ridiculous 35 wipes listed by Peter Gutmann. I can't
explain it any better than Gutmann: "some people have treated the 35-pass
overwrite technique described in it more as a kind of voodoo incantation to
banish evil spirits than the result of a technical analysis of drive encoding
techniques". As well as "A good scrubbing with random data will do about as
well as can be expected". While true in 1996 (when storage cost on the order
of $0.40 per MB and 1.6GB was a big disk), it's much more true today, where TB
disks are under $100 and disks commonly sell for less than $0.10 per GB (a
factor of 4000 cheaper and 1000 denser).
DoD, US Navy, Air Force, British Infosec, German info security, etc. all
recommend 3-4 wipes. Mostly because large organizations generate standards
slowly, often taking years, and many of those standards were published long
ago. That, and for any engineering justification there's always a temptation
to add another wipe or two just to be sure.
Of course, those in tin foil hats mention that the NSA doesn't allow wiping,
thus they must be able to recover after N wipes. Instead I suggest that it's
because normal user wipes don't wipe bad sectors, and that it's much easier to
verify a drive is destroyed visually with 100% reliability than it is to tell
if a drive has been securely wiped with 100% reliability. In practice there's
a big difference between theory and practice ;-). NSA is all about practice.
The problem with wipes is that they won't overwrite bad blocks, which an
attacker might be able to read. Do you care about this? If it's a sector?
10? 100? 0.1% of a disk? If you do, you can use ATA Secure Erase; there are
utils/boot disks with it, and NIST, DOD and others consider it better than a
normal wipe or multi-wipe. Alas, hdparm supports it only experimentally. I'd
suggest checking out:
http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
In general CMRR looks like one of the centers of such expertise; I'd listen to
their recommendations. They are cited by NIST (which recommends one wipe).
The PDF explains the myth of magnetic force microscope recovery. There are
many other research publications that support this idea and debunk
recovering data from a wiped drive via magnetic microscopy.
So if you don't use secure erase and won't lose sleep at night over a few bad
blocks being potentially recovered, I'd recommend something like:
dd if=/dev/urandom of=/dev/sd<whichever disk>
Above, use something like /dev/sdb, NOT /dev/sdb1. Swap could potentially
contain confidential information.
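As an added example (not from the original post), a small POSIX shell wrapper around the one-pass /dev/urandom wipe above: it refuses partition nodes so the whole disk, swap included, gets overwritten, and checks afterwards that the start of the target is no longer all zeros. The function names and sample device paths are constructed for illustration, and a regular file is accepted as a target so the logic can be tried on a disk image rather than real hardware.

```shell
#!/bin/sh
# Added example: one pass of /dev/urandom over a WHOLE disk, as recommended
# above. Function names and sample paths are constructed for illustration.

# Return 0 when the path names a partition (sdb1, nvme0n1p2, mmcblk0p1, ...).
# Wiping only a partition leaves the other partitions and swap untouched.
is_partition() {
  case "$1" in
    /dev/sd[a-z]*[0-9]|/dev/hd[a-z]*[0-9]|/dev/vd[a-z]*[0-9]) return 0 ;;
    /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Size in bytes of a block device or of a file-backed disk image.
target_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# One pass of random data over exactly the size of the target.
# Exit status 2 = refused (partition node or missing target), 0 = wiped.
wipe_one_pass() {
  target=$1
  if is_partition "$target"; then
    echo "refusing $target: give the whole disk (e.g. /dev/sdb, not /dev/sdb1)" >&2
    return 2
  fi
  [ -e "$target" ] || { echo "no such target: $target" >&2; return 2; }
  size=$(target_size "$target")
  head -c "$size" /dev/urandom | dd of="$target" bs=1M conv=notrunc 2>/dev/null
}

# Sanity check after a random wipe: the first 4 KiB must not be all zeros.
# This only catches a wipe that silently did nothing; it says nothing about
# remapped (bad) sectors, which a host-side wipe never reaches anyway.
looks_wiped() {
  nonzero=$(head -c 4096 "$1" | tr -d '\000' | wc -c | tr -d ' ')
  [ "$nonzero" -gt 0 ]
}
```

Run it as root against the whole-disk node (wipe_one_pass /dev/sdb), never a partition; on a spare 2 MiB zero-filled image file you can watch looks_wiped flip from failing to passing.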
If you are ultra paranoid/bored, sure, a second pass with either 1s, 0s, or
random data would add additional protection in case the NSA or another well
funded organization is going to dedicate a few expensive technicians, a hugely
expensive microscope, and man months/years to trying to recover your data.
Alternatively you could bulk erase, but verify the data is unreadable; I have
heard of commercial units not actually working, especially for multiple
platter disks. Everywhere I looked seemed to be saying this is a cat and
mouse game that the bulk erasers are losing. The above PDF, I believe, mentions
that with the current or next generation of recording nothing external to the
drive short of a nuclear EMP blast will work. Or just destroy the disks:
something like a vice, big hammer, big drill, gun, and fire seem to work just
fine. Some places even sell specialized versions of the above for such purposes.
NIST says:
“Studies have shown that most of today’s media can be effectively cleared by
one overwrite.”
More details at:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
For more info on the single wipe explanation:
http://www.anti-forensics.com/disk-wiping-one-pass-is-enough
This might be useful, it shows various standards:
http://en.wikipedia.org/wiki/Data_erasure
It mentions:
According to the Center for Magnetic Recording Research, "Secure erase does a
single on-track erasure of the data on the disk drive. The U.S. National
Security Agency published an Information Assurance Approval of single pass
overwrite, after technical testing at CMRR showed that multiple on-track
overwrite passes gave no additional erasure."[5] "Secure erase" is a function
built into modern ATA hard drives that overwrites all data on a disk,
including remapped (error) sectors.
It seems to be the general consensus of the community that as disk density
gets closer to the paramagnetic limit, recovery of previous values for a
bit is getting much harder and impractical on drives made after 2001 or so.
Thus the number of wipes needed for a given level of security is decreasing
over time.
Oh, one last thing. If you are using an encrypted disk (in the OS, a driver, or
in the drive) it's fairly secure to just change the key. You have to be careful
that the size of the key is big enough to give you the protection in time that
you want. In 10 years bigger keys will be feasible to crack; someone could
potentially stick your drive on a shelf until the key is feasible to crack.