Secure disk erasing - BSD


Thread: Secure disk erasing

  1. Secure disk erasing

    I was looking at wiping a disk and found the following:
    http://blogs.zdnet.com/storage/?p=129

    in particular Secure Erase
    http://cmrr.ucsd.edu/Hughes/SecureErase.html

    Which talks about using a function built into modern drives.

    from the readme:
    "It offers the option to run the drive internal secure erase command,
    security erase unit, based on the ATA specification by the T13 technical
    committee."

    Is this function available via OpenBSD?

    Cheers

    R.

  2. Re: Secure disk erasing

    Ryoko wrote:
    > I was looking at wiping a disk and found the following:
    > http://blogs.zdnet.com/storage/?p=129
    >
    > in particular Secure Erase
    > http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >
    > Which talks about using a function built into modern drives.
    >
    > from the readme:
    > "It offers the option to run the drive internal secure erase command,
    > security erase unit, based on the ATA specification by the T13 technical
    > committee."
    >
    > Is this function available via OpenBSD?
    >

    Assuming that manufacturers support this function (at least some of the
    Secure Erase stuff is optional) most drives will ignore this function if
    the Freeze Lock command has been invoked. This is typically done by the
    system BIOS.

    Can host operating systems actually get access to these functions now?

    Note that this built-in Secure Erase functionality may not meet or
    exceed some levels of security, since the specification states that
    secure erase simply has to write binary zeros over the user data
    portions of the drive.
    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.
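
The freeze-lock point in the post above can be checked from the drive's own IDENTIFY DEVICE data. The following is an added example, not code from this thread: it decodes the security status word (word 128) of a 512-byte IDENTIFY block. Fetching that block from a real drive is OS-specific and not shown; the sample buffer is constructed, and the function and macro names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits of IDENTIFY DEVICE word 128 (security status) in the ATA spec. */
#define SEC_SUPPORTED (1u << 0)  /* Security feature set implemented */
#define SEC_ENABLED   (1u << 1)  /* a user password is set           */
#define SEC_LOCKED    (1u << 2)
#define SEC_FROZEN    (1u << 3)  /* SECURITY FREEZE LOCK was issued  */
#define SEC_ENHANCED  (1u << 5)  /* enhanced erase mode implemented  */

enum erase_state { ERASE_UNSUPPORTED, ERASE_FROZEN, ERASE_AVAILABLE };

/* IDENTIFY DEVICE returns 256 little-endian 16-bit words (512 bytes). */
uint16_t identify_word(const uint8_t *id, unsigned idx) {
    return (uint16_t)(id[2 * idx] | (id[2 * idx + 1] << 8));
}

/* Can the host issue SECURITY ERASE UNIT right now? */
enum erase_state classify_security(const uint8_t *id) {
    uint16_t w = identify_word(id, 128);
    if (!(w & SEC_SUPPORTED)) return ERASE_UNSUPPORTED;
    if (w & SEC_FROZEN) return ERASE_FROZEN;  /* rejected while frozen */
    return ERASE_AVAILABLE;
}

/* Non-zero if the drive also offers the enhanced erase mode. */
int enhanced_erase_supported(const uint8_t *id) {
    return (identify_word(id, 128) & SEC_ENHANCED) != 0;
}

int main(void) {
    static const char *names[] = {"unsupported", "frozen", "available"};
    uint8_t id[512] = {0};                 /* constructed sample, not a real drive */
    id[256] = SEC_SUPPORTED | SEC_FROZEN;  /* low byte of word 128 */
    printf("secure erase: %s, enhanced: %d\n",
           names[classify_security(id)], enhanced_erase_supported(id));
    return 0;
}
```
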

  3. Re: Secure disk erasing

    On Tue, 10 Jul 2007 21:05:05 +0100 in Ryoko wrote:
    > I was looking at wiping a disk and found the following:
    > http://blogs.zdnet.com/storage/?p=129
    >
    > in particular Secure Erase
    > http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >
    > Which talks about using a function built into modern drives.
    >
    > from the readme:
    > "It offers the option to run the drive internal secure erase command,
    > security erase unit, based on the ATA specification by the T13 technical
    > committee."
    >
    > Is this function available via OpenBSD?


    If you truly need a secure erase, consider thermite
    followed by shredding the drive followed by running the
    pieces through a ball mill with ceramic ball media
    with the finale being to slowly spread the remains
    into a fast flowing river.

    Oh and to ratchet your paranoia another level... there
    are more law enforcement types than spook types on the
    ATA technical committees these days...
    --
    Chris Dukes
    < elfick> willg: you can't use dell to beat people, it wouldn't stand up
    to the strain... much like attacking a tank with a wiffle bat

  4. Re: Secure disk erasing

    ? wrote:
    > On Tue, 10 Jul 2007 21:05:05 +0100 in Ryoko wrote:
    >> I was looking at wiping a disk and found the following:
    >> http://blogs.zdnet.com/storage/?p=129
    >>
    >> in particular Secure Erase
    >> http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >>
    >> Which talks about using a function built into modern drives.
    >>
    >> from the readme:
    >> "It offers the option to run the drive internal secure erase command,
    >> security erase unit, based on the ATA specification by the T13 technical
    >> committee."
    >>
    >> Is this function available via OpenBSD?

    >
    > If you truly need a secure erase, consider thermite
    > followed by shredding the drive followed by running the
    > pieces through a ball mill with ceramic ball media
    > with the finale being to slowly spread the remains
    > into a fast flowing river.
    >

    Or, we can make Good Enough security easy to access when discarding old
    media. Most of us do not need to protect ourselves against the
    techniques affordable only to countries. Taking reasonable steps to
    keep private data from getting into the wrong hands is not paranoia.

    It's sensible.
    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.

  5. Re: Secure disk erasing

    Ryoko wrote:
    > I was looking at wiping a disk and found the following:
    > http://blogs.zdnet.com/storage/?p=129
    >
    > in particular Secure Erase
    > http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >
    > Which talks about using a function built into modern drives.
    >
    > from the readme:
    > "It offers the option to run the drive internal secure erase command,
    > security erase unit, based on the ATA specification by the T13 technical
    > committee."
    >
    > Is this function available via OpenBSD?


    No. Unless you have very rich and persistent enemies, just zeroing the
    drive works fine; if you do have such enemies, consider just dd'ing from
    /dev/arandom a couple of times. Or, better yet, physically destroying
    the drive as suggested before.

    Joachim

  6. Re: Secure disk erasing

    On 11 Jul 2007 14:58:50 GMT in <4694f02a$0$89003$dbd4f001@news.wanadoo.nl> Joachim Schipper wrote:
    > Ryoko wrote:
    >> I was looking at wiping a disk and found the following:
    >> http://blogs.zdnet.com/storage/?p=129
    >>
    >> in particular Secure Erase
    >> http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >>
    >> Which talks about using a function built into modern drives.
    >>
    >> from the readme:
    >> "It offers the option to run the drive internal secure erase command,
    >> security erase unit, based on the ATA specification by the T13 technical
    >> committee."
    >>
    >> Is this function available via OpenBSD?

    >
    > No. Unless you have very rich and persistent enemies, just zeroing the
    > drive works fine; if you do have such enemies, consider just dd'ing from
    > /dev/arandom a couple of times. Or, better yet, physically destroying
    > the drive as suggested before.


    If you think you'll end up wiping a drive by zeroing or random data,
    wipe it with random data a few times before putting the real data on for
    the first time.


    --
    Chris Dukes
    < elfick> willg: you can't use dell to beat people, it wouldn't stand up
    to the strain... much like attacking a tank with a wiffle bat

  7. Re: Secure disk erasing

    On Wed, 11 Jul 2007 15:26:29 +0000, ? wrote:

    > On 11 Jul 2007 14:58:50 GMT in <4694f02a$0$89003$dbd4f001@news.wanadoo.nl> Joachim Schipper wrote:
    >> Ryoko wrote:
    >>> I was looking at wiping a disk and found the following:
    >>> http://blogs.zdnet.com/storage/?p=129
    >>>
    >>> in particular Secure Erase
    >>> http://cmrr.ucsd.edu/Hughes/SecureErase.html
    >>>
    >>> Which talks about using a function built into modern drives.
    >>>
    >>> from the readme:
    >>> "It offers the option to run the drive internal secure erase command,
    >>> security erase unit, based on the ATA specification by the T13 technical
    >>> committee."
    >>>
    >>> Is this function available via OpenBSD?

    >>
    >> No. Unless you have very rich and persistent enemies, just zeroing the
    >> drive works fine; if you do have such enemies, consider just dd'ing from
    >> /dev/arandom a couple of times. Or, better yet, physically destroying
    >> the drive as suggested before.

    >
    > If you think you'll end up wiping a drive by zeroing or random data,
    > wipe it with random data a few times before putting the real data on for
    > the first time.


    To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be
    slow, but claims to be effective against most reasonable attempts to
    recover data.

    Note that erasing a disk pretty much mandates not running an OS off it at
    the same time....

  8. Re: Secure disk erasing

    msm wrote:
    > To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be
    > slow, but claims to be effective against most reasonable attempts to
    > recover data.


    I've heard that recommended before.

    > Note that erasing a disk pretty much mandates not running an OS off it at
    > the same time....


    Why? This is UNIX; it will run just fine [1] if the machine it is on
    suddenly goes diskless. Just compile yourself a program that writes
    random data into whatever file is named on the command line, repeats
    this a couple of times, and then zeroes the drive for good measure, and
    run it.

    Of course, you'll want to shut down by turning off the computer.

    Joachim

    [1] As long as you don't access the disk, do not need swap, etc, at
    least. But that's not too difficult to arrange on a quiet system.
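
A sketch of the kind of program described in the post above, as an added example that is not part of the original thread: it overwrites the target named on the command line with two passes of random data, then a final pass of zeros. It assumes `/dev/urandom` as the random source (the thread uses OpenBSD's `/dev/arandom`) and that `lseek(SEEK_END)` reports the target's size, as it does for regular files; the function names are illustrative.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CHUNK 65536

/* One full pass over the target: random data from rfd, or zeros if rfd < 0. */
static int overwrite_pass(int fd, int rfd, off_t size) {
    static unsigned char buf[CHUNK];
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    for (off_t done = 0; done < size; ) {
        size_t n = (size - done < CHUNK) ? (size_t)(size - done) : CHUNK;
        if (rfd < 0) memset(buf, 0, n);
        else { ssize_t r = read(rfd, buf, n); if (r <= 0) return -1; n = (size_t)r; }
        ssize_t w = write(fd, buf, n);
        if (w <= 0) return -1;
        done += w;               /* a short write just shortens this chunk */
    }
    return fsync(fd);            /* flush this pass before starting the next */
}

/* random_passes passes of random data, then one pass of zeros. 0 on success. */
int wipe_target(const char *path, int random_passes) {
    int fd = open(path, O_WRONLY);
    int rfd = open("/dev/urandom", O_RDONLY);
    off_t size = (fd < 0) ? -1 : lseek(fd, 0, SEEK_END);
    int rc = (fd >= 0 && rfd >= 0 && size > 0) ? 0 : -1;
    for (int i = 0; rc == 0 && i < random_passes; i++)
        rc = overwrite_pass(fd, rfd, size);
    if (rc == 0) rc = overwrite_pass(fd, -1, size);
    if (rfd >= 0) close(rfd);
    if (fd >= 0) close(fd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s target\n", argv[0]);
        return EXIT_FAILURE;
    }
    return wipe_target(argv[1], 2) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```
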

  9. Re: Secure disk erasing

    On Wed, 11 Jul 2007 16:52:36 +0000, Joachim Schipper wrote:

    > msm wrote:
    >> To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be
    >> slow, but claims to be effective against most reasonable attempts to
    >> recover data.

    >
    > I've heard that recommended before.


    I've used it before myself. The caveats are that (a) it can take a long
    time, especially if you configure it for the recommended 17 or more
    erasure passes, and (b) very few people have the technology to verify
    whether the disk is sufficiently erased - mostly the people who do are the
    people one is trying to keep from the data in the first place.

    >> Note that erasing a disk pretty much mandates not running an OS off it at
    >> the same time....

    >
    > Why? This is UNIX; it will run just fine [1] if the machine it is on
    > suddenly goes diskless.


    Fair enough.

    > Just compile yourself a program that writes
    > random data into whatever file is named on the command line, repeats
    > this a couple of times, and then zeroes the drive for good measure, and
    > run it.


    If you were feeling devious, you might then install a fresh OS and
    populate the system with copious logfiles and some totally uninteresting
    data and user accounts.

    > Of course, you'll want to shut down by turning off the computer.


    ;-)

    > [1] As long as you don't access the disk, do not need swap, etc, at
    > least. But that's not too difficult to arrange on a quiet system.


    True. It may still be easiest to do the erase from a liveCD of some sort.

  10. Re: Secure disk erasing

    msm wrote:
    > On Wed, 11 Jul 2007 16:52:36 +0000, Joachim Schipper wrote:
    >
    >> msm wrote:
    >>> To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be
    >>> slow, but claims to be effective against most reasonable attempts to
    >>> recover data.

    >> I've heard that recommended before.

    >
    > I've used it before myself. The caveats are that (a) it can take a long
    > time, especially if you configure it for the recommended 17 or more
    > erasure passes, and (b) very few people have the technology to verify
    > whether the disk is sufficiently erased - mostly the people who do are the
    > people one is trying to keep from the data in the first place.
    >

    I've used DBAN myself as well and it takes a long time, depending mostly on the
    size, and a little on the RPM speed of the hard drive. However, if using enough
    passes and DOD compliant procedures, it will totally erase the drive. I asked
    this question on a forum a few days ago: has anyone ever recovered data from a
    drive after it has been DBANed or Secure Erased? And the answer was: the people
    that may/are able to, probably won't tell...

    So if you want to reuse the drive and the adversary is not "big
    government/corporation" you are probably safe using DBAN or secure eraser. If
    your adversary is that well funded, presumably you will have enough planning and
    resources to afford another hard drive and physically destroy the one in danger.

    David

    >>> Note that erasing a disk pretty much mandates not running an OS off it at
    >>> the same time....

    >> Why? This is UNIX; it will run just fine [1] if the machine it is on
    >> suddenly goes diskless.

    >
    > Fair enough.
    >
    >> Just compile yourself a program that writes
    >> random data into whatever file is named on the command line, repeats
    >> this a couple of times, and then zeroes the drive for good measure, and
    >> run it.

    >
    > If you were feeling devious, you might then install a fresh OS and
    > populate the system with copious logfiles and some totally uninteresting
    > data and user accounts.
    >
    >> Of course, you'll want to shut down by turning off the computer.

    >
    > ;-)
    >
    >> [1] As long as you don't access the disk, do not need swap, etc, at
    >> least. But that's not too difficult to arrange on a quiet system.

    >
    > True. It may still be easiest to do the erase from a liveCD of some sort.


  11. Re: Secure disk erasing

    In article ,
    Clever Monkey wrote:
    > Assuming that manufacturers support this function (at least some of the
    > Secure Erase stuff is optional) most drives will ignore this function if
    > the Freeze Lock command has been invoked. This is typically done by the
    > system BIOS.
    >
    > Can host operating systems actually get access to these functions now?
    >
    > Note that this built-in Secure Erase functionality may not meet or
    > exceed some levels of security, since the specification states that
    > secure erase simply has to write binary zeros over the user data
    > portions of the drive.


    What I particularly like about a drive based command is that for a
    simple zero it could be quicker as the drive can do the operation
    regardless of bus speed.

    The last time I did a dd from /dev/random, it took ages (but it was
    attached via USB)

    Thanks everyone for your thoughts on this topic.

    Cheers

    R.
