How to securely sanitize data tapes, and audit the results?

Question

I work at an electronics recycling facility and we were just presented with an offer from a client that would like to buy our used data tapes. Our problem is that we have never sanitized data tapes as we have only shredded them in the past. I need to know if data tapes have the same properties as traditional rotating magnetic media where a DOD 3-Pass wipe is sufficient to sanitize the device or if there is any hidden dangers that we must be aware of.

The only way we can move forward with the deal our client has proposed is if we can 100%, without a doubt, know that the data is unrecoverable. On top of that we must have a method to verify that the data has been successfully sanitized, and there is no remnant previous user data.

Typically we would use a hex checking program for checking our hard drives after they have been sanitized, but I'm not sure if that will reliably work for data tapes. If anyone has any experience with sanitizing data tapes (other than degassing, or shredding) please let me know how the task was completed.

dod now demands physical destruction of basically all media, but for commercial use, a 3pass should work pretty well for all but electron-microscope bit-by-bit recovery, not likely for a bulk used product... — dandavis, Nov 01 '16 at 18:56
Actually the multiple passes are not even necessary for hard disks. One is sufficient. — Andrea Lazzarotto, Nov 02 '16 at 12:18
"100%, without a doubt, know that the data is unrecoverable" that is an extremely high standard that no-one can deliver. You need to either turn down the deal, or reduce that to "make reasonable efforts to render data unrecoverable". — paj28, Nov 04 '16 at 11:13

score 2 · Answer 1 · edited Nov 04 '16 at 11:11

Regarding the reuse of recycled tape; the business may appear sound but the technical parts are not. Even apart from the issue of securely wiping data, it is hard to determine if tapes were properly stored before they were sent to you for recycling. Magnetic tape is susceptible to mold damage if stored in high humidity conditions.

Unless it is used for forensic(skim data using non-traditional method) or other research purpose, the next viable step of recycling magnetic tape material is to create counterfeit/ after market product or even "refurbished as new".

Use of research or forensic techniques to recover data means that data not recoverable by normal methods doesn't mean the data can't be recovered at all. Any method that claims safe wiping of data by today's forensic standard may also be insufficient for future forensic methodologies.

If your facility signs any sort of strict data destruction agreement with a client, reuse of the client's tapes should be avoided at all costs. Your business would risk major legal liability if someone could prove your data destruction destruction facility didn't destroy the tapes.

score 0 · Answer 2 · answered Nov 02 '16 at 10:00

For modern hard drives, 3-pass is overkill as explained here:

for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.

But for older magnetic storage media it might be nescessary.

So as this guide here explains:

To “sanitize” or “eradicate” LTO media and keep the servo tracks intact, the only method available has been to re-write over the existing data.

Conclusion: The DOD 3-pass ( zero out, random data, inverted random data) will do just fine. This will even be fairly robust against electron-microscope recovery. If you need an absolute, state-actor-with-unlimited-budget-proof 100% guarantee, physical destruction is the only option.

and my conclusion was clearly about older magnetic storage media. — J.A.K., Nov 02 '16 at 15:15

score 0 · Answer 3 · answered Nov 04 '16 at 12:36

This is primarily a legal problem, not a technical problem. You have no idea what kind of sensitive data may be on those tapes. It might be medical records, tax forms, employment records, credit card numbers, or other highly sensitive bits.

Unless your existing contract with the clients who are sending you the tapes to be recycled specifically states "used storage media sent for recycling may be resold to third parties" and "Electronics Recycling Corp is not responsible for the security of any residual data on media sent to us for recycling", you shouldn't move forward with this. Written or not, your existing clients may have an implicit or verbal expectation that their old data is secure.

Think about the risks. What if you're wrong about your technical solution, and data is recoverable anyway? Or worse, what if you are right, but the kid who unloads tapes from trucks on the receiving dock drops one in the hallway in front of the shipping dock, and it ends up going out the door unwiped?

One mistake and your company could be the subject of a destroy-the-business lawsuit. Even if it doesn't go to trial, your clients would be mad, and your reputation as a place to send stuff for recycling would be ruined.

The potential profits will likely never outweigh the potential risks.

score 0 · Answer 4 · edited Jun 16 '20 at 09:49

As everyone else has said, the legality of reselling storage media is a valid concern. But I think it is worth considering that a company serious about data security will either not be selling you tapes, or will have erased them before they left the premises since there is no reason they should trust you.

Since people are recommending using dd to overwrite, which assumes you have a drive/computer setup, the internal erase command of the drive should be worth considering. If you're on linux (your device may vary, I have a SAS drive):

mt -f /dev/nst0 erase

Since there is no data transfer involved, it's fast and you don't have to worry about ideal block sizes in order to get that speed. It will also leave the tape truly empty, if you dd then there will technically be a file on the tape, including the beginning and ending marks. If you try to read an empty tape nothing will happen, but if you try to read a dded tape, it will read the whole tape.

There is also the problem of compression, LTO drives automatically compress incoming data unless explicitly told otherwise. You may need to send a lot of zeros to actually fill it.

Edit:

I tried streaming some zeros to an LTO 3 tape I had available. The drive is a Dell (IBM) LTO 4 SAS drive. LTO 3 does ~80MB/s raw. pv < /dev/zero | dd of=/dev/nst0 bs=256k streamed at ~100MB/s with the drive spinning up to its lowest speed for less than 2 seconds at a time, with long waits between. I stopped after 3GB.

dan · Answer 5 · 2018-02-12T06:49:03.163

-1

I suggest the DOD 3 pass and a full read as a final check the 3 passes overwrote it fully. On a Unix system it is easily performed with the dd command with a bs=200k (tested as efficient on tapes, a much larger one might be tested on DLT):

dd bs=200k if=/dev/zero of=/dev/rmt0
</dev/zero tr "\000" "\377" | dd bs=200k of=/dev/rmt0
dd bs=200k if=/dev/random of=/dev/rmt0

On a Unix system a simple

dd bs=200k if=/dev/rmt0 of=/dev/null

will fit to check that the 3 passes fully wrote the tape.

If this last dd displays the correct number of writes seen in the 3 first passes, then this means that the EOT was written at the end of tape. If this last dd fails, then the tape has to be degaussed and is unusable = can't be sold.

edited Feb 12 '18 at 06:49

answered Nov 02 '16 at 10:29

dan

3,033
14
34

Are you sure the input and output are not swapped? That command does not seem to erase the tape. – Andrea Lazzarotto Nov 02 '16 at 12:19
I just gave a practical example of a way to audit that the 3 pass DOD fully covered the medium. For the 3 erasing steps, of course `of=/dev/rmt0`. – dan Nov 02 '16 at 13:06
I tried to improve my answer with the 3 passes everyone knows since… OMG :). – dan Nov 02 '16 at 13:46
There are several bad problems with this answer. Why are you reading from `/dev/random` instead of `/dev/urandom`? It would take centuries to erase a moderately-large hard drive with that. Why exactly are you setting the block size to 400 bytes? That's a very strange (and inefficient) block size. You should do `tr "\000" "\377" < /dev/zero > /dev/rmt0" instead of using `dd` twice. And finally, how in the world is reading from `/dev/rmt0` and writing it to `/dev/null` a way to check if it has fully written to the tape? – forest Feb 11 '18 at 00:31
The OQ is about erasing tapes and not hard drives. `bs=400b` doesn’t mean block size, but buffer size. This huge size was an experimental value where the writing to the tape was the fastest without using all I/O buffer for this task running for hours. – dan Feb 11 '18 at 10:53
@forest : If you read the output of any `dd` you see the number of buffers written and can check you fully erased your tape. – dan Feb 11 '18 at 10:59
It is the block size, as well as the buffer size. I know that 400 bytes is way way too small for a hard drive. Is it really more efficient on tape drives, even though it's so tiny? – forest Feb 12 '18 at 01:44
I changed my advice so as to avoid the confusin with `bytes`. On a POSIX compliant one , `man dd` : `[...] If the number ends with a ``b'', ``k'', ``m'', ``g'', or ``w'', the number is multiplied by 512, 1024 (1K), 1048576 (1M), 1073741824 (1G) or the number of bytes in an integer, respectively. [...]` – dan Feb 12 '18 at 06:47
I would test for performance `bs=20m` on modern DLT, I didn't test this procedure on this medium. – dan Feb 12 '18 at 06:55

How to securely sanitize data tapes, and audit the results?

5 Answers5

Edit: