I am looking for a possibility to sanitize large amounts of data on regular hard-drives and SSDs. Instead of overwriting the data several times (on regular hard-drives, which could take days and doesn't "work" on SSDs) I am thinking about using hardware-based FDE and simply performing a cryptographic disc erasure (dropping the encryption key). My main issue is now that, as far as I understand, pre-boot authentication is needed. In my case this is not feasible if the authentication has to be done manually (e.g. disks are used in servers located far away). Is there a well-working, well-adapted possibility to let the BIOS perform the authentication automatically, without any manual input or any other solution? If so, what are the drawbacks? Please note that my only goal is to perform sanitization of data in a cost-effective way.

Malevol
  • possible duplicate of [Erasing a hard-disk, encrypting it as alternative?](http://security.stackexchange.com/questions/12726/erasing-a-hard-disk-encrypting-it-as-alternative) – agtoever Nov 14 '14 at 15:27
  • 1
    The link covers software-based encryption (truecrypt etc.) which will require manual authentication. I do not want to have the overhead and need hardware-based FDE. Overwriting TBs of data, even once, is certainly slower than dropping a crypto key within milliseconds. – Malevol Nov 14 '14 at 15:30
  • 1
    But you have to overwrite them anyway, if the data currently exists as plain text. – ch3ka Nov 14 '14 at 16:09
  • @ch3ka brings a very valid point. Malevol, you might want to look into Sophos. Not sure what your budget is, but if you are going to do this, you should do it right. Sophos is a super powerful security suite. – Cameron Does Things Nov 14 '14 at 16:13
  • The data may not exist as plain text. Bulk Data Encryption on many models of drives means that the data is already encrypted even if the encryption key is not. Using the hardware-based FDE (ATA Secure Erase command) will regenerate the key, rendering the data unreadable. This is why you can put an HDD password on such a disk and not have to wait all day for it to encrypt. – mgjk Nov 14 '14 at 17:06
  • 1
    If you're using Linux you can use LUKS with a non-secret password hardcoded somewhere in a shell script that you'll use to mount it. The password doesn't have to be secret since it's only used to decrypt a long secret key stored on the disk and that key itself is used for encryption. When "erasing" the disk just erase the first 10 MB (the LUKS header) where that long key resides, and that's it. –  Nov 14 '14 at 19:00
  • Just to clarify, the data does not exist yet. It is just an option for a future solution I am exploring. – Malevol Nov 17 '14 at 09:06
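The key hierarchy behind the LUKS suggestion in the comments, as an added illustration that is not code from the question or the comments: a random, disk-unique data encryption key (DEK) is stored only in a small header, wrapped under a key derived from the (non-secret) passphrase, and the bulk data is encrypted under the DEK. Overwriting the header is the cryptographic erase; afterwards even the correct passphrase recovers nothing. Everything here is constructed: the header layout is a simplified stand-in for the real LUKS header, and the cipher is a toy HMAC-SHA256 keystream in place of the AES-XTS that LUKS would use.

```python
"""Toy model of header-based cryptographic erase (constructed example, not LUKS code).
header = salt(16) || wrapped DEK(32) || tag(16); body = data under the DEK."""
import hashlib
import hmac
import secrets
from typing import Optional

HEADER_LEN = 64
PBKDF2_ITERS = 100_000


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for a real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_volume(passphrase: str, plaintext: bytes) -> bytes:
    """Return header || ciphertext. The DEK is random; the passphrase only wraps it."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, 32)
    wrapped = _xor(dek, _keystream(kek, b"wrap", 32))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]
    header = salt + wrapped + tag
    body = _xor(plaintext, _keystream(dek, b"data", len(plaintext)))
    return header + body


def open_volume(passphrase: str, volume: bytes) -> Optional[bytes]:
    """Unwrap the DEK from the header and decrypt; None if the header is unusable."""
    header, body = volume[:HEADER_LEN], volume[HEADER_LEN:]
    salt, wrapped, tag = header[:16], header[16:48], header[48:64]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, 32)
    expected = hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong passphrase or header gone: no DEK, hence no data
    dek = _xor(wrapped, _keystream(kek, b"wrap", 32))
    return _xor(body, _keystream(dek, b"data", len(body)))


def crypto_erase(volume: bytes) -> bytes:
    """Overwrite only the header; the bulk ciphertext is deliberately left in place."""
    return bytes(HEADER_LEN) + volume[HEADER_LEN:]


if __name__ == "__main__":
    sample = b"constructed sample payload " * 4
    vol = format_volume("not-a-secret", sample)
    assert open_volume("not-a-secret", vol) == sample
    erased = crypto_erase(vol)
    assert open_volume("not-a-secret", erased) is None
    print("header wiped, body untouched, data unrecoverable with the known passphrase")
```

Two caveats follow from the model. The erase only covers data that was written through the encryption layer, which is ch3ka's point: anything that ever sat on the platters in clear text still needs a conventional overwrite. And on a real LUKS volume the wipe must cover the whole header and every key slot (the comment's "first 10 MB"), since any surviving copy of the wrapped DEK, including backups of the header, reverses the erase.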

1 Answer


Disclaimer: my info is old; I haven't tried this in a while.

If the disks support hardware-based FDE or Bulk Data Encryption, and you have an integrated lights-out or similar capability on your server, you can try booting to this utility and executing a secure erase.

http://www.fitzenreiter.de/ata/ata_eng.htm

(not free for commercial use, etc.)

If I recall, the capabilities are not accessible after boot time by design. This makes it harder for malware to kill your disk, for somebody to steal your key, or for your hard-drive password to be brute-forced.

Check the capabilities of your disks in your manuals. This might not solve your problem, but the site has a lot of information about how this ATA Security Extension stuff works.


Edit: This has a good discussion about why what you're asking to do may be very difficult:

https://social.technet.microsoft.com/Forums/windows/en-US/01b843c3-3fb7-4c53-b51c-8693be591caf/how-can-i-prevent-windows-xp-sp3-from-sending-ata-security-freeze-lock-command?forum=itproxpsp

mgjk
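The "check the capabilities of your disks" step from the answer, as an added example that is neither the answer's nor hdparm's own code: it parses the Security section of `hdparm -I` output, reports whether the ATA Security feature set is supported and whether the drive is already frozen (the SECURITY FREEZE LOCK issue the linked thread is about, and the reason the answer says these commands are unavailable after boot), and builds the hdparm invocation for a secure erase. The sample output is constructed; the hdparm options shown (`--user-master`, `--security-set-pass`, `--security-erase`, `--security-erase-enhanced`) are hdparm's real options. Nothing here talks to a device; it only reads text.

```python
"""Decide whether an ATA Secure Erase can be issued from hdparm -I output.
Constructed sample output; real hdparm prints the same section with tab indentation."""
from typing import Dict, List

# Constructed sample in the layout hdparm -I uses for its Security section.
SAMPLE_HDPARM_I = """\
/dev/sdb:

ATA device, with non-removable media
    Model Number:       EXAMPLE-SSD (constructed sample)
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000000000000000
"""

_FLAG_WORDS = ("supported", "enabled", "locked", "frozen", "expired:", "supported:")


def parse_security_section(text: str) -> Dict[str, bool]:
    """Map each flag line under 'Security:' to True, or False when prefixed with 'not'."""
    flags: Dict[str, bool] = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        if not line[0].isspace():
            break  # indentation ended: next top-level section of hdparm -I
        tokens = line.split()
        if tokens[0] == "not":
            flags[" ".join(tokens[1:])] = False
        elif tokens[0] in _FLAG_WORDS:
            flags[" ".join(tokens)] = True
        # revision code and erase-time estimates are informational and skipped
    return flags


def erase_readiness(flags: Dict[str, bool]) -> str:
    """'normal' or 'enhanced' when an erase can be issued now, else the blocking reason."""
    if not flags.get("supported"):
        return "unsupported: drive does not implement the ATA Security feature set"
    if flags.get("frozen") is not False:
        return ("frozen: the host issued SECURITY FREEZE LOCK at boot; "
                "erase commands are rejected until the drive is power-cycled")
    if flags.get("locked"):
        return "locked: the existing drive password must be supplied first"
    return "enhanced" if flags.get("supported: enhanced erase") else "normal"


def plan_erase_commands(device: str, flags: Dict[str, bool], password: str = "p") -> List[str]:
    """hdparm command lines for the erase; raises instead of guessing when the drive is not ready."""
    mode = erase_readiness(flags)
    if mode not in ("normal", "enhanced"):
        raise RuntimeError(mode)
    erase_opt = "--security-erase-enhanced" if mode == "enhanced" else "--security-erase"
    # A user password must be set before the erase; it is discarded by the erase itself.
    return [
        f"hdparm --user-master u --security-set-pass {password} {device}",
        f"hdparm --user-master u {erase_opt} {password} {device}",
    ]


if __name__ == "__main__":
    flags = parse_security_section(SAMPLE_HDPARM_I)
    print(flags)
    print(erase_readiness(flags))
    for cmd in plan_erase_commands("/dev/sdb", flags):
        print(cmd)
```

In practice the output of `hdparm -I /dev/sdX` run over the lights-out console is what you feed to `parse_security_section`. A `frozen` result is the normal state on a host whose firmware or OS freezes the drive at boot, which is exactly why the answer points at running the utility from a separately booted environment; the enhanced variant is the one that regenerates the drive's internal encryption key on self-encrypting drives, so prefer it when the drive reports it.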