Supported mechanisms of data wipe-out

Category: Software Basics

The system supports two levels of data wipe-out, compliant with the document NIST Special Publication 800-88 Revision 1:    

CLEAR method SATA SATA SSD SAS
Overwriting the medium X X X
ATA SECURITY ERASE UNIT X
PURGE method
ATA SANITIZE DEVICE (BLOCK ERASE) X
ATA SANITIZE DEVICE (CRYPTO SCRAMBLE) X X
ATA SECURITY ERASE UNIT X
SCSI SANITIZE (OVERWRITE) X
SCSI SANITIZE (CRYPTOGRAPHIC ERASE) X

WIPERAPP system algorithm matching the right method of data removal operates as shown in the table above. So, for example in case of SATA drives, the system checks whether drive supports the ATA SANITIZE DEVICE (CRYPTO SCRAMBLE) method first, and if so, it will use this method for data erasing. If the method is not available, the next step for the system is to check if ATA SECURITY ERASE UNIT method can be used. If the drive does not support any of the methods stated, its status will change to PURGE UNAVAILABLE, that means it is not possible to erase data at the Purge level, recommended by NIST.

As a result, the person responsible for the data wipe-out in the organization may decide on the further allocation of the hard drive containing data impossible to erase on the required level. Particularly, such disk may be submitted for overall mechanical destruction.

In case of  SATA interface disks, before the commencement of wiping the system detects whether the drive supports Device Configuration Overlay (DCO) mechanism and follows ATA DEVICE CONFIGURATION RESTORE instruction. Additionally, the system checks whether the Host Protected Area (HPA) mechanism was used in the disk and when it’s detected, the system resets the available addressable sectors to default settings.

As for SAS disks, before data removal, a command which resets the amount of sectors available to default settings is sent to the disk.

 

Medium overwriting

This method relies on saving a chosen data pattern on all addressable hard drive sectors.

The system operator can choose among particular options of the pattern being used:

  • the pattern (only zeros, only ones, random number from the range 0x01-0xFE)

  • quantity of run (from 1 to 16)

  • reversing the sequence in subsequent runs

Detailed configuration of the way to erase data with this method, optimal for securing the required level of safety, should be established procedurally inside the organization.

 

ATA SECURITY ERASE UNIT

This command is available in the majority of SATA and SSD drives. It is also the default method for NIST CLEAR wiping in SSD disks. According to the ATA standard, to perform drive wipe-out with this method, a password must be set on the disk. After the correct completion of ATA SECURITY ERASE UNIT command, following ATA standard, drive’s firmware automatically removes the established  password.

The default password set by WIPERAPP system is single lowercase “p” letter.

The process of data wipe-out conducted with this method should not be disrupted – especially the loss of power supply will cause the drive to remain with the password set.

 

ATA SANITIZE DEVICE (CRYPTO SCRAMBLE)

This method is available in some of the SATA and SSD drives. As random data are input with this method, the drive is overwritten with a single run of 0x00 pattern to verify the process.

ATTENTION: This method cannot be disrupted. According to the ATA standard cut-off of power supply from the drive being erased with this method does not cause the interruption of wiping. After the re-connection to the power source, drive’s firmware will restore operation and continue wiping until the process is completed.

 

ATA SANITIZE DEVICE (BLOCK ERASE)

This method is available in some of SSD and SATA drives. The result expected after the completion of actions is disk’s zero fill.

ATTENTION: This method cannot be disrupted. According to the ATA standard the cut-off of power supply from the drive being erased with this method does not interrupt wiping. After the re-connection to the power source, drive’s firmware will restore operation and continue wiping until the process is completed.

SCSI SANITIZE (OVERWRITE)

This method is available in some Enterprise SAS drives. The settings concerning the pattern, number of passes, pattern’s reversal between runs are available.

 

SCSI SANITIZE (CRYPTOGRAPHIC ERASE)

This method is available in some Enterprise SAS drives. As random data are input with this method, the drive is overwritten with a single run of 0x00 pattern to verify the process.

Was this article helpful? Votes: 1