New Toshiba Drives Wipe Data When Turned Off
CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."
I can see this used not just in copiers where temporary files need to be zapped for privacy reasons, but in a number of other places:
1: Photo kiosks. /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.
2: Documents stored on public access computers.
3: Medical terminals used for X-ray viewing.
4: Cash register terminals for storing CC data.
5: CCTV DVRs. If a video time frame needs to be flagged for long-term copying, it is.
6: Proxy/sendmail log servers where logs don't have to be kept for longer than it takes to check if there is an intrusion.
7: Temporary scratch space for a database server, say to pack and unpack normally encrypted BLOB/CLOB data.
8: A special hard disk just for
9: Temporary scratch space when unarchiving data and putting it on a secure partition or tape drive. For example, getting data from tape or another site, storing it temporarily to get a machine to restore locally.
10: A machine set up and automatically imaged for guests to browse the Web.
11: A machine set up and autoimaged in a student computer lab. This way, a power cycle ensures that private data is not recoverable from the previous student.
12: Drives set up for swap. This way, a power cycle removes all traces of a virtual machine's paging.
13: Community clouds, where a VM is cloned to the drive, used to give better capacity, then shut down and the drive cycled so the next user on that drive doesn't have access to the previous user's data.
14: A place to decode encryption keys temporarily pulled out of an HSM to be copied to another source.
15: Airport X-ray machines so the private pictures of people stay private.
Isn't this standard Windows behavior?
Table-ized A.I.
You invented random-access memory. Good job!
Sounds like a good idea, but I'm almost positive there will be instances where important data is going to be screwed with by mistake. I personally would rather not have my hard drive erasing my data without my express approval, but I'm not the average Joe.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
In other news today, a company under investigation by authorities claimed all the data was wiped from their servers following an unexpected power outage.
Presumably, no data is actually 'deleted' upon power-down, just the key is lost. Presumably this works by keeping the entire HDD encrypted - no wipe is needed when the drive is repurposed.
As the Microsoft trials taught us, data is hard to delete permanently.
"Maybe this world is another planet's hell"
Aldous Huxley
Remember RAM disks? Kind of an eighties thing I guess..
Never email donotemail@WeAreSpammers.com
The RamDisk in my PC did that every time I powered off the system. Big deal....
Via a virus or other stealth work, YOUR hard drive will be wiped remotely by ANOTHER user or, worse, the government? I will not put a nickel into this kind of technology.
The Computerworld story is light on details. No surprise there.
How is your data protected against accidental deletion - hardware failure, power outages, etc?
When the cops raid your place and yank all your drives for evidence, they would be in for a rude surprise.
Their laptop hard drives have been self erasing for years via head crashes and other catastrophic malfunctions. Absolutely horrible laptop hard drives.
Lawyers, MBA's, RIAA? A jedi fears not these things!
I spilled water into a power bar back in 95 and achieved exactly the same effect!
I used to call that "hammer & magnet"...
I've always thought SED stood for "Smoke Emitting Diode"
It's my favorite electronic component, but the only problem is that they only work once.
Deep Freeze is better than reimage on boot as it is much faster. You need a fast server + good network + a fast HDD on the PC to make autoimage on boot not be a big slowdown, and this also means each Windows update that needs a reboot needs a new image. Deep Freeze can be set up to go into a mode where you can install updates and keep them after reboot, and then go back to the reset-on-reboot mode; plus you can have a user area that does not get wiped out as well.
what if the head is in sleep mode so no momentum and then power is lost?
My bet is on the usual baked-in drive encryption, very badly described.
Lacking <sarcasm> tags,
Pfft. Western Digital and Maxtor have had this feature for years....
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
This isn't "reimage on boot". This is encrypted storage whereby the key is volatile. There is no performance problem here.
/tmp, but there's really no point. Cleaning /tmp with software can be done pretty quickly - why buy expensive hardware?
And to reply to OP, this tech really doesn't have as many uses as you say. It is really only useful for sensitive data. You can use it for
AccountKiller
It doesn't wipe data. The data is encrypted and when the drive is powered down, it intentionally loses the key. The data can be recovered if the key can be recovered.
From the scant details in the article and summary, it appears that the drives are encrypted, and the "wipe" consists of getting rid of the encryption key.
Calling that a "wipe" is rather misleading in my opinion. Toshiba's in for one hell of a liability issue if their encryption is ever cracked -- though I'm sure they'll take care of all that in the fine print.
Well, the local copy, anyway...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Aren't we tired of hearing of simple-sounding solutions that appear unattainable?
See recent /. stories stating our computer-level "private browsing" of the web is everything except "private." One problem I already see with any data wipe is that it takes a lot of time, like the article mentioned for Eraser.
The article had too few specifics, so let's sit on the what-if armchair for a bit: short of a strong explosion, the FBI could just not power the drive before removing the circuit board and replacing it with one lacking wipe logic.
I've never had a drive that did ANYTHING after it was powered down.
This is a tremendous advance. And I RTFA, and it doesn't offer me much of an explanation.
deleting the extra space after periods so i can stay relevant, yeah.
Or PXE boot, then have /home be a tmpfs. That can be nice and fast if you have the rest of the OS on NFS or iSCSI, plus you remove one more part that can fail.
One thing that has always irritated me about tmpfs is that it will page out into swap if memory pressure dictates.
Using ramfs as an alternative to tmpfs means that you lose the ability to stipulate a maximum size, and it can grow to exhaust all available memory in the system. Because ramfs won't page out, I presume it is quite possible to take down the entire machine in such circumstances.
It's sad that MacOS (pre-X) had the problem solved 15 years ago by allowing the creation of a fixed size RAM disk that would not page out, but this capability has apparently been lost in modern OS's. Unrelated aside: it was quite fun to load a stripped down version of the MacOS System Folder into a RAM disk and watch how fast the machine would boot (MacOS RAM disks would persist between reboots but would naturally be obliterated if power was cut).
If the description is accurate, I can imagine that there will be an outcry from the forensics people, or at least their masters. Isn't it SOP to remove power immediately, pull the drive, and copy it? Then I guess we know there'll be some sort of "key escrow" or back door for LE.
it is called a cryptographic erase.
http://seagate.custkb.com/seagate/crm/selfservice/portalhome.jsp?DocId=205983&Hilite=#14
However, your assessment is accurate, the data is still there, just nearly impossible to recover.
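A model of the scheme these comments describe (encrypted media plus a volatile key, including the caveat that recovering the key recovers the data), added here as an example; it is not Toshiba's firmware or any real drive's code, and its cipher is a stand-in HMAC keystream rather than the AES a real SED would use:

```python
"""Model of a self-encrypting drive whose media key is volatile.

Added example, not Toshiba's firmware: the platter holds only ciphertext and
the key register is cleared at power-off (a "cryptographic erase"). The cipher
is a stand-in for the drive's AES: an HMAC-SHA256 keystream in counter mode.
"""
import hashlib
import hmac
import os

SECTOR = 512


def keystream(key, sector, length):
    # Sector-tweaked keystream: PRF(key, sector || counter), truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = sector.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    def __init__(self, sectors=8):
        self.platter = [bytes(SECTOR)] * sectors  # non-volatile media
        self.key = None  # volatile key register; None means powered off

    def power_on(self, key=None):
        # A fresh random media key unless one is supplied (e.g. recovered).
        self.key = key or os.urandom(32)
        return self.key

    def power_off(self):
        # The "wipe": the only copy of the key is dropped; the platter stays.
        self.key = None

    def write(self, sector, data):
        if self.key is None:
            raise RuntimeError("drive is powered off")
        if len(data) > SECTOR:
            raise ValueError("data exceeds one sector")
        padded = data.ljust(SECTOR, b"\0")
        self.platter[sector] = xor(padded, keystream(self.key, sector, SECTOR))

    def read(self, sector):
        if self.key is None:
            raise RuntimeError("drive is powered off")
        return xor(self.platter[sector], keystream(self.key, sector, SECTOR))

    def forensic_image(self):
        # Imaging the platter yields ciphertext only; the key is not on it.
        return b"".join(self.platter)


def demo():
    # One power cycle with a constructed sample; returns what each party sees.
    secret = b"constructed sample: copier scan of payroll, page 3"
    drive = SelfEncryptingDrive()
    old_key = drive.power_on()
    drive.write(0, secret)
    on_platter = secret in drive.forensic_image()
    drive.power_off()
    drive.power_on()  # next boot gets a fresh key; old ciphertext is noise
    after_cycle = drive.read(0).rstrip(b"\0") == secret
    drive.power_on(old_key)  # the caveat: recover the key, recover the data
    with_old_key = drive.read(0).rstrip(b"\0") == secret
    return {"plaintext_on_platter": on_platter,
            "readable_after_power_cycle": after_cycle,
            "readable_with_recovered_key": with_old_key}
```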
Heck most of us won't trust our collection to anything short of RAID6!
My porn collection, along with all my other documents and media is on a RAID-6 array.
...Along with my massive collection of confiscated geek cards.
Boot Windows, Linux, and ESX over the network for free.
Now that's real progress!
The first hard drives were flaky and prone to data loss, now they want to engineer it into drives?
Yes, what could possibly go wrong, besides power failures.
The key could be stored in static RAM, which does lose data instantly when power is lost (downside is that it's more expensive, but for a single encryption key that's not a problem). Alternatively, you could just stick a capacitor on the board with enough power to erase the RAM. Or just bury the RAM cells inside the CPU, so it's impractical to access them (and make the CPU erase them on next power-on).
On further research, some static RAM chips do retain data (though not all of them). If you really need the data blanked out, storing it in a D-type flip-flop might be better then.
I tested shred against XFS, and found that it writes to the journal, rather than to the file data in-place. So shred is not safe to use on XFS.
Drives with the option to destroy all data for a transition in use and to protect all data when not attached to their built-in system should have been ubiquitous features of computing systems since day 1 of the first HDD. And what year is this? Maybe next year's headlines will read, "New Technology Discovered: Fire"
In the UK we have a special law when we're 'made' to give up encryption keys when asked by whoever arrested you. But what if the encryption keys have been destroyed, can they still make you give up what you do not have?
This is a good step forward for general security.
How could you trust this 100%? Without the firmware (and some way to verify it), this likely could / does contain backdoors.
For the children, you see.
I don't see a major improvement over well set up truecrypt partitions.
..don't panic
Frags your drive on power loss, eh? Yeah, nothing could go wrong there.
How about this. It sounds like all you're really killing is the stored key. Instead of fooling around with what amounts to a RAM chip, why not take a lesson from floppy disks? Back in the day, when you were done writing to a disk there was a little tab you would break and then the disk would be permanently read-only (unless someone used tape). Why not store the key in a little thing that you break off? If you wanted to get really fancy, you could even make it into a "security fuse" which can also be destroyed electrically if certain conditions are met (apparent unauthorized access, external trigger from chassis intrusion, planned obsolescence, et cetera).
[Put] /tmp/ on tmpfs [and] enlarge the default swap size by what is expected for /tmp/, to make sure max virtual memory capacity doesn't suffer.
Once you start using tmpfs, sensitive information will accumulate in the swap file. This makes pseudo-volatile drives like these even more suited for item 12 (swap).
I just write all of my data to /dev/null. Take that, toshiba!
Facts have a liberal bias.
So work with me here...
A police raid occurs, and either shuts down power to the house, or just comes in to confiscate the computer equipment.
Just how are they going to transfer the equipment and data without unplugging or pulling power?
Will they be afraid of plugging it in, because the 1st action will be to erase the data? How will they get a forensic copy without power?
If it's truly an encryption, then I'm sure there will be a back door for law enforcement, lest it be excluded from being sold in certain countries (ohhh.. like Saudi Arabia)
On my piece-of-shit Fujitsu laptop, before it died, I was doing this with swap. I had an init script that would grab from /dev/random and use that as the key for an encrypted (blowfish, and there was some good(?) reason for using that instead of AES but I don't remember) partition, and then mkswap and swapon it. Turn off the machine, then the key was lost and that partition's contents became useless.
I can see using this kind of drive for swap and /tmp, but guys, you already have this capability. I suppose moving the crypto from the CPU to the drive is pretty neat, but that just raises the same issue that hardware RAID has: it's fine if you want to use the whole disk in one particular way, but if you want to treat different partitions differently, then you need to use software (your OS) instead. The market for this drive, where you want to lose whole disks on power down, seems pretty niche.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Sure, if a ram disk is several hundred gig, then yeah, they're the same.
h4rr4r wrote:
You need to buy more ram, if you ever find swap in use that is just a sign to buy more ram. Stuff is dirt cheap these days.
Since when is a quarter terabyte of RAM "dirt cheap"? A better strategy is to encrypt the swap file and erase the key on power loss, which appears to be exactly what these drives do.
For more than 10 years, schmantzy photocopiers haven't just had a photoresist drum (cadmium sulphide, amorphous silicon or similar), instead they have had digital scanning technology, which would store the image to a hard drive (for later re-use). Millions of images are "still there" when the photocopier is old and needs to be recycled. I've heard of stories where people get photocopiers from the CIA/NSA as part of a surplus/liquidation. They pay 30 bucks for the old copier, and get 5 years worth of photocopied, top-secret documents. Kewel! Occasionally these old machines are shipped overseas for recycling. There are thousands of drives with literally millions of images of classified, secret and top-secret information on them. Why spy when you can just raid the recycling facilities? What's even better: have these agencies pick up the tab for both shipping and recycling.
With a keyboard macro, or a recessed kill switch, we might actually maintain some semblance of privacy, "oops, was that what that switch did?" or "sorry, you did it yourself when you unplugged the system".
I killed da wabbit -Elmer Fudd
I am having a hard time installing windows to this new expensive secure drive. It gives me an operating system not found error after the first reboot.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
"If you're SUPER paranoid, dd the drive twice and yank the platters, play frisbee, build a tesla turbine [instructables.com] or simply scratch the hell out of them and chuck them in the recycle bin."
I do this. I blame it on paranoia, but to be honest, I just like ripping open hard drives to see what's changed since the last time I did it.
I remember when the platters used to be solid metal that was nigh on unbreakable; I remember years later opening a drive up and finding some chintzy crap that shatters, scattering shiny dust and sharp fragments everywhere if you so much as look at it the wrong way.
Meh. I also took apart my last non-functional DVD player. Mostly for the copper screws. They were awesome. And shiny.
Shiny.
Crap, I think I'm actually a ferret.
But somehow I don't think that the global market for tmp/swap drives is the Next Big Thing.
In a situation like Microsoft, the problem is that erasing a file is not enough. An organization has to be pretty naive to think that it can control the spread or lifetime of its data files, due to normal processes like backups, offsite backups, removable media, laptops, users making "personal backups" due to any number of IT failures (technical, social, or imaginary), etc. After all, if this were easy, wikileaks would not exist!
Secret data files are just like secrets in general: if you really need it to stay secret, you cannot tell anyone, not even a data storage device.
Also, scrubbing a file extent is not enough, if the filename in the directory entry is also revealing, or even a checksum of the file content anywhere in a backup/recovery/intrusion detection system. If you really must store things and make them go poof later, Toshiba's approach is the wisest: never store the plaintext, and make the encryption key volatile. However, you may want to do it yourself using software whole-disk encryption, rather than trusting the hardware algorithm or key storage. If you are worried about the long-term vulnerability of all crypto algorithms, you really have needs best addressed by the first rule: do not record secrets in the first place!
[ 12.145436] Running /etc/init.d/spindown start ... oh shit!
I commented a bit about it on my FB wall: http://www.facebook.com/wingedpower
But here's a quick synopsis:
Given a hard drive...
- Create X number of zeroed files to be mounted on loopback (losetup) and then encrypted individually (cryptsetup) using 256-bit encryption (different key per loopback) [this is done on the data hard drive]
- Create Y number of zeroed ramdisk devices to be cryptsetup'd using 256-bit encryption (cryptsetup).
- Create a striped array (LVM tools) using both the encrypted loopbacks and the encrypted ramdisks.
- Use cryptsetup to encrypt this resulting LVM volume and mount it as your "quick wipe drive".
- Store all LUKS keys, if need be, in a ramdisk.
When you power off, what happens is:
- LUKS keys go away with loss of power (barring UPS, memory freeze, etc.)
- ramdisk slices of the RAID-0 striped array vanish... and take their encrypted bits with them.
- what survives on the physical drive are encrypted volumes containing parts and slices of a larger encrypted volume with slices missing.
Cost to implement: normal cost of equipment. :)
Special equipment or specialty hard drives required: none.
Security: 256-bit encryption via cryptsetup at two levels AND some of the data goes missing.
Useful situation:
- xerox/copy machine storage... they can actually implement this with standard drives... just update software and repartition their drive!
- protection against identity theft when home computer stolen... pulled power cable... oops. all data now not accessible.
- protection from illegal seizure of computers (no key to give... it is inaccessible)
- protection against foreign government raids(and local government raids, I suppose) (power loss=data not accessible)
The cool factor is: the more slices you divide the drive into, the more unique keys will need to be found/brute-forced/decrypted before any amount of useful data is regained. And once they do have all the individual files decrypted, only then will they discover that there are pieces of the RAID0 missing... and the RAID0 itself is encrypted.
Enjoy.
Winged Power Photography
Also noted on FB wall is the potential to replace the RAMDISKS with:
- external HD or flash drive to allow for powerdown, data retained, so long as the KEY drive, which also contains slices of the RAID 0 data, is intact. Lose/destroy it and the whole of the data is inaccessible.
- internal PCI/PCIe battery backed RAMDISK. (you have X minutes or X hours between power cycles before keys and data slices are lost and access to the whole is lost)
In all cases, the goal is to protect against unwanted access of the data in question, or to render the data effectively inaccessible for a long enough time.
This can already be done with currently available open source technology and a little scripting. :)
One can even make the system switch between modes of operation by migrating volumes to/from an external drive unit and the ramdisks.
For storing the high scores on the Frogger machine at Mario's Pizza.
So, a dead power supply means that if I don't have a backup encryption key, I lose all my data? Thanks, but no thanks!
"Maybe you are holding it wrong"
"Have you tried turning it off and on again?"
for instance, multiple projects of mine back to the mid-70s had write-only RAM.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Linux still has fixed sized ramdisks if you need them.
Boot with ramdisk_size=size where size is measured in KB, and your /dev/ram? devices will each be up to that large.
The default is 4096.
Here's a simple recipe for implementing this on your own:
1. Set up a script to create a TrueCrypt volume at boot time with a randomly generated key
2. ???
3. Profit!
You're done. When the system reboots the old key which wasn't stored anywhere is gone, the data is inaccessible, and a new volume is ready for use.
- For the complete works of Shakespeare: cat
I think we'll call it RAM.
This puts us one step closer to the long sought after write only drive.
I'm sure it's just stored in the RAM of the drive controller and it generates a new key on each reboot.
No sig today...
It's for machines where data is supposed to be very temporary - ie. photocopiers, etc.
Perhaps creating a combination drive that uses read-only SSD and a smaller section of this for the temporary directories? Booting from the SSD would be swift, everything written to the SED portion, and then save anything important to flash drives, network storage, or another option.
This seems like a great way to maintain a secure operating system for Joe and Jane Public. Or... imagine the near future where computers are sold with MS's OS du jour irrevocably installed, and the only way to upgrade is to bring the machine to a "certified upgrade specialist". I also fear the day when our cable or satellite providers install these into DVRs.
This new option does seem like a very useful tool, but also a very dangerous asset to the already dangerous.
One of my classmates in microprocessor lab back in college managed to make a LEEPROM. For those too young to remember, EPROMs have a window on them into which one shines UV light to erase it before reprogramming. With enough voltage between Vcc and Ground, the same EPROM can be made to emit light. Hence, LEEPROM. It was quite amusing at the time....
-- "This world is a comedy to those who think, a tragedy to those who feel."
Simply using one of these will eventually get someone convicted of destroying evidence; assuming Toshiba doesn't have a master key for law enforcement.
Oh no! I always thought that was a myth..
They've invented RAM