New Toshiba Drives Wipe Data When Turned Off
CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."
According to the article, it uses this "Opal" storage spec. (didn't find it on wikipedia..)
Below from: http://www.trustedcomputinggroup.org/resources/storage_application_note_encrypting_drives_compliant_with_opal_ssc
Storage Application Note: Encrypting Drives Compliant with Opal SSC
This document provides examples of the communication between a host and a storage device implementing the TCG Storage Security Subsystem Class: Opal SSC and the TCG Storage Architecture Core Specification.
Examples are provided for the following scenarios:
* Discovering whether a storage device supports Opal SSC
* Taking ownership of the storage device
* Activating the Locking SP
* Changing the Admin1 PIN in the Locking SP and adding users
* Configuring Locking Objects (LBA ranges)
* Unlocking ranges
* Erasing a range
* Enabling the MBR shadow
* Un-shadowing the MBR
* Reverting the TPer
* Reverting the Locking SP
* Using the DataStore table
For further reading, here's what looks like the spec:
http://www.trustedcomputinggroup.org/files/static_page_files/9FE14508-1D09-3519-AD7D21A695E9B8EE/Opal_SSC_1.00_rev3.00-Final.pdf
dban is great, but is slow. Wiping a 500gb drive takes several hours at least.
Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Not a problem with a tmpfs on a beefy server.
This has been covered to death here on slashdot, but basically one pass of /dev/random will pretty much take care of wiping a drive. Drive recovery companies will tell you that the hypothetical bit-by-bit recovery is possible, but is so ungodly costly that it's not worth doing unless there's something REALLY important on the drive (like pictures of your mom). If you're really paranoid, don't waste your time with shred, just dd if=/dev/urandom of=/dev/hda twice and call it a day. Shred takes F O R E V E R and really provides nothing more than a nifty status bar. If you're SUPER paranoid, dd the drive twice and yank the platters, play frisbee, build a tesla turbine or simply scratch the hell out of them and chuck them in the recycle bin.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
Using shred with an ext3 file system presents the user with the problem of secure deletion because it can only really be effectively used with ordered and writeback journals. A journal on ext3 is a separate file and not touched by a shredding of the actual file itself. The journal file also needs to be shredded or the filesystem converted to ext2 to be effective.
>Wiping a 500gb drive takes several hours at least.
Not really. The problem is that everyone picks some zany wiping scheme. Those Gutmann patterns don't even make sense with any modern drive. All you really need to do is zero the drive once. It doesn't take that long. I have yet to see a recovery from a drive that's been zero'd out. Anything past one pass of zeros is just extra credit.
All the articles are pretty poorly written, and the Computer World article misquotes the Toshiba press release.
Computer World
Drives with the technology will go into hard drives for laptops and desktops.
Toshiba
But lost or stolen notebooks are not the only security risk that IT departments must address. Today, most office copier and printing systems utilize HDD capacity and performance to deliver a highly productive document imaging environment. Many organizations are now realizing the critical importance of maintaining the security of document image data stored within copier and printer systems.
Toshiba is selling these drives as a method for securing scanning copiers. Many of the current copiers hold onto everything that is copied or scanned indefinitely leaving a gaping security hole. The new SED drives encrypt their contents and then wipe the key when the drive powers down leaving the data intact, but no meaningful method for recovering it. If a thief tries to yank a SED drive out of a copier, it automagically wipes it. If part of your security procedure is to shut down the copiers each night, your daily load of potentially secure documents and copies of Bob's butt are also automagically wiped.
Clearly, this type of technology would be worthless in a notebook or any other type of PC. You'd always be running from outlet to outlet to save your data. It'd be an IT version of that terrible Jason Statham movie Crank 2: High Voltage. Shudder.
Shred also works on drives. I shredded a Deskstar with a 25-pass wipe, which took over 16 hours. (And in a stroke of good timing, it started making the Deskstar "click of death" sounds less than 10 minutes after it finished.)
But about file system journals. It's a bit much to say "any file system" besides ext2 defeats shred. The concern is this: If file data is committed to the journal first, rather than the filesystem proper, the only way shredding is secure is to shred a file that's larger than the journal. Otherwise, multiple overwrites of file data are actually going to the journal, where they'll be analyzed, all but the last overwrite will be canceled, and the file data in the filesystem ends up with only a single overwrite.
Part of the purpose of shredding a file, is to overwrite the residual magnetic flux between tracks on a platter. Multiple overwrites on the platter will do this; shred used to do 25 overwrites by default, which was good enough for DoD secure erasure requirements. However, a FS journal would defeat this on a file that was less than 1/25 the size of the journal.
Ext3/4 can do this, but not by default; the default is "ordered" mode, where file data goes directly to the FS, and then its metadata goes to the journal. A mount option can change this temporarily, and "tune2fs" can change the mode persistently.
XFS and JFS journal only metadata, so shredding a file on those FS's is safe. You can verify this with an external journal on a different drive, then watch where the activity is during a shred. It isn't in the journal.
OTOH, log-structured file systems like Btrfs may or may not erase the data in place; if the data is part of a snapshot, then later overwrites don't remove the snapshot.
Yes, this is a lot to think about.
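A simplified model of the data=journal mechanism this comment describes, added here as an example (it is not jbd2 or any code from the thread; the journal size, file size and pass counts are constructed): a write to a block that is still uncommitted replaces the earlier copy, so a 25-pass shred of a file smaller than the journal reaches the data area as a single overwrite, while a file larger than the journal forces a commit on every pass.

```go
package main

// JournalingFS is a deliberately simplified model of a data=journal file
// system (an assumption for this example, not jbd2): file data lands in a
// bounded journal first, a second write to a block that is still uncommitted
// replaces the earlier copy, and the journal reaches the data area only when
// it is full or explicitly committed.
type JournalingFS struct {
	JournalBlocks int            // journal capacity in blocks
	journal       map[int][]byte // uncommitted block contents, keyed by block number
	Disk          map[int][]byte // what is actually on the data area
	Overwrites    map[int]int    // how many times each data block was physically rewritten
}

func NewJournalingFS(journalBlocks int) *JournalingFS {
	return &JournalingFS{JournalBlocks: journalBlocks, journal: map[int][]byte{},
		Disk: map[int][]byte{}, Overwrites: map[int]int{}}
}

// Write stages one block; a new block that does not fit forces a commit first.
func (fs *JournalingFS) Write(block int, data []byte) {
	if _, staged := fs.journal[block]; !staged && len(fs.journal) == fs.JournalBlocks {
		fs.Commit()
	}
	fs.journal[block] = data // an uncommitted block is simply replaced: earlier passes vanish
}

// Commit writes every staged block to the data area once and empties the journal.
func (fs *JournalingFS) Commit() {
	for b, data := range fs.journal {
		fs.Disk[b] = data
		fs.Overwrites[b]++
	}
	fs.journal = map[int][]byte{}
}

// Shred overwrites a file of fileBlocks blocks `passes` times, as shred(1) would,
// then commits. It returns how many physical overwrites the file's first block saw.
func Shred(fs *JournalingFS, fileBlocks, passes int) int {
	for p := 0; p < passes; p++ {
		for b := 0; b < fileBlocks; b++ {
			fs.Write(b, []byte{byte(p)}) // the pass number stands in for shred's pattern
		}
	}
	fs.Commit()
	return fs.Overwrites[0]
}
```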
It is called a cryptographic erase.
http://seagate.custkb.com/seagate/crm/selfservice/portalhome.jsp?DocId=205983&Hilite=#14
However, your assessment is accurate: the data is still there, just nearly impossible to recover.
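The cryptographic erase named in this comment and described in the copier post above, as an added Go model (not Toshiba's firmware or any code from the thread; the SED type, its AES-GCM sector format and the method names are assumptions): the drive encrypts every sector under a key it alone holds, Wipe on power-off zeroises that key, and the ciphertext stays on the media, present but unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SED models a self-encrypting drive with Wipe enabled (hypothetical, illustration only).
type SED struct {
	mediaKey []byte            // data encryption key the drive generates and never exports
	gcm      cipher.AEAD       // cipher bound to mediaKey; nil once the key is destroyed
	Sectors  map[uint64][]byte // nonce || ciphertext, exactly as a forensic read of the media sees it
}

func NewSED() *SED { // "manufacture" a drive: the first key generation is itself a crypto erase
	d := &SED{Sectors: map[uint64][]byte{}}
	d.CryptoErase()
	return d
}
func (d *SED) PowerOff() { // the Wipe feature: cutting power destroys the key and nothing else
	copy(d.mediaKey, make([]byte, len(d.mediaKey))) // zeroise in place before dropping it
	d.mediaKey, d.gcm = nil, nil
}
// CryptoErase destroys the current key and installs a fresh one: old sectors become noise.
func (d *SED) CryptoErase() {
	d.PowerOff()
	d.mediaKey = make([]byte, 32)
	rand.Read(d.mediaKey)                 // crypto/rand.Read always fills the buffer
	block, _ := aes.NewCipher(d.mediaKey) // a 32-byte key is always valid (AES-256)
	d.gcm, _ = cipher.NewGCM(block)
}
// Write encrypts one sector under a fresh nonce (real drives use XTS; GCM keeps this short).
func (d *SED) Write(lba uint64, plaintext []byte) error {
	if d.gcm == nil {
		return errors.New("media key destroyed: re-key the drive before writing")
	}
	nonce := make([]byte, d.gcm.NonceSize())
	rand.Read(nonce)
	d.Sectors[lba] = d.gcm.Seal(nonce, nonce, plaintext, nil)
	return nil
}
// Read decrypts one sector; after a wipe it fails although the bytes are still present.
func (d *SED) Read(lba uint64) ([]byte, error) {
	if raw, ok := d.Sectors[lba]; ok && d.gcm != nil {
		return d.gcm.Open(nil, raw[:d.gcm.NonceSize()], raw[d.gcm.NonceSize():], nil)
	}
	return nil, errors.New("media key destroyed or sector never written")
}
```

CryptoErase is also the re-key step before re-purposing a drive: the old sectors stay on the media but no longer decrypt under the new key.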
Most modern filesystems don't put the new data into the old place. This is most prominent on JFFS (which is mostly the entire reason for it), then, in decreasing order: btrfs, reiserfs, jfs, ext[34]. And on old filesystems on flash, you'll often have an underlying layer that does wear-levelling. Also, if there's any copy-on-write, tail packing, snapshots, etc. involved, shred will most likely be defeated as well.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
A better solution would be this automated self-destructing HD that can be remotely destroyed :D
"The Enhanced Hard Drive solves the problem of computers that are lost or stolen. A new hard drive feature will become the last word in data protection. A destruction technology is imbedded in the hard drive casing and can be initiated by as many as 17 remote triggers. Once deployed, the data stored on the disks is destroyed beyond forensic recovery. The process is non-toxic, non-combustible and does not cause any collateral damage to the other parts of the computer. The process is self-powered. In other words, the drive does not need to be in the computer for the system to operate." http://www.deadondemand.com/products/enhancedhdd/
Always mount a scratch cat.
No, in fact they possess all manner of equipment to keep machines powered up in transit, and devices that simulate mouse / keyboard activity to prevent locking screensavers coming on. Sorry I don't have a link handy for you.
The key is only known to the drive; the owner doesn't know it.
No sig today...
Are you defending against someone with a magnetic force microscope?
Yes, see Overwriting Hard Drive Data: The Great Wiping Controversy. Even with a magnetic force microscope, one pass is plenty. You can correctly identify a bit overwritten once with a probability of 0.56, up from 0.50 when randomly guessing. That's a 1% chance of correctly identifying any given byte.