Slashdot Mirror
New Toshiba Drives Wipe Data When Turned Off
CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."
I can see this used not just in copiers where temporary files need to be zapped for privacy reasons, but in a number of other places:
1: Photo kiosks. /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.
2: Documents stored on public access computers.
3: Medical terminals used for X-ray viewing.
4: Cash register terminals for storing CC data.
5: CCTV DVRs. If a video time frame needs flagged for long term copying, it is.
6: Proxy/sendmail log servers where logs don't have to be kept for longer than it takes to check if there is an intrusion.
7: Temporary scratch space for a database server, say to pack and unpack normally encrypted BLOB/CLOB data.
8: A special hard disk just for
9: Temporary scratch space when unarchiving data and putting it on a secure partition or tape drive. For example, getting data from tape or another site, storing it temporarly to get a machine to restore locally.
10: A machine set up and automatically imaged for guests to browse the Web.
11: A machine set up and autoimaged in a student computer lab. This way, a power cycle ensures that private data is not recoverable from the previous student.
12: Drives set up for swap. This way, a power cycle removes all traces of a virtual machine's paging.
13: Community clouds, where a VM is cloned to the drive, used to give better capacity, then shut down and the drive cycled so the next user on that drive doesn't have access to the previous user's data.
14: A place to decode encryption keys temporarly pulled out of a HSM to be copied to another source.
15: Airport X-day machines so the private pictures of people stay private.
You invented random-access memory. Good job!
Sounds like a good idea, but I'm almost positive there will be instances where important data is going to be screwed with by mistake. I personally would rather not have my hard drive erasing my data without my express approval, but I'm not the average Joe.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
In other news today, a company under investigation by authorities claimed all the data was wiped from their servers following an unexpected power outage.
As the Microsoft trials taught us data is hard to delete permanently.
"Maybe this world is another planet's hell"
Aldous Huxley
Remember RAM disks? Kind of an eighties thing I guess..
Never email donotemail@WeAreSpammers.com
It uses multiple passes of rot13, and the key tells how many passes are done. :-)
The Tao of math: The numbers you can count are not the real numbers.
According to the article, it uses this "Opal" storage spec. (didn't find it on wikipedia..)
Below from: http://www.trustedcomputinggroup.org/resources/storage_application_note_encrypting_drives_compliant_with_opal_ssc
Storage Application Note: Encrypting Drives Compliant with Opal SSC
This document provides examples of the communication between a host and a storage device implementing the TCG Storage Security Subsystem Class: Opal SSC and the TCG Storage Architecture Core Specification.
Examples are provided for the following scenarios:.
* Discovering whether a storage device supports Opal SSC
* Taking ownership of the storage device
* Activating the Locking SP
* Changing the Admin1 PIN in the Locking SP and adding users
* Configuring Locking Objects (LBA ranges) *
* Unlocking ranges
* Erasing a range
* Enabling the MBR shadow
* Un-shadowing the MBR
* Reverting the TPer
* Reverting the Locking SP
* Using the DataStore table
For further reading, here's what looks like the spec:
http://www.trustedcomputinggroup.org/files/static_page_files/9FE14508-1D09-3519-AD7D21A695E9B8EE/Opal_SSC_1.00_rev3.00-Final.pdf
The Computer Word story is light on details. No surprise there.
How is your data protected against accidental deletion - hardware failure, power outages, etc?
Their laptop hard drives have been self erasing for years via head crashes and other catastrophic malfunctions. Absolutely horrible laptop hard drives.
Lawyers, MBA's, RIAA? A jedi fears not these things!
I spilled water into a power bar back in 95 and achieved exactly the same effect!
I used to call that "hammer & magnet"...
Considering that there are 256 values possible for a given byte that's not quite as useless as one would think.
I've always thought SED stood for "Smoke Emitting Diode"
It's my favorite electronic component, but the only problem is that they only work once.
deep freeze is better then reimage on boot as it is much faster. You need a fast sever + good network + a fast HDD on the pc to make autoimaga on boot not be a big slow down and this also makes it so each windows update that needs reboot a new images. Deep Freeze can be set up to go into a mode there you can install updates and keep them after reboot and then go back to the reset on reboot mode + you can have a user area that does not get wiped out as well.
what if the head is in sleep mode so no momentum and then power is lost?
My bet is on the usual baked-in drive encryption, very badly described.
Lacking <sarcasm> tags,
Pfft. Western Digital and Maxtor have had this feature for years....
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
This isn't "reimage on boot". This is encrypted storage whereby the key is volatile. There is not performance problem here.
/tmp, but there's really no point. Cleaning /tmp with software can be done pretty quickly - why buy expensive hardware?
and to reply to OP, this tech really doesn't have as many uses are you say. It is really only useful for sensitive data. You can use it for
AccountKiller
From the scant details in the article and summary, it appears that the drives are encrypted, and the "wipe" consists of getting rid of the encryption key.
Calling that a "wipe" is rather misleading in my opinion. Toshiba's in for one hell of a liability issue if their encryption is ever cracked -- though I'm sure they'll take care of all that in the fine print.
Well, the local copy, anyway...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Aren't we tired of hearing of simple-sounding solutions that appear unattainable?
See recent /. stories stating our computer-level "private browsing" of the web is everything except "private." One problem I already see with any data wipe is that it takes a lot of time, like the article mentioned for Eraser.
The article had too few specifics, so let's sit on the what-if armchair for a bit: short of a strong explosion, the FBI could just not power the drive before removing the circuit board and replacing with one lacking wipe logic.
Nope, if they want your data they keep the machine one by splicing into the power outlet.
I've never had a drive that did ANYTHING after it was powered down.
This is a tremendous advance. And I RTFA, and it doesn't offer me much of an explanation.
deleting the extra space after periods so i can stay relevant, yeah.
or PXE boot, then have /home be a tmpfs. That can be nice and fast if you have the rest of the OS on NFS or ISCSI, plus you remove one more part that can fail.
One thing that has always irritated me about tmpfs is that it will page out into swap if memory pressure dictates.
Using ramfs as an alternative to tmpfs means that you lose the ability to stipulate a maximum size, and it can grow to exhaust all available memory in the system. Because ramfs won't page out, I presume it is quite possible to take down the entire machine in such circumstances.
It's sad that MacOS (pre-X) had the problem solved 15 years ago by allowing the creation of a fixed size RAM disk that would not page out, but this capability has apparently been lost in modern OS's. Unrelated aside: it was quite fun to load a stripped down version of the MacOS System Folder into a RAM disk and watch how fast the machine would boot (MacOS RAM disks would persist between reboots but would naturally be obliterated if power was cut).
it is called a cryptographic erase.
http://seagate.custkb.com/seagate/crm/selfservice/portalhome.jsp?DocId=205983&Hilite=#14
However, your assessment is accurate, the data is still there, just nearly impossible to recover.
Heck most of us won't trust our collection to anything short of RAID6!
My porn collection, along with all my other documents and media is on a RAID-6 array.
...Along with my massive collection of confiscated geek cards.
Boot Windows, Linux, and ESX over the network for free.
The key could be stored in static RAM, which does lose data instantly when power is lost (downside is that it's more expensive, but for a single encryption key that's not a problem). Alternately, you could just stick a capacitor on the board with enough power to erase the RAM. Or just bury the RAM cells inside the CPU, so it's impractical to access them (and make the CPU erase them on next power-on).
On further research, some static RAM chips do retain data (though not all of them). If you really need the data blanked out, storing it in a D-type flip flop might be better then.
I tested shred against XFS, and found that it writes to the journal, rather than to the file data in-place. So shred is not safe to use on XFS.
In the UK we have a special law when we're 'made' to give up encryption keys when asked by whoever arrested you. But what if the encryption keys have been destroyed, can they still make you give up what you do not have?
This is a good step forward for general security.
How could you trust this 100%? Without the firmware (and some way to verify it), this likely could / does contain backdoors.
For the children, you see.
I don't see a major improvement over well set up truecrypt partitions.
..don't panic
Frags your drive on power loss, eh? Yeah, nothing could go wrong there.
How about this. It sounds like all you're really killing is the stored key. Instead of fooling around with what amounts to a RAM chip, why not take a lesson from floppy disks? Back in the day, when you were done writing to a disk there was a little tab you would break and then the disk would be permanently read-only (unless someone used tape). Why not store the key in a little thing that you break off? If you wanted to get really fancy, you could even make it into a "security fuse" which can also be destroyed electrically if certain conditions are met (apparent unauthorized access, external trigger from chassis intrusion, planned obsolescence, et cetera).
[Put] /tmp/ on tmpfs [and] enlarge the default swap size by what is expected for /tmp/, to make sure max virtual memory capacity doesn't suffer.
Once you start using tmpfs, sensitive information will accumulate in the swap file. This makes pseudo-volatile drives like these even more suited for item 12 (swap).
I just write all of my data to /dev/null. Take that, toshiba!
Facts have a liberal bias.
On my piece-of-shit Fujitsu laptop, before it died, I was doing this with swap. I had an init script that would grab from /dev/random and use that as the key for an encrypted (blowfish, and there was some good(?) reason for using that instead of AES but I don't remember) partition, and then mkswap and swapon it. Turn off the machine, then the key was lost and that partition's contents became useless.
I can see using this kind of drive for swap and /tmp, but guys, you already have this capability. I suppose moving the crypto from the CPU to the drive is pretty neat, but that just raises the same issue that hardware RAID has: it's fine if you want to use the whole disk in one particular way, but if you want to treat different partitions differently, then you need to use software (your OS) instead. The market for this drive, where you want to lose whole disks on power down, seems pretty niche.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Sure, if a ram disk is several hundred gig, then yeah, they're the same.
h4rr4r wrote:
You need to buy more ram, if you ever find swap in use that is just a sign to buy more ram. Stuff is dirt cheap these days.
Since when is a quarter terabyte of RAM "dirt cheap"? A better strategy is to encrypt the swap file and erase the key on power loss, which appears to be exactly what these drives do.
With a keyboard macro, or a recessed kill switch, we might actually maintain some semblance of privacy, "oops, was that what that switch did?" or "sorry, you did it yourself when you unplugged the system".
I killed da wabbit -Elmer Fudd
I am having a hard time installing windows to this new expensive secure drive. It gives me an operating system not found error after the first reboot.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
But somehow I don't think that the global market for tmp/swap drives is the Next Big Thing.
Lacking <sarcasm> tags,
[ 12.145436] Running /etc/init.d/spindown start ... oh shit!
I commented a bit about it on my FB wall: http://www.facebook.com/wingedpower
But here's a quick synopsis:
Given a hard drive...
- Create X number of zero'd files to be mounted on loopback (losetup) and then to be encrypted individually(cryptsetup) using 256bit encryption(different key per loopback) [this is done on the data hard drive)
- Create Y number of zero'd ramdisk devices to be cryptsetup'd using 256bit encrption(cryptsetup).
- Create a striped array(LVM tools) using both the encrypted loopbacks and the encrypted ramdisks.
- Use cryptsetup to encrypt this resulting LVM volume and mount it as your "quick wipe drive"
- Store all luks keys, if need be, in a ramdisk.
When you power off, what happens is:
- luks keys go away with loss of power(barring UPS, memory freeze, etc)
- ramdisk slices of the RAID-0 striped array vanish... and take their encrypted bits with them.
- what survives on the physical drive are encrypted volumes containing parts and slices of a larger encrypted volume with slices missing.
Cost to implement: normal cost of equipment. :)
Special equipment or specialty hard drives required: none.
Security: 256bit encryption via cryptsetup at two levels AND some of the data goes missing.
Useful situation:
- xerox/copy machine storage... they can actually implement this with standard drives... just update software and repartition their drive!
- protection against identity theft when home computer stolen... pulled power cable... oops. all data now not accessible.
- protection from illegal seizure of computers (no key to give... it is inaccessible)
- protection against foreign government raids(and local government raids, I suppose) (power loss=data not accessible)
The cool factor is... the slices you divide up the drive into... the more unique keys that will need to be found/brute-forced/decrypted before any amount of useful data is regained. And once they do have all the individual files decrypted, only then will they discover that there are pieces of the RAID0 missing... and the RAID0 itself is encrypted.
Enjoy.
Winged Power Photography
Also noted on FB wall is the potential to replace the RAMDISKS with:
- external HD or flash drive to allow for powerdown, data retained, so long as the KEY drive, which also contains slices of the RAID 0 data, is intact. Lose/destroy it and the whole of the data is inacessible.
- internal PCI/PCIe battery backed RAMDISK. (you have X minutes or X hours between power cycles before keys and data slices are lost and access to the whole is lost)
In all cases, the goal is to protect against unwanted access of the data in question, or to render the data effectively inaccessible for a long enough time.
This can already be done with currently available open source technology and a little scripting. :)
One can even make the system switch between modes of operation by migrating volumes to/from an external drive unit and the ramdisks.
Winged Power Photography
For storing the high scores on the Frogger machine at Mario's Pizza.
So, a dead power supply means that if I don't have a backup encryption key, I loose all my data? Thanks, but no thanks!
"Maybe you are holding it wrong"
"Have you tried turning it off and on again?"
for instance, multiple projects of mine back to the mid-70s had write-only RAM.
if this is supposed to be a new economy, how come they still want my old fashioned money?
---
Data StorageFeed @ Feed Distiller
Here's a simple recipe for implementing this on your own:
1. Set up a script to create a TrueCrypt volume at boot time with a randomly generated key
2. ???
3. Profit!
You're done. When the system reboots the old key which wasn't stored anywhere is gone, the data is inaccessible, and a new volume is ready for use.
- For the complete works of Shakespeare: cat
No, in fact they posess all manner of equipment to keep machines powered up in transit, and devices that simulate mouse / keyboard activity to prevent locking screensavers coming on. Sorry I don't have a link handy for you.
This puts us one step closer to the long sought after write only drive.
I'm sure it's just stored in the RAM of the drive controller and it generates a new key on each reboot.
No sig today...
It's for machines where data is supposed to be very temporary - ie. photocopiers, etc.
No sig today...
Perhaps creating a combination drive that uses read-only SSD and a smaller section of this for the temporary directories? Booting from the SSD would be swift, everything written to the SED portion, and then save anything important to flash drives, network storage, or another option.
This seems like a great way to maintain a secure operating system for Joe and Jane Public. Or... imagine the near future where computers are sold with MS's OS du jour irrevocably installed, and the only way to upgrade is to bring the machine to a "certified upgrade specialist". I also fear the day when our cable or satellite providers install these into DVRs.
This new option does seem like a very useful tool, but also a very dangerous asset to the already dangerous.
It appears that I might be the first to say, "Whoooosh!"
One of my classmates in microprocessor lab back in college managed to make a LEEPROM. For those too young to remember, EPROMS have a window on them into which one shines UV light to erase it before reprogramming. With enough voltage between Vcc and Ground, the same EPROM can be made to emit light. Hence, LEEPROM. It was quite amusing at the time....
-- "This world is a comedy to those who think, a tragedy to those who feel."
Simply using one of these will eventually get someone convicted of destroying evidence; assuming Toshiba doesn't have a master key for law enforcement.
Just how are they going to transfer the equipment and data without unplugging or pulling power?
http://www.wiebetech.com/products/HotPlug.php
Oh no! I always thought that was a myth..
Considering that there are 256 values possible for a given byte that's not quite as useless as one would think.
But rot13 only affects 52 of them.
The Tao of math: The numbers you can count are not the real numbers.