Re: [Fed-Talk] Secure erase of SSD drives?
- Subject: Re: [Fed-Talk] Secure erase of SSD drives?
- From: "Kolasinski, Brent D." <email@hidden>
- Date: Tue, 19 Mar 2013 16:28:31 +0000
- Thread-topic: [Fed-Talk] Secure erase of SSD drives?
I don't know if this would work, but has anyone looked into the security of the ATA Secure Erase command? This command is part of the ATA spec, and was avoided in the past because it only does a single pass on magnetic media. Is a single pass good enough for SSDs?
My understanding is that the command zeroes out all usable space on the SSD, and the "slack" space that most SSDs use for caching. Of course you will need to use a Linux live CD to issue the command, as I do not believe OSX has the ability to issue this command.
I have used this many times on personal SSDs, but I am not sure if it meets DoD specifications for a secure erase.
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
https://en.wikipedia.org/wiki/AT_Attachment#HDD_passwords_and_security
----------
Brent Kolasinski
Cyber Security Program Office
Argonne National Laboratory
Phone: 630-252-2546
From: <Neely>, Lee <email@hidden>
Date: Tuesday, March 19, 2013 10:42 AM
To: "Link, Peter R." <email@hidden>, "Danziger, Alan D." <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Secure erase of SSD drives?
Peter is right. Look to the revised SP 800-88 R1.
Use of cryptographic erase is the best path forward. That is essentially to use FV, then destroy the cryptographic key, leaving AES 256 Cipher Text.
If you really want to go crazy, do the above, then write random gunk to the drive, corrupting the Cipher Text – e.g. dd bs=512 if=/dev/random of=/dev/rdisk2 count=1000
Lee
From: <Link>, Peter Link <email@hidden>
Date: Tuesday, March 19, 2013 7:54 AM
To: "Danziger, Alan D." <email@hidden>
Cc: "fed-talk@lists. Talk" <email@hidden>
Subject: Re: [Fed-Talk] Secure erase of SSD drives?
Start here, sp800_88_r1_draft.pdf<http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-88-Rev. 1> and see what the recommended sanitization technique is. I also remember some articles discussing how SSDs work. I'll try and find them.
As for returning media to the vendor, we (LLNL) have a purchasing agreement that says they don't get the drives back no matter what.
On Mar 19, 2013, at 7:39 AM, "Danziger, Alan D." <email@hidden> wrote:
I'm not sure how helpful this is but my solution is to use FileVault 2 on the SSD. If it needs to be swapped out, I erase (remove the key), and all the data on the drive is (in theory, which I believe) irretrievable without "sufficiently advanced technology (= magic)" Certainly sufficient for my personal data.
"This does not reflect my employer's policies or preferences."
-=Alan
-----Original Message-----
From: fed-talk-bounces+aland=email@hidden [mailto:fed-talk-bounces+aland=email@hidden] On Behalf Of Dr. Brad Cox
Sent: Tuesday, March 19, 2013 10:21 AM
To: Dyson, Jennifer L CIV SPAWARSYSCEN-PACIFIC, 53521
Cc: Fed Talk
Subject: Re: [Fed-Talk] Secure erase of SSD drives?
Ran into that with a personal hard drive that needed warranty replacement. Apple INSISTED that I return the old drive undamaged or pay an exorbitant fee. Something about needing to monitor failure causes before tossing in a dumpster. A secure one they claimed ;)
Resolved that (to my satisfaction; probably not govt's) with a honking big drive erase magnet. Apple never objected. My next choice would be a hammer, tree chipper or the like.
Apple's not your friend in such cases.
On Mar 19, 2013, at 10:03 AM, "Dyson, Jennifer L CIV SPAWARSYSCEN-PACIFIC, 53521" <email@hidden> wrote:
We have a Mac SSD drive that will be put in for a warranty claim, but
when we went to do the secure DoD erase from Disk Utility, lo and
behold...it was greyed out. Further googling on the topic revealed that
there appears to be no secure way to wipe SSD drives...Seems to be a way
to recover data no matter what...and even if you do some of the
overwrite methods, you will degrade the performance terribly (not a big
deal in this case since we are sending it back to the manufacturer)
What?!?!?!? How did I miss this little tidbit of information! I then
saw that the only possible way would be to use something specifically
from the hardware manufacturer (in this case it was Samsung...and I see
no way to use their tool on the MAC) Does anyone have any suggestions?
What would be the DoD approved method? Haha...probably destruction
only! Although I am worried about this for home computers as well....
https://discussions.apple.com/docs/DOC-3191
/Jen
Jennifer Dyson
SSC-PACIFIC Code 53521
email@hidden
DCO Jabber - jennifer.dyson
"Let food be thy medicine and medicine be thy food" - Hippocrates
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Dr. Brad J. Cox Cell: 703-594-1883 Blog: http://bradjcox.blogspot.com http://virtualschool.edu
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden<mailto:email@hidden>
The contents of this message are mine personally and do not reflect the views or position of the U.S. Department of Energy, Federal Government, National Nuclear Security Administration, Lawrence Livermore National Security, or Lawrence Livermore National Laboratory.
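Added example, not part of the original thread: the first message suggests issuing ATA Secure Erase from a Linux live CD, and before doing so it is worth checking the drive's security state. The shell function below reads the "Security:" section of `hdparm -I` output and reports whether the drive is in a state where the erase command can be accepted. The sample text is constructed, and the function and status names are this example's own.

```shell
#!/bin/sh
# Classify the "Security:" section of `hdparm -I` output read from stdin.
# Prints: unsupported | frozen | locked | password-set | ready | ready-enhanced
ata_erase_readiness() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # a new top-level section ends it
        !insec             { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            neg = (line ~ /^not[ \t]/)      # hdparm prefixes cleared flags with "not"
            sub(/^not[ \t]+/, "", line)
            if      (line == "supported") supported = !neg
            else if (line == "enabled")   enabled   = !neg
            else if (line == "locked")    locked    = !neg
            else if (line == "frozen")    frozen    = !neg
            else if (line ~ /^supported: enhanced erase/) enhanced = !neg
        }
        END {
            if      (!supported) print "unsupported"     # no security feature set
            else if (frozen)     print "frozen"          # erase rejected until unfrozen
            else if (locked)     print "locked"          # must be unlocked first
            else if (enabled)    print "password-set"    # a user password is already set
            else if (enhanced)   print "ready-enhanced"
            else                 print "ready"
        }'
}

# Constructed sample: Security section of a drive that can accept the erase.
sample_ready() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
}

# Constructed sample: the same drive reported as frozen.
sample_frozen() {
    sample_ready | awk '{ sub(/^\tnot\tfrozen$/, "\t\tfrozen"); print }'
}

# On a real system (device name is a placeholder):
#   hdparm -I /dev/sdX | ata_erase_readiness
```

A result of `frozen` means the drive will refuse the security commands until that state is cleared, so the erase should not be reported as done on the strength of the command having been typed.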