Re: [Fed-Talk] Secure erase of SSD drives?
- Subject: Re: [Fed-Talk] Secure erase of SSD drives?
- From: "Marcus, Allan B" <email@hidden>
- Date: Thu, 21 Mar 2013 23:35:55 +0000
- Thread-topic: [Fed-Talk] Secure erase of SSD drives?
Yes, we have, but not for SSD drives. The UCSD research states that not
all SSD manufacturers implement secure erase properly on SSDs, since there
is no way to know if it works (other than peeking at the 'sectors', which
I'm not sure you can do on an SSD).
We use WipeDrive as our official drive eraser software specifically
because it supports secure erase.
--
Thanks,
Allan Marcus
Chief IT Architect
Los Alamos National Laboratory
505-667-5666
email@hidden
On 3/19/13 10:28 AM, "Kolasinski, Brent D." <email@hidden> wrote:
>I don't know if this would work, but has anyone looked into the security
>of the ATA Secure Erase command? This command is part of the ATA spec,
>and was avoided in the past because it only does a single pass on
>magnetic media. Is a single pass good enough for SSDs?
>
>My understanding is that the command zeroes out all usable space on the
>SSD, and the "slack" space that most SSDs use for caching. Of course you
>will need to use a Linux live CD to issue the command, as I do not
>believe OSX has the ability to issue this command.
>
>I have used this many times on personal SSDs, but I am not sure if it
>meets DoD specifications for a secure erase.
>
>https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
>https://en.wikipedia.org/wiki/AT_Attachment#HDD_passwords_and_security
>
>----------
>Brent Kolasinski
>Cyber Security Program Office
>Argonne National Laboratory
>Phone: 630-252-2546
>
>
>From: <Neely>, Lee <email@hidden>
>Date: Tuesday, March 19, 2013 10:42 AM
>To: "Link, Peter R." <email@hidden>, "Danziger, Alan D." <email@hidden>
>Cc: "email@hidden" <email@hidden>
>Subject: Re: [Fed-Talk] Secure erase of SSD drives?
>
>Peter is right. Look to the revised SP 800-88 R1.
>
>Use of cryptographic erase is the best path forward. That is essentially
>the use of FV, then destroy the cryptographic key, leaving AES 256 Cipher
>Text.
>
>If you really want to go crazy, do the above, then write random gunk to
>the drive, corrupting the Cipher Text. E.g. dd bs=512 if=/dev/random
>of=/dev/rdisk2 count=1000
>
>Lee
>
>
>From: <Link>, Peter Link <email@hidden>
>Date: Tuesday, March 19, 2013 7:54 AM
>To: "Danziger, Alan D." <email@hidden>
>Cc: "fed-talk@lists. Talk" <email@hidden>
>Subject: Re: [Fed-Talk] Secure erase of SSD drives?
>
>Start here,
>sp800_88_r1_draft.pdf<http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-88-Rev. 1>
>and see what the recommended sanitization technique is.
>I also remember some articles discussing how SSDs work. I'll try and find
>them.
>
>As for returning media to the vendor, we (LLNL) have a purchasing
>agreement that says they don't get the drives back no matter what.
>
>
>On Mar 19, 2013, at 7:39 AM, "Danziger, Alan D." <email@hidden> wrote:
>
>I'm not sure how helpful this is but my solution is to use FileVault 2 on
>the SSD. If it needs to be swapped out, I erase (remove the key), and
>all the data on the drive is (in theory, which I believe) irretrievable
>without "sufficiently advanced technology (= magic)". Certainly
>sufficient for my personal data.
>
>"This does not reflect my employer's policies or preferences."
>
> -=Alan
>
>-----Original Message-----
>From: fed-talk-bounces+aland=email@hidden
>[mailto:fed-talk-bounces+aland=email@hidden] On Behalf Of Dr. Brad Cox
>Sent: Tuesday, March 19, 2013 10:21 AM
>To: Dyson, Jennifer L CIV SPAWARSYSCEN-PACIFIC, 53521
>Cc: Fed Talk
>Subject: Re: [Fed-Talk] Secure erase of SSD drives?
>
>Ran into that with a personal hard drive that needed warranty
>replacement. Apple INSISTED that I return the old drive undamaged or pay
>an exorbitant fee. Something about needing to monitor failure causes
>before tossing in a dumpster. A secure one they claimed ;)
>
>Resolved that (to my satisfaction; probably not govt's) with a honking
>big drive erase magnet. Apple never objected. My next choice would be a
>hammer, tree chipper or the like.
>
>Apple's not your friend in such cases.
>
>On Mar 19, 2013, at 10:03 AM, "Dyson, Jennifer L CIV
>SPAWARSYSCEN-PACIFIC, 53521" <email@hidden> wrote:
>
>We have a Mac SSD drive that will be put in for a warranty claim, but
>when we went to do the secure DoD erase from Disk Utility, lo and
>behold...it was greyed out. Further googling on the topic revealed that
>there appears to be no secure way to wipe SSD drives...Seems to be a way
>to recover data no matter what...and even if you do some of the
>overwrite methods, you will degrade the performance terribly (not a big
>deal in this case since we are sending it back to the manufacturer)
>What?!?!?!? How did I miss this little tidbit of information! I then
>saw that the only possible way would be to use something specifically
>from the hardware manufacturer (in this case it was Samsung...and I see
>no way to use their tool on the MAC) Does anyone have any suggestions?
>What would be the DoD approved method? Haha...probably destruction
>only! Although I am worried about this for home computers as well....
>
>https://discussions.apple.com/docs/DOC-3191
>
>
>
>
>/Jen
>Jennifer Dyson
>SSC-PACIFIC Code 53521
>email@hidden
>DCO Jabber - jennifer.dyson
>
>"Let food be thy medicine and medicine be thy food" - Hippocrates
>
>_______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Fed-talk mailing list
>(email@hidden)
>Help/Unsubscribe/Update your Subscription:
>
>This email sent to email@hidden
>
>Dr. Brad J. Cox Cell: 703-594-1883 Blog: http://bradjcox.blogspot.com
>http://virtualschool.edu
>
>
>Peter Link
>Cyber Security Analyst
>Cyber Security Program
>Lawrence Livermore National Laboratory
>PO Box 808, L-315
>Livermore, CA 94551-0808
>email@hidden
>
>The contents of this message are mine personally and do not reflect the
>views or position of the U.S. Department of Energy, Federal Government,
>National Nuclear Security Administration, Lawrence Livermore National
>Security, or Lawrence Livermore National Laboratory.
>
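Added example, not part of the original thread: a read-back check of the kind the top message alludes to ("peeking at the sectors"), run after an ATA Secure Erase or overwrite. The function names, the 512-byte sector size, and the all-0x00/all-0xFF "erased" patterns are assumptions of this sketch, and the image it scans is constructed inline.

```python
import os
import random
import tempfile

SECTOR = 512  # logical sector size assumed for this example
ERASED = (b"\x00" * SECTOR, b"\xff" * SECTOR)  # patterns accepted as "erased"

def pick_sectors(total, samples, seed=0):
    """One pseudorandom sector per equal-sized region, plus first and last,
    so every part of the logical address space is represented."""
    if total <= 0:
        return []
    rng = random.Random(seed)  # fixed seed makes the audit repeatable
    samples = max(1, min(samples, total))
    picks = {0, total - 1}
    for i in range(samples):
        lo = i * total // samples
        hi = (i + 1) * total // samples  # exclusive upper bound of region i
        picks.add(rng.randrange(lo, hi))
    return sorted(picks)

def find_residue(path, samples=1000, seed=0):
    """Return the sampled sector numbers (LBAs) that still hold data."""
    residue = []
    with open(path, "rb") as dev:
        total = dev.seek(0, 2) // SECTOR  # size of an image file or block device
        for lba in pick_sectors(total, samples, seed):
            dev.seek(lba * SECTOR)
            if dev.read(SECTOR) not in ERASED:
                residue.append(lba)
    return residue

def demo():
    """Constructed 1 MiB image: zeroed except two sectors of leftover data."""
    total = 2048
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * SECTOR * total)
        for lba in (100, 2047):
            img.seek(lba * SECTOR)
            img.write(b"leftover user data".ljust(SECTOR, b"."))
    try:
        return find_residue(img.name, samples=total)  # samples == total: full scan
    finally:
        os.unlink(img.name)

if __name__ == "__main__":
    print("sectors with residue:", demo())
```

A clean result only covers what the drive exposes through its logical block addresses; spare and remapped flash cannot be read this way, so the check can show that an erase failed but not prove that it succeeded. After a cryptographic erase the remaining ciphertext will be reported as residue, so this check fits secure erase and overwrite, not key destruction.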