DBAN is obsolete. NIST 800-88 for some time now says to use secure erase or enhanced security erase or crypto erase if supported.

Other options do not erase data in remapped sectors.

Chris Murphy
Chris Murphy wrote:
> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase
> or enhanced security erase or crypto erase if supported.
>
> Other options do not erase data in remapped sectors.

dban doesn't? What F/OSS does "secure erase"? And does it do what dban's DoD 5220.22-M does?

mark, overkill
On 2/8/2016 2:14 PM, Chris Murphy wrote:
> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase or
> enhanced security erase or crypto erase if supported.
>
> Other options do not erase data in remapped sectors.

the only truly safe way to destroy data on magnetic media is to grind the media up into filings or melt it down in a furnace.

--
john r pierce, recycling bits in santa cruz
John R Pierce wrote:
> On 2/8/2016 2:14 PM, Chris Murphy wrote:
>> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase
>> or
>> enhanced security erase or crypto erase if supported.
>>
>> Other options do not erase data in remapped sectors.
>
> the only truly safe way to destroy data on magnetic media is to grind
> the media up into filings or melt it down in a furnace.
>

Well, no. Degaussing works, also. Plus, with current storage techniques, I've heard that one pass of whatever will make it unreadable. That was why I jokingly referred to DoD 5220.22-M as overkill, since it does 7 passes.

mark
On 2/8/2016 2:18 PM, m.roth at 5-cent.us wrote:
> dban doesn't? What F/OSS does "secure erase"? And does it do what dban's
> DoD 5220.22-M does?

do you even know what NISP Operating Manual 5220.22-M is? One thing it does NOT have is ANY specifications of methods of data erasure (it mentions data erasure in 2 short paragraphs, out of a 140 page book on security).

The Defense Security Service C&S-M (clearing and sanitization matrix) procedures state that magnetic disks will be degaussed or physically destroyed.

http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf

note that degaussing a hard drive made since the early 80s will erase its servo tracks and render it scrap.

there is no such thing as secure erasure. the whole silly 3 passes of random data followed by zeroing thing has been debunked numerous times. It MIGHT have worked in the days of MFM disks, when block sparing was an OS function, and the drives just provided a stream of 1s and 0s without recognizing 'sectors' (sectoring was done in the MFM disk controller board). With any modern storage device writing a single pass of zeros will do virtually the same thing, and is adequate to remove casual data but by no means good enough for any sort of government mandated security.

--
john r pierce, recycling bits in santa cruz
On Mon, February 8, 2016 4:22 pm, John R Pierce wrote:
> On 2/8/2016 2:14 PM, Chris Murphy wrote:
>> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase
>> or
>> enhanced security erase or crypto erase if supported.
>>
>> Other options do not erase data in remapped sectors.
>
> the only truly safe way to destroy data on magnetic media is to grind
> the media up into filings or melt it down in a furnace.

Without any intent to contradict... This article I found to be very instructive reading:

https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

As far as hard drives are concerned, it changed my mind about magnetic media (hard drives): from "you never will be able to securely destroy data" to "one pass of writing zeroes is sufficient for modern drives." Bringing platters over 1000 times deep into hysteresis back and forth is enough to destroy even residual magnetization related to magnetic domain aging... On modern drives though... No, I decided to not spoil it for those who decide to read that article.

One thing I learned from there: DRAM had a more persistent imprint of information that was sitting in it, which appears much harder to destroy than information on a hard drive.

I hope I intrigued you enough to go and read that article.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Mon, 2016-02-08 at 14:22 -0800, John R Pierce wrote:
> the only truly safe way to destroy data on magnetic media is to grind
> the media up into filings or melt it down in a furnace.

I unscrew the casing, extract the disk platter(s), slide a very strong magnet over both sides of the platter surface then bend the platter in half. How secure is that? I can't afford a machine that grinds everything into dust particles.

--
Regards,
Paul.
England, EU. England's place is in the European Union.
On Mon, Feb 8, 2016 at 3:18 PM, <m.roth at 5-cent.us> wrote:
> Chris Murphy wrote:
>> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase
>> or enhanced security erase or crypto erase if supported.
>>
>> Other options do not erase data in remapped sectors.
>
> dban doesn't? What F/OSS does "secure erase"? And does it do what dban's
> DoD 5220.22-M does?

http://dban.org/download

That DoD standard is also obsolete per NIST 800-88. There's zero evidence provided that 2 passes makes any difference compared to 1, let alone doing 7.

    hdparm --security-help

This takes the form of something like:

    hdparm --user-master u --set-security-pass chickens /dev/sdX
    hdparm --user-master u --security-erase-enhanced chickens /dev/sdX

The 2nd command doesn't return until completion. hdparm -I can give an estimate of how long it will take. For HDDs I've found it slightly overestimates how long it will take, but is generally pretty close. For SSDs it can be way off. It says 8 minutes for my SSD, but the command returns in 5 seconds and the SSD spits back all zeros.

Secure erase is really the only thing to use on SSDs. Writing a pile of zeros just increases wear (minor negative) but also doesn't actually set the cells to the state required to accept a new write, so you've just added a lot more work for the SSD's garbage collector and wear leveling, so it's going to be slower than before you did the zeroing. Secure erase on an SSD erases the cells so they're ready to accept writes.

--
Chris Murphy
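The hdparm sequence above fails in practice more often from the drive's security state than from the commands themselves: the erase is rejected when firmware has frozen the security feature set at boot, and a password set by the first command persists if the erase is interrupted. The script below is an added example, not code from the thread or from hdparm; it parses the "Security:" section of `hdparm -I` output to classify a drive before running the two commands Chris gives. It assumes the layout of that section (one indented keyword per line, "not" prefixed when a state is off; real hdparm separates fields with tabs, which the patterns tolerate), and the three sample outputs embedded in it are constructed, not captured from a real drive.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for ATA Secure Erase.
# Assumes the "Security:" section layout of `hdparm -I`; samples are constructed.

# Constructed sample: security feature set present, enhanced erase available,
# nothing frozen and no password enabled.
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: same drive after firmware issued SECURITY FREEZE LOCK
# at boot. Erase commands are rejected until the freeze is cleared (a
# suspend-to-RAM/resume cycle is the usual way to clear it).
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: drive without the ATA security feature set.
SAMPLE_NOSEC='Security:
    Master password revision code = 65534
    not supported'

# erase_readiness TEXT: classify a drive from its `hdparm -I` output.
# Prints one word: unsupported | frozen | enabled | enhanced | normal
erase_readiness() {
    # keep only the Security: block (up to the next unindented line)
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p')
    # a bare "supported" line (no "not", no colon) means the feature set exists
    if ! printf '%s\n' "$sec" | grep -qE '^[[:space:]]+supported$'; then
        echo unsupported; return 0
    fi
    if printf '%s\n' "$sec" | grep -qE '^[[:space:]]+frozen$'; then
        echo frozen; return 0
    fi
    # a user password is already set; the erase needs that password, not a new one
    if printf '%s\n' "$sec" | grep -qE '^[[:space:]]+enabled$'; then
        echo enabled; return 0
    fi
    if printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
        echo enhanced; return 0
    fi
    echo normal
}

# enhanced_erase DEVICE PASSWORD: the two-command sequence from the thread,
# run only when the drive is ready. Record PASSWORD somewhere safe: if the
# erase is interrupted the drive stays locked and only that password opens it.
enhanced_erase() {
    dev=$1; pass=$2
    state=$(erase_readiness "$(hdparm -I "$dev")")
    case $state in
        enhanced) ;;
        normal) echo "$dev: only basic SECURITY ERASE UNIT offered, not enhanced" >&2; return 1 ;;
        *)      echo "$dev: not ready for secure erase ($state)" >&2; return 1 ;;
    esac
    hdparm --user-master u --set-security-pass "$pass" "$dev" &&
    hdparm --user-master u --security-erase-enhanced "$pass" "$dev"
}

# Demo on the constructed samples only; no device is touched.
echo "SAMPLE_READY:  $(erase_readiness "$SAMPLE_READY")"    # enhanced
echo "SAMPLE_FROZEN: $(erase_readiness "$SAMPLE_FROZEN")"   # frozen
echo "SAMPLE_NOSEC:  $(erase_readiness "$SAMPLE_NOSEC")"    # unsupported
```

To use it on a real drive, source the file and call `enhanced_erase /dev/sdX somepassword` as root; the function refuses to issue either hdparm command unless the classifier reports `enhanced`, which is the mode the thread (and NIST 800-88's purge guidance for ATA drives) asks for. A `frozen` result is the case worth recognising on sight, since it is the most common reason the second command errors out on laptops and desktops whose firmware freezes the security state during POST.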