Forgot your password?
typodupeerror
Encryption Data Storage Government IT

Ask Slashdot: Data Remanence Solutions? 209

Posted by samzenpus
from the disintegration-ray dept.
MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Data Remanence Solutions?

Comments Filter:
  • by quanticle (843097) on Wednesday November 23, 2011 @03:42PM (#38151370) Homepage
    There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
    • +1 on D-BAN.
      One of the best uses of the Linux kernel ever!
      Not to mention on hell of a fine piece of software.
    • by 1729 (581437) <slashdot1729.gmail@com> on Wednesday November 23, 2011 @04:00PM (#38151582)

      There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

      How do you verify that the software does this correctly, and that it hasn't been tampered with? What if a drive is mishandled and doesn't get wiped? And if there's a process to do this correctly and with no chance of failure, is it worth that effort to recycle some old hard drives?

      Where I work, hard drives with less-sensitive data can be reused; other ones are ground up into little bits. Data cannot be recovered(*) from a thoroughly destroyed hard drive. What assurance is there for a software solution?

      (*) To the best of my knowledge. Maybe NSA can piece together the dust of a hard drive, but I highly doubt it.

      • by Anonymous Coward on Wednesday November 23, 2011 @04:10PM (#38151690)

        How much checking could a checker check if a checker checkering checked checks to check the checks that checked the checkering checker?

      • by SnarfQuest (469614) on Wednesday November 23, 2011 @04:49PM (#38152138)

        A lot of disks have "bad sector" replacement. When a sector starts to be unreadable, it replaces that sector with a spare one set aside for that purpose. Does the software wipe out these revectored sectors, or can someone read those old sectors after software overwrite?

        It depends on the security threat on how serious you need to be about wiping data off drives. Sometimes just 'rm'ing files is enough. Sometimes dropping them in a volcano isn't enough.

      • by quanticle (843097)

        Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.

        As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?

        • by 1729 (581437)

          Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.

          This requires a) proving that the software is correct and b) verifying that the compiled result hasn't been tampered with. For the latter, I'll refer you to http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com].

          As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?

          Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed (along with inventory checks on all hard drives being removed from a facility) than it is to verify that a hard drive has been properly wiped.

          • by nabsltd (1313397) on Wednesday November 23, 2011 @06:03PM (#38153024)

            Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed

            Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them). How do you verify that your data was destroyed?

            One way would be to send a backup (or SHA1 hash) of the data on the drive to the data destruction facility and have them verify that the data on drive serial number 123456789 is what it is expected to be before destruction. If you aren't doing something like this, then you have no way of knowing whether your data is really gone or not. If you think this sort of thing can't happen, read some of the stories about how people get back the wrong ashes from cremations.

            • by 1729 (581437)

              Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed

              Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them).

              If someone wants your data and they have enough access that they can actually swap platters and smuggle the data out, then you're already in trouble. Destroying a hard drive makes it a lot less likely that data will be inadvertently leaked.

              • by SomePgmr (2021234)
                Yeah that's some seriously paranoid international espionage shit. If the stuff is that dangerous and valuable, I'd think you could have the shredding hw brought to you and watch the things go in... or ask the NSA or CIA to deal with the drives for you.
    • by msauve (701917)
      dd if=/dev/random of=/dev/sdx

      is free, and just as good.
      • by Calos (2281322)

        shred -n# -v /dev/sdx where # is the number of passes to make.

      • by Shatrat (855151)
        If you actually try this, it will take forever to finish due to the /dev/random seeds being quickly exhausted. The computer will have to wait for new seeds from mouse inputs et cetera.
        pseudo-random is also slow.
        /dev/zero or /dev/one is as fast as the i/o can work and just as non-recoverable for all practical purposes, urban legends aside.
    • by Joce640k (829181) on Wednesday November 23, 2011 @04:04PM (#38151628) Homepage

      The old "You can recover data even after it's overwritten" thing is a myth [wikipedia.org].

      Today's bit densities are so high that it simply isn't going to happen.

      Format them. Run a small program to write a file (can be the output of a RNG if you want) until the disk is full. Job done.

      Or, as mentioned, use one of the many programs available for this.

      Take the "repeatedly overwrite" thing with a pinch of salt unless you really enjoy sitting there watching hard drive lights blinking.

      • by Sancho (17056) * on Wednesday November 23, 2011 @04:32PM (#38151940) Homepage

        Yes, but this is a government contract with specific destruction requirements. Go complain to the feds if you don't like the myth. Or maybe the government knows something we don't. Who knows?

        • Re: (Score:2, Informative)

          by Anonymous Coward

          The contract has explicit instructions, which your company knew when bidding the job. So, you've been paid to destroy those drives, whether your accounted it that way or not.

          Do not put your company at risk of defrauding the government.

      • by LordLimecat (1103839) on Thursday November 24, 2011 @03:10AM (#38155890)

        Its not a myth, its a theoretical possibility that either noone has the current capability to do, or they do and its simply too cost prohibitive, or else we simply dont know about it. Thats not terribly reassuring if youre dealing with data whose leak might cause jail time.

        As for formatting, depending on how you format the drive, it may or may not overwrite the data at all and may leave it ripe for the picking.

        Honestly, if youre dealing with government and they say "we want the drives shredded", DBAN set to a DoD approved setting MIGHT be a reasonable suggestion, as would encryption (as we can actually quantify the risk there, and it is vanishingly small), but saying "ah, just zero it once or format it, it doesnt make a difference" sounds incredibly foolhardy.

    • Do it the "right" way. Use the Secure Erase command added to the ATA and SCSI interface specs. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml. Funded by the NSA until recently.
      • by Moryath (553296)

        That's great IF your motherboard actually supports the command. A surprising number of SATA controllers will refuse to transmit the command (something about NSA involvement there too)...

    • by mlts (1038732) * on Wednesday November 23, 2011 @04:14PM (#38151740)

      I like combining DBAN with HDDErase.

      HDDErase will do an ATA low-level secure erase that tells the controller to zero out all sectors. Even though that are on the relocated table which would be inaccessible via normal software solutions.

      After HDDErase does its job (which it does in a pretty quick amount of time since there is no I/O involved, but just the write head laying down zeros), running DBAN on the drive adds further insurance. Realistically, this will remove all data.

      Of course, prevention is a good idea as well. This is why I have some type of FDE software on my drives. This way, a simple zeroing out of the drive will be enough. In fact, the format command in Windows will check to see if a disk is BitLocker protected and zero out the places where the volume key resides, so even if someone knew the password to the drive, it will do them no good.

    • by Anonymous Coward on Wednesday November 23, 2011 @04:18PM (#38151784)

      There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

      Some classifications of data require destruction of media. See NIST SP 800-88:

      http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

      In NIST/DoD parlance, what DBAN is cleaning/purging; i.e., either overwrite, or invoke the SATA Secure Erase command. Degaussing is also classified as purging (though the disk becomes unusable AFAIK); degaussing is better suited towards tapes IMHO.

      You also need to Validate that it has been done, and document that fact for each drive that has been sanitised.

      The OP will have to ask the contract manager at what level the information is considered at (low, medium, high) and then make plans accordingly. If it's high security, one can simply purge the media if you want to re-use the media with-in an organization, but if you ever want to toss the disk (or even if it's in a RAID array and you need to replace because it died), you need to destroy it and record that fact.

      So if your EMC/NetApp/Dell array has sensitive information, you can't send it back to the OEM if sensitive data ever touched it: you have to make arrangements with the OEM so that you can destroy it. Ditto for your laptop/desktop drives: if Lenovo/HP want/s the drive back, they can't have it as otherwise you'll be breaking your contract with the government.

    • by EdZ (755139) on Wednesday November 23, 2011 @04:24PM (#38151840)
      No need even for DBAN. Unless you're using truly ancient decade-old HDDs, use the ATA SECURE ERASE command built into the HDD controller. Much faster than DBAN, and wipes not only the accessible sectors but sectors in the G-list. Plus it's NIST and NSA approved, so it should be complaint with any government requirements for data destruction.

      It also effectively returns non-TRIM SSDs to a factory state. Remember: when used on SATA drives, set your bios to IDE compatibility mode, not AHCI.
    • by nahdude812 (88157) *

      Yep, this is better than encrypting the drive in that it's possible to secret away a copy of the encryption key and later unlock all the data, or perhaps the algorithm used for encryption gets broken, so suddenly the data is readable again, and so forth.

      Encryption offers no advantage over a strict drive wipe, particularly with random data. Realistically multiple passes are not needed because modern bit densities make it improbable that magnetic memory can be meaningfully recovered. Thinking it does demons

    • by Local ID10T (790134) <ID10T.L.USER@gmail.com> on Wednesday November 23, 2011 @04:30PM (#38151916) Homepage

      D-BAN is great... but if the contract says "Thou shalt turn over thy hard drives for destruction..." then its already been agreed on, and the cost was factored into the bid. Deal with it.

    • by DragonHawk (21256) on Wednesday November 23, 2011 @09:03PM (#38154562) Homepage Journal

      It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.

      Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:

      Since Oct 2007, when ISL 2007-01 [dss.mil] (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.

      Degaussing has to be done using a deguasser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)

      Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the curie point. You can't just toss it in any old shredder.

      You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.

      Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.

      Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 [nist.gov] is one; it allows for sanitization by overwrite, IIRC.

  • by WhitePanther5000 (766529) on Wednesday November 23, 2011 @03:43PM (#38151376)
    ...burn it to an optical disc, then shred the disc! :)
    • by PhilHibbs (4537) <snarks@gmail.com> on Wednesday November 23, 2011 @04:15PM (#38151744) Homepage Journal

      You've said it better than I could - and I'd go further to say that the fact that he considered encrypting the data and then destroying the key indicates that the OP is incompetent to be doing this kind of work. You don't destroy data by making an unreadable copy of it. You destroy it by destroying it, which could mean physical destruction, or could mean multiple overwrites (but the face that the government requirements state physical destruction implies that they have already considered and rejected this option).

      • by Chelloveck (14643)

        This. Think about it. The data's on the disk in the clear. You're either going to overwrite it with random bits, or with an encrypted version of itself. Magnetically there's not a lot of difference there. If the original data can be retrieved in one scenario it can be retrieved in the other one. What's more, if you're encrypting rather than overwriting with garbage, now you have the encrypted data that can be attacked. (Obviously if the cleartext never hits the hard drive in the first place it's a co

  • DBAN (Score:5, Informative)

    by jd142 (129673) on Wednesday November 23, 2011 @03:43PM (#38151386) Homepage

    DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.

    If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.

    • by whoever57 (658626)

      What about re-mapped sectors? Writing to the drive only destroys data on sectors that have not been re-mapped.

      This may not be an issue because it might be a good idea to not reuse any drives with remapped sectors so those could go for shredding.

  • Your Problem (Score:2, Insightful)

    by CanHasDIY (1672858)
    ... is that your idea is logical, rational, and sensible, and therefore will not be considered an acceptable solution.

    I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.

    Hell, they might give you a fucking medal for that.
  • Depends..... (Score:2, Insightful)

    by Anonymous Coward

    Assuming it a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.

  • If you just need to destroy the data then why not write random garbage to the entirety of each drive several times?

    That's more certain for not being able to recover the data than using some encryption, which still has some structure and so with the application of sufficient time and resources might be recoverable.

    There must be some sort of government/military specification for data disposal along the "write random garbage" lines which would satisfy your clients.

    • by tippe (1136385)

      Why not do both? Write encrypted random garbage to the hard disks. Everyone is happy!

      • by greg1104 (461138)

        Writing random garbage to disk is the one place that ROT-13 encryption is actually good enough for.

      • by Guspaz (556486)

        Encrypting truly random data does not make it more random... You could argue that getting enough entropy to do that without an external random number generator would be hard, although Intel's upcoming chips have a DRNG that can pump out good quality entropy to go into the system RNG at speeds faster than an HDD can write sequentially.

  • why don't you just set them to random bits, if that is the goal.

    don't go writing that report, you'd sound silly. unless your superiors are really, really dumb.

  • It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand that due to the size of a bit on a modern hard drive that it is impossible to read something that has been overwritten.

  • Easy Peasy (Score:5, Insightful)

    by danwesnor (896499) on Wednesday November 23, 2011 @03:48PM (#38151434)
    If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer letter requesting the requirement be deffered until the end of the new contract.
    • Re:Easy Peasy (Score:4, Informative)

      by rjstott (209851) on Wednesday November 23, 2011 @04:12PM (#38151718)

      Totally agree, if the contract is renewed the destruction can't be necessary until termination of the extension UNLESS this is not a renewal but a NEW contract. THEN you need to ask for a WAIVER

    • by malx (7723) on Wednesday November 23, 2011 @07:29PM (#38153852)

      I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.

      As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?

      Your contact negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.

      As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.

  • See here:

    http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data [wikipedia.org]
    http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf [nist.gov]

    Zero-fill (full disk, including bad sectors) is good enough unless there's some top-secret spy tech that you need to protect against (SQUID transducers is one thing I heard?)

  • The contract... (Score:5, Insightful)

    by Taelron (1046946) on Wednesday November 23, 2011 @03:49PM (#38151454)
    The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
    You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
    • Pretty much. Next time read the friggin' contract, subby. If you don't adhere to the terms of the contract and the government finds out, this could well be your company's last government contract. If you're lucky.

  • by sirwired (27582) on Wednesday November 23, 2011 @03:50PM (#38151462)

    Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.

    Make sure your negotiators don't foul this up for future contracts.

    • by tlhIngan (30335) <(ten.frow) (ta) (todhsals)> on Wednesday November 23, 2011 @04:17PM (#38151780)

      Exactly. They'll want certificates proving the drives were destroyed per the contract.

      Part of your contract bottom line includes the cost of replacing those drives. If your company bid too low and won't make a profit, that's really a shame, but that's something you'll have to take up with the salesperson who wrote the proposal.

      Also, realize that hard drives are only expensive *NOW*. Remember what happened in Japan that was supposed to kill the electronics market until the end of the year? In 6 month's time, the prices of hard drives will come back down. Unless your contract is only a month long, the destruction probably won't happen until then, which is probably a year or more down the road (unless it gets renewed again). In the mean time, you only destroy hard drives of PCs that are being decomissioned, so they've already been replaced and no issue at all.

      Also - why are you trying to find ways around it? It's in the contract and you wouldn't have gotten it if you didn't agree to the requirement. Is it really to save the company a few bucks? Or is it the inner geek who can't see the sight of tossing a 500GB drive away?

      • by Thing 1 (178996)

        Or is it the inner geek who can't see the sight of tossing a 500GB drive away?

        Or more likely, the inner somethingelse, who can't see the sight of tossing 500GB of mineable data away?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I think you're looking at it the wrong way.

      If the original contract requires the destruction of equipment, then the original contract price covers that. Not destroying the hard drives means you should give some money back to the government since you're not completing the work you were paid for.

      If they allow old equipment to be used for the new contract there should be a discount on the new contract to account for this.

  • Why are you destroying the disks? Do you not need any of that data?

    Why not request an addendum to the contract that postpones the destruction until a time when the contract is not renewed, or the disks fail (whichever comes first)?

    As suggested by others, DBAN is good, or my preferred method is:
    write garbage

    dd if=/dev/urandom of=/dev/disk

    then write zeros

    dd if=/dev/zero of=/dev/disk

  • The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data. If you hand over all the media that the data is on for shredding, and it gets cataloged and then shredded, any bean counter can look and say "see? here's the certificate that says it was destroyed." If you erase it and promise "I erased it! I swear! Honest!", there's not much to look at when they do their audit.
    • by qw(name) (718245)

      ...and when they don't find the proof of destruction, your company loses the contract, you get fired for not following process resulting loss of contract or the company folds due to loss of revenue because of the loss of the contract.

      • Exactly. (I'm suggesting that they destroy the media per contract, not try to find some cute way around it to save a dollar.)

        If the contract in future can be negotiated to have the drives wiped instead of shredded, blessings.

    • by mlts (1038732) *

      That is why you do a two tier destruction process in these situations:

      Tier 1 consists of a software erase, a physical degaussing and damaging the drive physically (but still keeping it in one piece). This can be accomplished either by drilling holes in the platters, or having a hydraulic ram bend the drive.

      Tier 2 consists of handing the stack of bent drives to Iron Mountain or the shredding place who has the shredder online, who will hand back a certificate of destruction.

      This way, the auditors are happy b

  • 1) When it comes to classified data, physical destruction is typically required
    2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.

    Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.

    But if you CAN change the contract, then just change it to allow DoD-wiping or similar.

    I think there may be a political reason to require destroying the drives and buying new

  • Don't try to find ways to cut costs or save money by skirting around your contractual obligations. You contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.

    If you have a Security department, take you concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.

  • Replacing the drives might not be a bad idea.

    If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to 200 depending on whether desktop or workstation).

    The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send out for s

  • by Saint Aardvark (159009) on Wednesday November 23, 2011 @03:58PM (#38151564) Homepage Journal

    I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract [mendeley.com]:

    This paper is about how to keep data for a finite time, and then make it unrecoverable after that. It is difficult to ensure that data is completely destroyed. To be available before expiration it is desirable to create backup copies. Then absolute deletion becomes difficult, because even after explicitly deleting it, copies might remain on backup media, or in swap space, or be forensically recoverable. The obvious solution is to store the data encrypted, and then delete the key after expiration.

    Google turns up this copy in PDF [filibeto.org].

    Hope that helps!

  • > I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed

    How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.

    • by gweihir (88907)

      Simple: Key on usb-key, destroy that. Or use passphrases that unlock the key and destroy the master-key. For example, LUKS is implemented that way with explicit anti-forensic splitting of the master-key, i.e. if you successfully wipe just a few bytes of the master key blown up to about 100kB, you are quite secure.

  • by Rinisari (521266) on Wednesday November 23, 2011 @04:02PM (#38151608) Homepage Journal

    I came here expecting an eye-opening discussion regarding some some emerging theory of systems administration regarding "data romance".

    Son, I am disappointed.

  • As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly noting for reallocated blocks. (Even more so for SSDs and flash-drives).

    For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.

    But t

    • by PhilHibbs (4537)

      Er... if overwriting is not sufficient due to defective sectors, then how does encrypting the data deal with those defective sectors? And how does writing an encrypted version to a SSD do a better job than writing random data to a SSD? It's worse, because you can write data to the entire SSD whereas encrypting will only write as much as you encrypt, leaving some blocks unwritten.

  • by Alex (342) on Wednesday November 23, 2011 @04:08PM (#38151672)

    There are a number of good posts on here, and a lot of people saying "use DBAN".

    99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.

  • What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.

    It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.

  • The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.

    There hands may be tied by regulations that require physical destruction; in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them

  • So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...

    L8r

    • by Firethorn (177587)

      Just because a wipe utility says it can do a DoD wipe, doesn't mean it does. Even if it does(likely), doesn't mean that the NSA&DoD has tested/audited said program to ensure that it meets the required standards(suprisingly unlikely).

  • If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.

    The time to have provided for an non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep

  • Where I work (non-govermental) they are required by law to ensure data is not recoverable from surplus or decomissioned systems, even desktops and notebooks. 'Ensure' means to guarantee upon legal and regulatory penalties up to and including forfeiture of profits and punitive damages in excess of the company's net worth and revenue. In other words, the penalty is bankruptcy and dissolution.

    We wish to avoid that.

    There is, sadly, only one absolutely guaranteed method of preventing data recovery, and that is

  • Drive destruction requirements should have been forseen and incorporated into the budget.

    So what if it's "expensive"? It's a cost of doing business, like toilet paper. The fetish for saving hard disks is silly.

  • Slashdotters rightfully complain about poor government security, but for some reason snivel about destroying hard disks.

    Hard disks aren't "expensive" nowadays. Classified data loss OTOH can be VERY expensive.

    Shred the fucking drives.

Programmers do it bit by bit.

Working...