Secure Hard Drive Destruction in Data Centers


Security experts have known for some time that simply deleting a key is not sufficient. As Blom states, “cryptographic keys have a way of hanging around long after they are no longer needed.” The problem is that while the key itself may be a small amount of data, it is used to unlock a much larger store of encrypted information, usually the entire contents of the hard drive. Whether the key is stored on the drive itself or on some other storage media, merely erasing it does not make the encrypted data inaccessible. This is because encryption changes nothing but the form of the data: it is transformed into unreadable ciphertext, and that ciphertext is stored in the same place the original data was located. To make the encrypted data unrecoverable, the key must be destroyed, after which the ciphertext may additionally be overwritten with random garbage data.

It is a simple matter to securely erase data from a hard drive to the extent that the information cannot be recovered. However, the same is not true for the cryptographic keys.

Importance of Secure Hard Drive Destruction

In today’s world of identity theft and corporate espionage, the improper disposal of end-of-life storage devices can lead to serious data breaches. Consumer dumping and second-hand IT equipment markets in countries with low environmental and safety standards can result in hard drives holding sensitive data ending up in the hands of attackers. To protect against this, the only effective method is to physically destroy the media. However, traditional destruction methods involving acids, degaussing, and shredding can render some types of data unrecoverable but are not suitable as a first-instance method of data destruction because of environmental and health concerns. A more secure and environmentally friendly solution is to use cryptographic techniques to render the data unrecoverable and then follow up with physical destruction of the media.

When end-of-life storage devices are to be disposed of or recycled, overwriting the media with standard data is not sufficient to guarantee that the data is sanitized. In the case of hard disk drives, the read/write heads can detect residual magnetic signals even after the data has been overwritten. Similarly, there are devices and techniques for reading what was previously stored on certain types of EEPROM and flash memory. In these cases, a technique that removes all traces of the data, known as data destruction, is necessary. An example is given in the US Department of Defense media sanitization standard [1].

Today’s data centers face a number of statutory and regulatory requirements regarding data erasure. One of the more troublesome requirements involves the complete destruction of data.

Overview of Cryptographic Key Erasure and Physical Key Removal Techniques

There are two chief types of cryptographic key erasure, with variations: clearing, which removes the plaintext key from storage, and sanitization, which renders the plaintext key unrecoverable by using the ciphertext. First, the purpose of key erasure should be examined. When the respected Peter Gutmann wrote his 1996 article [4], it was commonly believed that the goal of erasing cryptographic keys was to make the key as difficult to recover as possible, using the analogy that “if the only cost of the recovery is $10,000,000 of CPU time, then the old key is not truly destroyed”. This may have been true 15 years ago; however, the cost of recovering cryptographic keys and disk data has not kept pace with increasing key strengths and the ability to quickly access large amounts of data. An example would be using a simple function to encrypt a large dataset, where one encrypts a secret key with the dataset’s key and then uses the same function to destroy the large dataset. Encryption would be a low-cost, high-value operation, and the data owner would be able to quickly regenerate the large dataset key and attempt to recover the old dataset key and ciphertext. It is quite clear that erasing the old dataset key and ciphertext using the same encryption destruction function would be adequate, because of the comparative value and low cost of destroying it, and this is most likely what occurs in modern storage scenarios. Because of the high cost and complexity of user training and of providing a method to erase specified keys’ data, data centers would most likely either erase all encrypted data when the value of the data or of re-encryption is proportionate, or discard the entire storage media for a replacement.

Cryptographic Key Erasure Techniques

Some encryption systems commit new encryption keys before overwriting the older version of the record. This is done to prevent the loss of data if the system fails before the record can be rewritten. Secure Erase does not provide a way to remove the key without erasing the entire disk. Data that must stay encrypted does not get decrypted; however, the unencrypted data is exposed by a new encryption, and the key for this unencrypted data is still present. This unencrypted data is often file system metadata, and the new encryption is exposed when the new metadata is committed. The net effect is a compromise of data security. Secure Erase for ATA disks specifies a method for requesting that a drive erase its data sectors. It is part of the ATA specification and thus supported by all such drives. Unfortunately, it is known that Secure Erase methods do not actually erase all the data from the disk, and in some cases it may be possible to reconstruct original data from an erased disk using a method known as magnetic force microscopy. This method is, however, entirely impractical for the average attacker.

Secure Erase

On the downside, Secure Erase is known to have vulnerabilities where certain pieces of data have time-based retention, and thus the data may still be recoverable in the future. In an attempt to counter this problem, the Enhanced Secure Erase feature was added, which overwrites the entire disk with a zero pattern; this is also not fail-safe.

With Secure Erase, a hard drive is reset to a factory state by overwriting and erasing all the data on the drive. The drive is then tested and checked for any errors. If errors are found, the drive will be marked as failed. This method provides good security in that it assures data is completely and securely erased. It is also very efficient compared to other methods because it works at the hardware level, and no software needs to be installed on the drive it sanitizes.

Secure Erase is a standard for securely erasing data from a hard drive. It is defined by the American National Standards Institute (ANSI) and utilizes commands built into the firmware of ATA hard drives. Recent revisions of the standard also allow it to work with SATA interface drives.
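As an added example (not code from the original article), the following Python script reads the Security section of `hdparm -I` output and decides whether an ATA Secure Erase can be issued, which is the check a practitioner makes before sanitizing a drive this way. The sample output is constructed to match hdparm's layout on Linux, the device name `/dev/sdX` is a placeholder, and the `hdparm` invocations are only printed, never run.

```python
"""Pre-flight check for an ATA Secure Erase, parsed from `hdparm -I` output.

Added example, not code from the original article. The sample below is a
constructed copy of the "Security:" section that hdparm prints on Linux; field
wording can differ between hdparm versions, so compare with your own output.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `hdparm -I /dev/sdX` (only the lines that matter here)
SAMPLE_HDPARM_I = (
    "ATA device, with non-removable media\n"
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)

@dataclass
class SecurityState:
    supported: bool = False        # ATA security feature set present
    enabled: bool = False          # a user password is already set
    locked: bool = False           # drive is locked and needs its password
    frozen: bool = False           # security commands rejected until unfrozen
    enhanced_erase: bool = False   # ENHANCED SECURITY ERASE UNIT available
    erase_minutes: Optional[int] = None
    enhanced_minutes: Optional[int] = None

_TIME_RE = re.compile(r"(\d+)\s*min for (ENHANCED )?SECURITY ERASE UNIT")

def parse_security(hdparm_output: str) -> SecurityState:
    """Extract the Security block; it ends at the next non-indented line."""
    state = SecurityState()
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if in_section and raw and not raw[0].isspace():
            break
        if not in_section:
            continue
        line = " ".join(raw.split())   # collapse hdparm's tab layout
        if line == "supported":
            state.supported = True
        elif line == "supported: enhanced erase":
            state.enhanced_erase = True
        elif line in ("enabled", "not enabled"):
            state.enabled = line == "enabled"
        elif line in ("locked", "not locked"):
            state.locked = line == "locked"
        elif line in ("frozen", "not frozen"):
            state.frozen = line == "frozen"
        for m in _TIME_RE.finditer(line):
            if m.group(2):
                state.enhanced_minutes = int(m.group(1))
            else:
                state.erase_minutes = int(m.group(1))
    return state

def erase_readiness(state: SecurityState) -> Tuple[bool, str]:
    """Decide whether the erase procedure can start, and why not if it cannot."""
    if not state.supported:
        return False, "drive does not report the ATA security feature set; use another sanitization method"
    if state.frozen:
        return False, "security is frozen (commonly done by the BIOS at boot); a suspend/resume cycle or hot-plug usually unfreezes it"
    if state.locked:
        return False, "drive is locked; it must be unlocked with its password before an erase"
    if state.enabled:
        return False, "a user password is already set; use that password instead of NULL in the erase commands"
    mode = "enhanced" if state.enhanced_erase else "normal"
    return True, f"ready for {mode} secure erase"

def erase_commands(device: str, state: SecurityState) -> List[List[str]]:
    """The usual two-step hdparm sequence: set a temporary password, then erase."""
    erase_flag = "--security-erase-enhanced" if state.enhanced_erase else "--security-erase"
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", "NULL", device],
        ["hdparm", "--user-master", "u", erase_flag, "NULL", device],
    ]

if __name__ == "__main__":
    # Pass a file containing saved `hdparm -I` output, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HDPARM_I
    st = parse_security(text)
    ok, why = erase_readiness(st)
    print(f"{'READY' if ok else 'NOT READY'}: {why}")
    if ok:
        print("Commands to issue (not executed by this script):")
        for argv in erase_commands("/dev/sdX", st):
            print("  " + " ".join(argv))
```

Issue the printed commands only after confirming the device name and unmounting the drive. The `NULL` password is the conventional temporary password from the hdparm ATA erase procedure, and a drive that reports `frozen` will reject `--security-set-pass` until it is unfrozen, which is the most common reason the procedure stalls on a workstation.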

Cryptographic Erase

The effectiveness of crypto-erase facilities can vary. In some cases, only the key is purged, leaving all data intact and unencrypted on the drive. Host-based software encryption can be performed again on a drive where static data may exist. If the expectation is that all data will be purged, encryption should be done with a unique key on acquisition of the drive, never relying on static keys embedded in software, operating systems, or user-created keys. If the SED supports it, the best way to ensure the data is purged is to crypto-erase all drives and delete any stored keys. A less secure option is to apply a secure erase command. This will remove the key and effectively make the data irretrievable, but does not actually erase the data. Static CSR keys should again be deleted to make future data retrieval impossible. Static data should never be stored on a drive that may require deletion. An effective method to remove data that has not been cryptographically erased is to physically destroy the media.

When using off-the-shelf hardware encryption, critical data is scrambled so that it is unreadable except on the original platform or with knowledge of the encryption algorithm and cipher key. By eliminating the key, the data is effectively destroyed. The entire drive can be securely erased in an instant by erasing the media encryption key. SES-3 provides a standard command to invoke a rapid key purge. This crypto-erase feature is typically supported by SEDs. Some SEDs offer a crypto-erase pin on the drive, which may be a button or a small keypad. When the crypto-erase pin is applied, power cycling the drive is all that is required to erase the drive’s media and regenerate a new media encryption key. This makes the drive unusable until a new encryption key is applied.
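The following Python model, added here as an illustration of the point made in the introduction and in this section rather than code from the article or any drive vendor, shows why erasing the media encryption key (MEK) destroys the data while an ordinary delete does not, and how an SED-style key hierarchy (MEK wrapped under a key-encryption key, KEK) makes the erase instantaneous. The cipher is a toy HMAC-SHA256 keystream standing in for the drive's AES engine, and `ToyDrive` and its method names are constructions for this example.

```python
"""Cryptographic erase in miniature.

Added example, not code from the original article or from any SED firmware.
A toy cipher (HMAC-SHA256 keystream plus an HMAC tag) stands in for the
drive's AES engine so the script needs only the standard library; the key
hierarchy and the erase step are the point, not the cipher.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError under the wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

class ToyDrive:
    """Media plus a key slot holding the media encryption key (MEK) wrapped
    under a key-encryption key (KEK), mimicking an SED's key hierarchy."""

    def __init__(self, kek: bytes):
        self.kek = kek
        self.media = bytearray()                    # ciphertext lives here
        self.directory = {}                         # name -> (offset, length)
        self.key_slot = bytearray(seal(kek, os.urandom(32)))   # wrapped MEK

    def mek(self) -> bytes:
        return unseal(self.kek, bytes(self.key_slot))

    def write_file(self, name: str, data: bytes) -> None:
        blob = seal(self.mek(), data)
        self.directory[name] = (len(self.media), len(blob))
        self.media += blob

    def read_file(self, name: str) -> bytes:
        off, ln = self.directory[name]
        return unseal(self.mek(), bytes(self.media[off:off + ln]))

    def delete_file(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes; ciphertext stays."""
        del self.directory[name]

    def crypto_erase(self) -> None:
        """Overwrite the wrapped MEK and install a fresh one. The old
        ciphertext is untouched, but no key that can decrypt it exists."""
        self.key_slot[:] = os.urandom(len(self.key_slot))   # scrub old key
        self.key_slot[:] = seal(self.kek, os.urandom(32))   # brand-new MEK

def demo() -> dict:
    drive = ToyDrive(kek=os.urandom(32))
    drive.write_file("customer.db", b"account records")   # constructed data
    off, ln = drive.directory["customer.db"]

    drive.delete_file("customer.db")
    # A forensic read of the same sectors still yields plaintext: the key lives on.
    after_delete = unseal(drive.mek(), bytes(drive.media[off:off + ln]))

    drive.crypto_erase()
    try:
        unseal(drive.mek(), bytes(drive.media[off:off + ln]))
        after_erase = "recovered"
    except ValueError:
        after_erase = "unrecoverable"
    return {
        "after_delete": after_delete,
        "after_erase": after_erase,
        "ciphertext_still_on_media": len(drive.media) == ln,
    }

if __name__ == "__main__":
    print(demo())
```

Two caveats the article itself raises are visible in the model: the erase is only as strong as the assurance that no other copy of the MEK exists (in host software, backups, or an exported key store), and the ciphertext physically remains on the media after the erase, which is why the article recommends following cryptographic erasure with physical destruction for the most sensitive media. A real SED generates and regenerates the MEK inside its controller and never exports it, which is what makes its crypto-erase trustworthy.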

Data Sanitization

In recent years, a great deal of work has emerged under the broad heading of data sanitization. The term is used generically to describe any process in which data is deleted or overwritten in some way so that it is not accessible in its original form. This includes wiping data from the free space on a disk where it may previously have been deleted, moving data to ensure that it cannot be retrieved in its original location or format, and, where need be, destroying the media on which the data is stored, e.g., shredding a hard disk. Data sanitization techniques can be broken down into three groups: physical destruction, cryptographic erasure, and logical file destruction. The key to cryptographic erasure is to make data unreadable by using advanced algorithms to scramble the contents of a storage device so that it is impossible to retrieve the data. When a cryptographic key is erased, only the key used to encrypt the data is destroyed; the encrypted data becomes unreadable while the storage device remains usable. Crypto shredding, on the other hand, is the process of shredding a file after it has been encrypted; in theory the file is already unreadable, but shredding the data is said to add a second layer of security to ensure that it cannot be reconstructed. This has been used successfully in the past by various US government agencies for storing extremely sensitive data.

Physical Key Removal Techniques

Crushing is a technique commonly used by large IT organizations with a great many hard drives to dispose of. This may include data centers or large corporate offices. The method involves a large press that crushes the entire hard drive to the point where the platters are physically cracked and broken. Depending on the nature of the press, the hard drive may be mangled to the point where it is unrecognizable as a hard drive. This method is quite practical when a large volume of hard drives needs to be disposed of, and it is relatively inexpensive. The key to success with this method is ensuring that the platters are broken to the point where they cannot be physically restored. This is necessary to ensure that there is no possible way to retrieve the key from the damaged platters.

Degaussing is an electromagnetic method of destroying data that is performed on a large scale. It is often used for the destruction of tapes and has been more recently adapted to work with hard drives. A hard drive contains a disk with platters covered in a magnetic data storage layer. The degausser works by applying a very strong magnetic field to these platters, effectively magnetizing them to the point where the stored data is erased and the platters are left in a demagnetized state.

Another technique of key removal is “shredding”: the process of mechanically “pulverizing” the hard drive into small pieces. This method is more often than not carried out externally by a third-party hard drive destruction service. Because of the delicacy of the operation, the hard drive has to be dismantled and the platters removed. This is a key advantage of this and the following methods: the likelihood of 100% key destruction is far greater once the platters are removed. The actual method of shredding varies from service to service, with some using hammer mills or slice-and-dice methods. While this method is quick and the most certain to succeed, the downside is that it can be quite expensive, particularly for one or two hard drives.

Shredding

This method of damaging media involves the use of machines designed to physically mangle the storage medium. These range from stand-alone units for small to medium-sized projects to larger units that can be used on a continuous basis by operators trained to dismantle storage devices. A number of manufacturers offer smaller machines intended for on-site use by system administrators. The most appropriate machine for a given situation depends on factors such as the form factor and quantity of media, and whether it will be used to generate revenue as a service to others.

Stand-alone units include manual disintegrators, which require hand feeding with the aid of a clearing device. Disintegrator-equipped console hard drives can also be degaussed prior to disintegration, allowing the degaussing unit to be used as an effective diagnostic tool. The NSA has evaluated the use of a continuous-duty disintegrator to handle 2,000 drives per hour, with an end product of particles 2 mm square. The most cost-effective option is generally a shredder with a stated EDP durability. This allows rented units to be employed on a project as needed, without exceeding a certain cost. High-EDP-durability drives can be shredded a few at a time as they are removed from service over a longer period.

Shredding has been evaluated for various media in the past. A recent study of shredding hard drives has provided very useful data on the efficacy of shredding with regard to subsequent physical data recovery. Shredding magnetic disks and diskettes is a very effective means of rendering the data irrecoverable, owing to the random distribution and orientation of the magnetic domains. In contrast, some types of tape and optical media may potentially be reconstructively mined using scanning electron microscopy and other sophisticated techniques.

A symbol of the potential threat is a 16-year-old boy who was able to read erased data from a CD-R using a $15,000 infrared microscope he constructed. He found that erasure left the data in a reversible state, and state-of-the-art recovery services may be able to exploit this to recover data from some erasure methods. Successful erasure of media that may contain sensitive or classified information should be followed by careful inspection of a sample of the erased media, and if there is any doubt it should be slated for destruction. A decision to destroy any media should take its environmental impact into consideration, and recycling options should be weighed against the potential for data recovery.
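The sample inspection of erased media mentioned above can be automated for media that was overwritten rather than physically destroyed. The Python script below is an added example (not from the original article): it takes a disk image, samples sectors at random, and classifies each as matching the overwrite pattern, random fill, or residual structured data. The image is constructed inside the script with a deliberately missed region so the check has something to find; `inspect_image`, its sector size and its entropy threshold are this example's own choices.

```python
"""Sampling inspection of overwritten media.

Added example, not from the original article. It constructs a small disk
image that was "zero-wiped" except for two regions and checks a random sample
of sectors (or all of them) for anything that does not look like the wipe.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Optional

SECTOR = 512            # bytes per sector in this model
RANDOM_THRESHOLD = 7.0  # Shannon entropy (bits/byte) above which data looks random

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_sector(sector: bytes, pattern: bytes = b"\x00") -> str:
    """'pattern' = wipe pattern; 'random' = random fill or ciphertext;
    'residual' = structured data that survived the overwrite."""
    if sector == (pattern * (len(sector) // len(pattern) + 1))[:len(sector)]:
        return "pattern"
    if entropy(sector) >= RANDOM_THRESHOLD:
        return "random"
    return "residual"

def build_constructed_image(rng: random.Random, total_sectors: int = 4096) -> bytes:
    """Constructed test image: all zeros, except a block of customer records
    the wipe 'missed' (sectors 1000-1099) and a block of random fill (3000-3009)."""
    image = bytearray(total_sectors * SECTOR)
    record = b"CONFIDENTIAL: customer 0001, card ending 4242\n"   # constructed
    filled = (record * (SECTOR // len(record) + 1))[:SECTOR]
    for i in range(1000, 1100):
        image[i * SECTOR:(i + 1) * SECTOR] = filled
    for i in range(3000, 3010):
        image[i * SECTOR:(i + 1) * SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return bytes(image)

def inspect_image(image: bytes, samples: Optional[int] = None, seed: int = 0,
                  pattern: bytes = b"\x00") -> Dict[str, object]:
    """Classify a random sample of sectors (every sector if samples is None)."""
    total = len(image) // SECTOR
    rng = random.Random(seed)
    indices = range(total) if samples is None else sorted(rng.sample(range(total), min(samples, total)))
    counts: Counter = Counter()
    residual: List[int] = []
    for i in indices:
        kind = classify_sector(image[i * SECTOR:(i + 1) * SECTOR], pattern)
        counts[kind] += 1
        if kind == "residual":
            residual.append(i)
    return {
        "inspected": len(indices),
        "pattern": counts["pattern"],
        "random": counts["random"],
        "residual": counts["residual"],
        "residual_sectors": residual,
        "verdict": "fail" if residual else "pass",
    }

if __name__ == "__main__":
    img = build_constructed_image(random.Random(7))
    print(inspect_image(img, samples=256, seed=1))   # quick sample
    print(inspect_image(img))                        # exhaustive check
```

A sampled pass only bounds the fraction of sectors that may still hold data, so treat a sample as a screening step and an exhaustive read as the acceptance check; any residual sector is grounds for the destruction the article recommends. Random-looking sectors are reported separately because on a drive that was encrypted they are expected, whereas on a plain zero-wiped drive they indicate the wipe did not cover that region.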

Degaussing

When a magnetically charged particle is placed within a magnetic field, which need not be very powerful, the particle aligns itself with the field. When the field is removed, the particle retains the same direction until a new force is applied to it. The larger the magnetic field, the more aligned the particle becomes and the stronger the force must be to change its direction. Gauss’s law states that magnetic information is stored at a density of 1000-2000 bits per inch on a coated two-sided floppy disc, which is equivalent to a magnetic field strength of 750-800 oersted. This is important because it defines the force necessary to remove magnetic information from a medium. To completely remove all magnetic information, the medium must be subjected to a field greater than the field that currently holds the information, thus ensuring its total removal. This is where newer hard drives have posed problems for complete data removal. High-density disk media, and the ability to cram more and more data into less space, have meant that the force required to remove the data comes dangerously close to that which will damage the medium. An example is a perpendicular-recording drive that writes 2000 bits of data in the space of 1 square micron; removing the data from this drive would require a field so strong that it would erase the servo tracks as well. Degaussing works by passing a medium such as a tape or hard disk drive through a very strong magnetic field in order to randomize the magnetic orientation on the medium and render it unreadable. Certain types of RAM chips can also be destroyed by degaussing. Although there are software programs that claim to be able to recover data from a drive that has been degaussed, it is highly unlikely that any information would be readable. High energy levels from a degausser can also erase and damage an entire drive; it is a guaranteed way to destroy data but can be costly if the drive must be repaired or replaced.

Crushing

To fully destroy the platters and make data recovery impossible, it is best to remove the hard drive and place it on a hard surface. Strike the top of the hard drive with successive forceful blows of a screwdriver until the outer casing is dented. With the drive still in one piece, strike it at various angles until the casing is almost cut in half. Once a secure area has been prepared, place the drive on the ground and cover it with a protective cloth. Proceed to hit the hard drive with forceful overhead blows until the “crunching” sounds cease. Data recovery is now impossible, and the drive can be disposed of in an environmentally safe way by removing the printed circuit boards and rare-earth neodymium magnets for recycling. Keep in mind that this method can create an excessive amount of airborne particulate; the drive should be covered and handled carefully.

Crushing, one of the physical key removal techniques, requires no special tools and is an oft-used form of hard drive destruction. It is a method for home users or small businesses, although it is often insufficient for the destruction of a great deal of data. The major problems for the uninitiated are the potential re-use of the drive and the release of hazardous materials if the hard drive is not fully physically destroyed. This method can also be used for the destruction of a single drive on the shop floor. It is the least secure of the physical destruction methods because data can still potentially be recovered after destruction. However, we would recommend it for users who require data destruction but are looking to recycle the drive for alternative uses such as storage, in which case the nature of HDD recycling takes care of the rest.

Disintegration

Anvil or crushing: unskilled labor could perform this method on just about any type of hard drive, and it has certain important impacts. Since there is likely no salvage market for hundreds of aluminum shards, this is often used for media that has become less sensitive after its declared end of life, such as a medical image archiving system. There is quite a cost difference between crushing 10,000 tape cartridges and separating out the media containing classified government records. So the government record media would be destroyed with a lesser-impact method such as shredding.

Disintegration is the process of taking a hard drive from its whole form and turning it into pieces or granular form. This data destruction method is most valuable for highly sensitive or classified information when there is certainty that the media will not be reused or reintroduced into the market. The disintegration process can be used to destroy any type of media (e.g., optical, magnetic) and ensures that the storage media is rendered completely unusable. There are many different ways to disintegrate media, but the end state of the media being unrecoverable does not change. Some of the methods may include using an anvil to deform the hard drive or a press that places thousands of pounds of force on the media. With that in mind, we’ll discuss a couple of different methods and their potential impacts on the market, since if it is certain that the media will not be used again, it has served its purpose.