Do secure erase technologies available on different types of media set a status or verification flag?
Is there a industry standard to verify when a drive has gone through the process?
Asked
Active
Viewed 565 times
2 Answers
0
First question: YES and NO
- Depending on the specifications of your device (whether it has an SSD or HDD), you may have access to different erase methods (or sanitization methods). These methods can include write verification, multiple passes, and even the application of specific patterns (such as all 00s) during the final pass. An example of a sanitization method is DoD 5220.22-M and its variants. For more information on some of these sanitization methods, you can refer to: https://www.lifewire.com/data-sanitization-methods-2626133.
- Using a method that appends a distinctive pattern (such as 00 or any other chosen pattern) during the final pass is highly advantageous when desiring additional "manual" confirmation of the successful completion of secure erase (SE) process. This could be easy done via command line ( assuming a Linux shell and a SATA disk):
dd if=/dev/sda bs=1M | tr -d '\0' | read -r -d '' && echo "Disk contains non-zero data" || echo "Disk only contains zeros"
Second question: MORE or LESS (ahah sorry for that^^)
No "industry standards", but rather a NIST "guideline" (which could potentially become a standard if mandated by your specific industry). Please refer to the NIST publication at this link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
On page 20 (of NIST SP 800-88r1 document),you will find the guideline concerning the "verification of sanitization results" which explains the principles and requirements of erasure verification. This requirement can be easily satisfied by utilizing a known simple pattern for verification (refer to point 2).
However, it is worth noting the presence of CE (cryptographic erasure), another erasure technique that proves highly effective for modern SSDs featuring internal encryption mechanisms. However, it is important to consider the pros and cons of CE, as its suitability may not be readily apparent in certain cases (e.g critical industries and cybersecurity concerns), as extensively explained in the NIST SP 800-88r1 guidelines.
Hope it helps.
0
NVMe base spec does define a field in the Sanitize Status Log which indicates whether the drive has ever been sanitized. Look for SSTAT in the spec file which is publicly available.
With that said, the Sanitize command is just one of the commands defined in the spec that can be used to wipe a drive. Another example would be the Format NVM command, in which a Secure Erase Settings (SES) field is defined for the user to request a desired Secure Erase operation. The SSTAT field is most likely not changed if the drive was wiped with this command instead, regardless of the value set in the SES field. (Btw, I am not so sure in most consumer grade drive, value of the SES field actually makes a difference behind the scene.)
The Sanitize feaure set introduced in more recent ATA/ACS spec also seem to have a field in its command output to indicate whether a sanitize operation has been completed without error (i.e., it is not clearly defined whether a new drive should have the bit set).
Tom Yan
- 10,996