Cryptographic Erase – Using Crypto as a Disk Sanitization Technique
By: Andy Pantelli
If like me your world is digital, from music to documents, from videos to e-books, contacts, calendars, databases, lists, charts, reports or graphs. Whatever the purpose and whatever the format, as individuals or enterprises all our data is mostly, if not entirely in digital form. Alongside this we are now consuming SaaS applications such as Spotify, OneDrive, Google Drive, Dropbox to name but a few of the leading service providers that allow us to access our digital content from any internet connected device. In using these services, and by having so much critical data in digital form this brings with it challenges such as securing data at rest, data in transit, and then finally data sanitization. With our data moving across so many different domains and security boundaries how can we be truly sure that any data that we want to be permanently deleted is gone for good to ensure confidentiality2?
NIST Special Publication SP 800-88r1 titled “Guidelines for Media Sanitization” provides information and guidance to erase data from electromagnetic media with the aim of sanitizing media so that any and all data cannot be recovered once the storage medium is decommissioned or reaches end-of-life. Whilst only being a framework NIST is widely adopted within enterprises.
Summarising with a Background Guideline:
“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”
File systems and sanitation overview
Operating systems use file systems including FAT32 & NTFS in the Microsoft Windows OS, with Linux having EXT2, EXT3 EXT4, & XFS. Both of which make use of disk blocks, free block lists, block tables and meta data tables. When data in the block is marked for deletion by the user the block is marked with a special character indicating to the Operating System that the block is available for data to be written to.
The actual data within the block remains until such time as new data is written to it. File system data structures may be named differently in versions of Windows, Linux & MacOS but the behaviour generally remain the same with ‘deleting’ data being simply being marked as ‘deleted’ without actually wiping the data. With modern disk drives today having immense capacities it may be some time before the ‘deleted’ block will be overwritten which exposes that data to an adversary using digital forensics. Data that is recoverable after a deletion operation is known as Data Remanence.
Multiple methods exist to permanently erase data including techniques which are preconceived to be effective, one such method is formatting a disk. The process of formatting a Disk is often misunderstood with the preconception that the process will remove all the data on the disk. By default, formatting a disk will leave most if not all of the data.
Formatting is the process of preparing a storage medium for use, and with it the creation of one or more file systems as previously discussed. The process will create a file system and mark the space free for writing data, erasing, or wiping data usually consists of marking memory as available but does not actually ‘wipe’ or ‘erase’ data. The options of sanitizing storage medium include Clear, Purge & Destroy.
Clear
This method uses logical techniques to sanitize the data in addressable storage locations to prevent against simple recovery techniques. Typically applied by using Read and Write commands, this involves overwriting data by replacing the 1’s and 0’s that represent data on the storage medium with random or fixed patterns of 1’s & 0’s. This should be done more than once using multiple passes using a standard such as the US Department for Defence (DoD) 5220.22-M, this method uses 3 passes with the first overwriting addressable locations with binary zeroes. The second pass overwrites all addressable locations with binary ones, then lastly the third pass will overwrite all addressable locations with random bit patterns. Finally, the final overwrite pass verifies the process.
Purge
This method varies depending upon the type of media that includes, Overwrite, Block Erase & Crypto Erase. Destructive techniques also render the medium Purged by using incinerations, shredding, disintegrating, pulverising & degaussing.
Destroy
Complementing the PURGE method, the destruction of storage medium is the most effective way of ensuring that the possibility of data remanence does not exist. Along with the methods already detailed exposing medium to a corrosive chemical will also render the storage unusable.
Self-encrypting drives
Self-Encrypting Drives, also known as SEDs have natively integrated encryption and access control features built in to storage mediums. This features ‘always on’ encryption which reduces the possibility of unencrypted data remaining on the medium. The feature cannot be manually controlled nor ‘turned off’ by the user of the storage. SEDs primary purpose, and in scope of the original design was to protect ‘Data at Rest’(1) which we referenced in the opening section. We are now seeing SEDs being deployed solely for their crypto erase functionality which can quickly and easily wipe a disk drive if it needs to be retired or even repurposed. Simply changing the encryption key (password) renders the data unreadable, ever. A crypto erase can be done in seconds for any size disk.
Crypto erase
Officially recommended by standards bodies NIST & ISO/IEC 27040, cryptographic erase is defined by NIST as:
A method of sanitization in which the media encryption key (MEK) for the encrypted Target Data is sanitized, making recovery of the decrypted Target Data infeasible.
The goal of data deletion is confidentiality as defined in the CIA Triad. With the use of Cryptographic Erase we can ensure that any data we wish to be permanently inaccessible cannot be recovered, retrieved or accessed in any way by deleting the encryption key. Without the encryption key used to encrypt the data we can effectively sanitize the data in a fraction of the time taken to overwrite data, and with greater confidence. The popularity of SEDs in recent times is in part due to the crypto erase feature combined with manufacturers provided tools to accomplish deletion of the encryption key crypto erase is now simple, efficient and quick way for even non-technical users to ensure that their confidential data remains just that – confidential.
