HPE Community
BladeSystem - General
1753784 Members
7272 Online
108799 Solutions
New Discussion

Securely wipe data from SSDs

 
chuckk281
Trusted Contributor

‎08-05-2015 08:32 AM

‎08-05-2015 08:32 AM

Securely wipe data from SSDs

James had a question form a customer regarding wiping data from Solid State Drives (SSDs)

 

*************

 

We have a customer who is in the process of buying a large order of Gen9 BL460/660 and DL360/380 based servers with onboard SSDs connected through Smart Array controllers.   The customer is interested in being able to securely wipe these SSDs for compliance reasons.  The HP Smart Storage Administrator can perform a drive erase using various patterns including the following options:  

zero|random_zero|random_random_zero|crypto|block|overwrite

 

A few questions around this-

  1. Does anyone know what the above patterns translate to in terms of DOD erasure standards? 
  2. Given that the SSD write algorithm spreads wipes across all available bits, does the traditional 7-pass DOD method still work, and are there any other nuances to consider in wiping an SSD?
  3. As the M.2 SSDs connect through the B140i Dynamic Smart Array Controller (rather than traditional P-series Smart Array Controllers) what is the procedure for wiping them?

 

Thanks in advance for any assistance.

 

**************

 

Lots of info came back:

 

************

 

From Norman: 

I suggest you enable Secure Encryption on the P244br controller to address multiple issues associated with using the old strategy of running DRIVE WIPE utilities.

 

The price for Secure Encryption license is a rounding error when compare to the combined cost for DMR services, administrative labour as well as risk to the customer’s business and reputation.

 

Planned Decommissioning Process

 

Performing 3X or better write pattern to disk takes a LONG time to complete. Plus there is whole discussion as to whether the drive wiping technique is truly effective for large capacity drives.

 

HP’s Secure Encryption’s Instant Volume Erase feature allows you to cryptographically erase volumes instantaneously.

 

Failed Embedded Drive Controller

 

In the rare case where the drive’s embedded controller fails, the use of wiping tools is not effective since it can’t see the storage media. Customer would have to resort to holding the drive for destruction, which can be very costly due to the end-to-end auditing process.

 

HP’s Secure Encryption process ensures that the volume(s) of data on the physical drive are left encrypted. Just replace the drive upon failure.

 

Degraded Drive Replacement

 

From a practical perspective, even if you immediately identify the drive has degraded (via HP pre-failure alerting), you would have to immediately coordinate the wiping of the disk (requires administrator action) and then coordinate the physical replacement of the drive ASAP to minimize the risk of outage due to the degraded status of the RAID 1 volume(s).

 

HP’s Secure Encryption process only requires you to replace the drive at the first opportunity. No utilities to run. No coordination of effort. No administrative action required… just a field technician.

 

Drive Wiping is not comprehensive enough

 

This strategy does not address the data that may be on the cache module, for those that are really paranoid/cautious about their data. FYI… we do offer enhanced Deffective Media Retention (DMR) services that cover data that is stored on ANY type of memory device, not just failed drives.

 

HP Secure Encryption architecture encrypts the data on the cache module … right down to all HDD/SSD drives. Replacing a controller or cache module will not circumvent security requirements.

 

Input from Dan: 

But seriously, the SATA SSDs SHOULD adhere to the spec which includes a command called “ATA Secure Erase”.

Basically this does a 1 pass reset of every NAND flash chunk in the entire drive.

Because NAND Flash Memory stores your data as varying levels of voltage in a cell, flooding every cell with voltage via this reset should be enough to guarantee that there is no way of retrieving data.

 

Personally, I would reach out to someone on the Fed Sales team and see what your 3 letter agencies are doing, or track down the DoD website where the specs are listed and see if they have an SSD spec yet.

 

The other option for Smart Array P series controllers would be to simply perform a full drive/array encryption, let that finish, write a bunch of data so make sure the wear leveling is being used, and then wipe out the encryption key so the data becomes gibberish.

 

*************

 

Any other comments?

 

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.