When securely erasing disks, who are you trying to stop?
Various people, us included, periodically have the need to securely dispose of disk drives that we no longer need or want, where by 'securely' we mean that people shouldn't be able to get our data from the drives after we've gotten rid of them. Often there are questions of what you need or want to be doing in order to achieve this security. In my view, part of the answer depends on who you want to stop from getting your data (and how many resources you think they have).
(I'm not sure this should be called a threat model, but it's the same sort of general idea.)
So here is my take on multiple levels of threat you might face, from the most common to the rarest (assuming that you're starting from working drives before you begin disposing of them).
- Someone who gets their hands on your disks (either buying them second hand or picking them up from somewhere), sticks them in a computer, and tries to read them. This used to happen all of the time; people would buy surplus disk drives (or entire computers) from eBay, plug them in, and all sorts of sensitive data would come flying out.
If this happens today people will be very upset at you, and for good reasons, because this is basically 'Hardware Disposal 101'. Everyone should know you can't just turn computers off then toss them out the door; you have to do something to make it so your data doesn't leak out with them.
- People who can put drives into a special factory mode that allows access to low-level data reading commands. On SSDs this will probably allow them access to reserved space and blocks that have been discarded but not yet erased.
I believe that at least some data recovery services have this capability, so you're also effectively worrying about people who can send your old drives to a data recovery service and talk them into having a go at it. Thus, you should probably assume that any actual attacker is at this level (as opposed to people who just picked up some of your drives and are curious what they'll see).
In general, data recovery services go some way to making it so that an attacker mostly needs money (and your drives) instead of good technical capabilities. Attackers can to some extent outsource the technical expertise, assuming they can find a suitable firm and the firm is willing to work for them on your drives.
- People who can load custom firmware onto drives, giving them at least as much access as the most powerful factory mode (regardless of what the drive's normal factory mode supports). These people can definitely read all of the raw storage (flash or spinning rust) and otherwise exert very low level control over the drive. Sometimes, or perhaps often, the drive's standard factory mode will make loading your own firmware unnecessary, so this may basically be the same as the previous level.
- People who can directly read data from any intact physical storage, either flash chips or hard drive platters. These people (probably) don't need the controller to be intact and operable, so even physical damage or destruction of it alone isn't enough. For example, these people wouldn't be stopped if you drilled holes in an SSD's PCB and snapped it apart, as long as the flash chips are still fine.
- People who can directly read (some) data even from partially damaged physical storage, such as drilled (or snapped) hard drive platters or a partially damaged flash chip. To stop these people you need either complete physical destruction or for the data that's on the storage to be useless, for example because it's encrypted and you've destroyed the encryption keys.
(There is a related dimension of how much repair people can do to disk drives that you've deliberately damaged. A data recovery firm that's given a decent amount of money might be able to repair moderate damage, like a snapped SSD PCB, and then go on to recover data from it.)
As mentioned, not stopping the first sort of people from getting at your data is basic negligence by this point. You absolutely have to do that much. On the other extreme, against the last level of people any method of destroying a disk drive that isn't using a feature specifically designed to securely erase its data is probably not good enough. On the other hand, you're probably not going to be targeted by such people, and if you are being targeted by them the Mickens 'Mossad' rule (also) probably applies.
Modern SSDs have (S)ATA secure erase (also) and NVMe secure erase features that, if implemented properly, will normally protect you against everyone. As mentioned, the most certain approach is competent host level encryption where you do your best to totally destroy the real underlying encryption keys (which haven't always been the keys you enter yourself), and then probably you also do an SSD level secure erase. However, all of this requires the drive to be in working order; if the drive has failed already and you're worried about someone bringing it back to life and getting your data, you may have a problem (although host level encryption may still save you).
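Before issuing an SSD level secure erase you want to know what the working drive actually offers and whether the erase can be issued at all. The following is an added example, not code from the original post: it parses the Security section of `hdparm -I` output and the `sanicap` line of `nvme id-ctrl` output, then prints the disposal steps in the order the text recommends (destroy host encryption keys first, then the drive's own erase). The sample outputs are constructed, the device names are placeholders, and the choice of block erase over crypto erase for NVMe is an assumption of this example.

```shell
#!/bin/sh
# Classify a working drive's secure-erase features before disposal.
# Constructed sample outputs; replace with real `hdparm -I` / `nvme id-ctrl` output.

# Constructed: Security section of `hdparm -I /dev/sdX` for a drive that supports
# enhanced erase but has been frozen by the BIOS at boot (a common state).
SAMPLE_ATA="$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n')"

# Constructed: the sanicap line of `nvme id-ctrl /dev/nvme0`.
# NVMe SANICAP bits: bit 0 = crypto erase, bit 1 = block erase, bit 2 = overwrite.
SAMPLE_NVME="sanicap   : 0x3"

# Prints one of: unsupported | frozen | enhanced | normal
ata_erase_state() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*supported[[:space:]]*$' || { echo unsupported; return; }
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*frozen' && { echo frozen; return; }
    printf '%s\n' "$sec" | grep -q 'supported: enhanced erase' && { echo enhanced; return; }
    echo normal
}

# Prints the sanitize actions the controller advertises, e.g. "crypto block".
nvme_sanitize_modes() {
    cap=$(printf '%s\n' "$1" | sed -n 's/^sanicap[[:space:]]*:[[:space:]]*//p')
    cap=$((cap))                       # shell arithmetic accepts the 0x prefix
    modes=""
    [ $((cap & 1)) -ne 0 ] && modes="$modes crypto"
    [ $((cap & 2)) -ne 0 ] && modes="$modes block"
    [ $((cap & 4)) -ne 0 ] && modes="$modes overwrite"
    echo "${modes# }"
}

# $1 = ata|nvme, $2 = tool output, $3 = device (placeholder). Prints the steps.
disposal_plan() {
    echo "cryptsetup luksErase $3   # if host-encrypted: destroy every keyslot first"
    case $1 in
    ata) case $(ata_erase_state "$2") in
        frozen)   echo "drive is frozen by the BIOS: unfreeze (e.g. suspend/resume) and retry" ;;
        enhanced) echo "hdparm --user-master u --security-set-pass NULL $3"
                  echo "hdparm --user-master u --security-erase-enhanced NULL $3" ;;
        normal)   echo "hdparm --user-master u --security-set-pass NULL $3"
                  echo "hdparm --user-master u --security-erase NULL $3" ;;
        *)        echo "no ATA security feature set: rely on encryption or physical destruction" ;;
        esac ;;
    nvme) case " $(nvme_sanitize_modes "$2") " in
        *" block "*)  echo "nvme sanitize $3 --sanact=2   # block erase: flash blocks really erased" ;;
        *" crypto "*) echo "nvme sanitize $3 --sanact=4   # crypto erase: drive discards its media key" ;;
        *)            echo "nvme format $3 --ses=1        # fallback: user data erase" ;;
        esac ;;
    esac
}

disposal_plan ata "$SAMPLE_ATA" /dev/sdX
disposal_plan nvme "$SAMPLE_NVME" /dev/nvme0
```

Run it against the real command output once the drive is unfrozen; a `frozen` result means the erase command will simply be rejected until you unfreeze the drive.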
PS: As far as I know, once an SSD has erased a given flash block, the data in that block is irretrievably gone (cf, also). This is different from (some) hard drive technologies, where magnetic echoes of old data could remain potentially detectable even after a sector had been rewritten.