This page is a Systems Administration Procedure controlled by SecurityManual#Retirement (wip) policy.
Critical data drives
The following procedure should be used to secure all sensitive data on a hard disk drive used for CAcert critical purposes. Notes:
- Critical drives are ones used in the critical systems, or have had critical data on them (passwords, root keys, user data). This includes USB/flash memory sticks and similar.
- Participants must be Assurers, which is the general qualification required for making strong claims for reliance by the Community.
Part 0 -- Zero -- CAcert Systems Administrator
While still on-site (inside the server room at BIT) and before taking out the old drive, zero the data on it by:
# dd if=/dev/zero of=/dev/hdX1 bs=1024k conv=notrunc,noerror
# dd if=/dev/zero of=/dev/hdX5 bs=1024k conv=notrunc,noerror
- two CAcert System Administrators present
- both sysadms should inspect the above lines, both are responsible if you zero the wrong drive!
- After completion of this, remove the old drive and take it off-site for Phase 1.
- Note that zeroing a 40 GB drive can probably be done in 30 minutes, but a 400 GB drive would still require several hours.
- Advise all CAcert System Administrators to zero their physical copies of the passwords to the encrypted file systems on that drive. (Passwords should not be reused.)
Part 1 -- Shred -- CAcert Systems Administrator
Two CAcert Systems Administrators are to do the following:
- Connect the drive to a standalone PC, preferably without any other connected hard drives (in order to minimize the danger of shredding the wrong drive).
- Boot the PC from a CD or DVD with Knoppix v5 or later.
- Start a terminal and become root with the "su" command.
- Invoke the shred command on each partition of the hard drive like this:
# shred -v /dev/hda1
# shred -v /dev/hda5
The above assumes that the hard drive is connected as /dev/hda to the PC, and contains two data partitions: 1 (boot) and 5 (encrypted data), as would be the case for a critical drive setup (as described elsewhere).
- Once done, label the drive as shredded, signed by System Administrator, and date.
- Deliver securely to secure-u (below).
- Post a report in the log (or sysadm mail list).
- Second Assurer is to sign-off on the report.
Notes:
- Two CAcert administrators need to be present at the start and the finish, and sign-off on the completed process.
- The machine plus drive need to be in a location with reasonable security, e.g. a secured office location or a populated home location.
- If the drive to be shredded has media defects that block writing to certain sectors, the above procedure may not run to completion, and another (physical) method will be required to render the remaining data on the drive inaccessible. This means that CAcert Systems Administrators will also need to be present for the secure-u Phase 2 below.
- The -v (verbose) option will show the progress of the shredding procedure, which is useful to get a good estimate of the total time needed to complete the shredding procedure. By starting with shredding the smallest partition (boot), a good prediction can be made of the time needed to shred the (large) encrypted data partition. In practice a time of close to 24 hours has been measured for a 40 GB drive.
- Investigate how good your entropy collection is on the machine. If entropy collection is slow, the shred will be slow, as some passes write random data and can block if the entropy pool empties.
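As an added example that is not CAcert's own tooling, the following POSIX sh script wraps the dd zeroing of Part 0 and the shred of Part 1 with the checks two operators would want before signing off: a refusal to touch a target that does not exist or is currently mounted, a log of who was present and what dd and shred reported (the logfile the report is to carry), and an od-based read-back check that the target contains nothing but zero bytes. The function names, the log path, the operator names and the `count` parameter (used only so a regular file can stand in for a drive when trying the script out) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not a CAcert script: guards the zeroing step of Part 0 and the
# shred step of Part 1, logs what was done for the sign-off report, and verifies
# afterwards that the target reads back as all zero bytes. Assumes a POSIX sh
# with dd, od, tr, grep and (for shred_pass) GNU or BusyBox shred; target,
# log path and operator names are supplied by the caller.

# Refuse a target that does not exist or is currently mounted: a mounted
# partition is almost certainly not the drive being retired.
is_safe_target() {
    target=$1
    [ -e "$target" ] || { echo "refusing: $target does not exist" >&2; return 1; }
    if [ -r /proc/mounts ] && grep -q "^$target " /proc/mounts; then
        echo "refusing: $target is mounted" >&2
        return 1
    fi
    return 0
}

# Part 0: the procedure's dd zeroing pass. With no count, dd runs to the end
# of a block device; count (in 1 MiB blocks) exists only so a regular file can
# stand in for a drive, since /dev/zero never ends.
zero_pass() {
    target=$1; log=$2; operator_a=$3; operator_b=$4; count=$5
    is_safe_target "$target" || return 1
    {
        echo "zeroing $target at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "present: $operator_a, $operator_b"
        if [ -n "$count" ]; then
            dd if=/dev/zero of="$target" bs=1024k count="$count" conv=notrunc,noerror 2>&1
        else
            dd if=/dev/zero of="$target" bs=1024k conv=notrunc,noerror 2>&1
        fi
        status=$?
        echo "dd exit status: $status"
    } >>"$log"
    return "$status"
}

# Part 1: shred with its verbose progress captured in the logfile that the
# 'shredding completed' report is to carry. -z adds a final zero pass so the
# result can be verified by reading the target back.
shred_pass() {
    target=$1; log=$2; passes=${3:-3}
    is_safe_target "$target" || return 1
    {
        echo "shredding $target with $passes passes at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        shred -v -n "$passes" -z "$target" 2>&1
        status=$?
        echo "shred exit status: $status"
    } >>"$log"
    return "$status"
}

# Verification: dump the target as hex and fail if any digit is non-zero.
verify_zeroed() {
    od -An -v -tx1 "$1" | tr -d '[:space:]' | grep -q '[^0]' && return 1
    return 0
}

# Stand-alone use: sh retire_wipe.sh /dev/hdX1 /path/to/logfile "Sysadmin A" "Sysadmin B"
if [ "$#" -eq 4 ]; then
    zero_pass "$1" "$2" "$3" "$4" && verify_zeroed "$1" && echo "zeroed and verified: $1"
fi
```

The read-back check is the slow part on a large drive (it reads the whole device once more), but it is the only evidence the two signing administrators have that the pass actually reached every sector the drive will still let them read; the logfile records the dd and shred summaries for the report.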
Part 2 -- Destruction -- secure-u Administrator
Because of automatic remapping of bad blocks and the solid-state features of modern drives, simply zeroing the data is not enough: the physical drive must also be secured.
Do either of:
- physical destruction meeting SM requirements, or
- secure storage for 5 years.
Notes:
- Once so arranged, the action is to be reported on the log.
- secure-u could provide this service as they are the hardware specialists, but CAcert may designate others. It is CAcert's data and CAcert's responsibility.
- With either two CAcert System Administrators present, or one CAcert and one secure-u Administrator.
Suggested simplified procedure (not agreed as yet)
Wytze suggests: the process of decommissioning a drive from an operational critical server could probably be three steps:
- While still on-site (inside the server room at BIT) and before taking out the old drive, zero the data on it by:
# dd if=/dev/zero of=/dev/hdX1 bs=1024k
# dd if=/dev/zero of=/dev/hdX5 bs=1024k
- two CAcert System Administrators present
- both sysadms should inspect the above lines, both are responsible if you zero the wrong drive!
- After completion of this, remove the old drive and take it off-site.
- Note that zeroing a 40 GB drive can probably be done in 30 minutes, but a 400 GB drive would still require several hours.
- Perform the shredding procedure as originally described, with the output of the shredding process recorded in a logfile to be submitted with the 'shredding completed' report.
- with one CAcert System Administrator present
- Physically destruct drive or transfer it to secure storage, as per Part 2 above.
Physical Destruction
tbd.
Non-Critical data drives
If the Systems Administration officer declares a drive to be non-critical, then it should be:
- Connect the drive to a machine (preferably one with no other drives; this is to protect the other drives from a mistake, not the target one).
- Shred the drive using 7 passes.
- Mark the drive as non-critical, shredded, and date.
- Then, either
- deliver the drive to secure-u for physical retirement, as above Part 2, or
- use the drive in another CAcert secured location (critical or non-critical). If so re-used and later retired, the drive must be retired according to the higher of its uses.
- Post a report in the log (or sysadm mail list).
Notes:
- Non-critical drives can be promoted to critical use, but not the other way around.
- Hardware tools like Secure Erase and Enhanced Secure Erase must not be substituted for the above processes.
- Only reviewed FOSS tools may be used, not commercial or closed source tools.
Further research
The 35-pass Gutmann method suggested in the SM is interpolated from the paper Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann, 1996. There is some criticism that it is overkill. General reading from Wikipedia.
Secure hard disk sanitization, especially its notes on the 33-pass Pfitzner method, seems to back up the Gutmann method.
Heise reports on new research that says only one zeroing pass is needed. This is a paper published at ICISS2008, also as a book chapter and this post.
- NIST 800-88: multiple overwrites are a legacy of pre-2001 hard disks; for post-2001 drives only a single overwrite or secure erase is called for.
Secure Erase method in ATA drives MSDOS program: "Secure Erase also overwrites reassigned blocks and can be up to eight times faster (per CMRR tests). In addition the enhanced SE command qualifies for Federal Government secret data classification erasure."
- (Daniel:) secure erase is quicker - see hdparm options. Also maybe include a hd /dev/hda (or od -h /dev/hda) as verification. It will probably be quicker than a single overwrite.
Physical
David Malone suggests chemicals do not work (although this is mostly a fun project, not serious research; see slide 170):
"Looks like polymer does a good job.
Without polymer, caustic soda might work.
However, might as well file it down."
Magnus suggests Thermite.
PD-4.