This page is a Systems Administration Procedure controlled by SecurityManual#Retirement (wip) policy.

Critical data drives

The following procedure should be used to secure all sensitive data on a hard disk drive used for CAcert critical purposes. Notes:

Part 0 -- Zero -- CAcert Systems Administrator

While still on-site (inside the server room at BIT) and before taking out the old drive, zero the data on it by:

        # dd if=/dev/zero of=/dev/hdX1 bs=1024k conv=notrunc,noerror
        # dd if=/dev/zero of=/dev/hdX5 bs=1024k conv=notrunc,noerror

Part 1 -- Shred -- CAcert Systems Administrator

Two CAcert Systems Administrators are to do the following:

  1. Connect the drive to a standalone PC, preferably without any other connected hard drives (in order to minimize the danger of shredding the wrong drive).
  2. Boot the PC from a CD or DVD with Knoppix v5 or later.
  3. Start a terminal and become root with the "su" command.
  4. Invoke the shred command on each partition of the hard drive like this:

      # shred -v /dev/hda1
      # shred -v /dev/hda5

The above assumes that the hard drive is connected as /dev/hda to the PC, and contains two data partitions: 1 (boot) and 5 (encrypted data), as would be the case for a critical drive setup (as described elsewhere).

  5. Once done, label the drive as shredded, with the Systems Administrator's signature and the date.
  6. Deliver securely to secure-u (Part 2 below).
  7. Post a report in the log (or on the sysadm mailing list).
  8. The second Assurer is to sign off on the report.

Notes:

Part 2 -- Destruction -- secure-u Administrator

Because modern drives remap blocks automatically (and solid-state drives add wear levelling on top of that), overwriting the data is not enough: sectors that have been remapped or retired by the drive are never reached by dd or shred. The physical drive must therefore also be secured.

Do either of:

  1. physical destruction meeting SM requirements, or
  2. secure storage for 5 years.

Notes:

Suggested simplified procedure (not agreed as yet)

Wytze suggests: the process of decommissioning a drive from an operational critical server could probably be three steps:

  1. While still on-site (inside the server room at BIT) and before taking out the old drive, zero the data on it by:

        # dd if=/dev/zero of=/dev/hdX1 bs=1024k
        # dd if=/dev/zero of=/dev/hdX5 bs=1024k

  2. Perform the shredding procedure as originally described, with the output of the shredding process recorded in a logfile to be submitted with the 'shredding completed' report.
    • with one CAcert Systems Administrator present
  3. Physically destroy the drive or transfer it to secure storage, as per Part 2 above.
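The dd and shred steps of Part 0 and Part 1, and the logfile the simplified procedure asks for, can be wrapped in a small script so that the same commands are run every time, the target is checked before anything is written, and the verbose shred output lands in a file for the 'shredding completed' report. The script below is an added example and not a CAcert script; it assumes a POSIX shell with GNU coreutils (dd, shred, tr) and a Linux /proc/mounts. Because it takes a path, it can be exercised on a constructed regular-file image without root or a spare drive; on a real retirement the target is the partition device (e.g. /dev/hdX1) and the dd count is dropped, since dd stops at the end of a block device by itself. The pass count parameter covers the 7-pass requirement for non-critical drives as well.

```shell
#!/bin/sh
# Added example (not the CAcert wiki's own script): wipe one partition as
# Part 0 / Part 1 describe, with a mount check before writing, a check that
# the zero pass reached every byte, and the shred output captured in a log.
set -eu

# Refuse to touch anything that is currently mounted, as a device or as a
# mount point. The standalone-PC step in Part 1 exists to avoid exactly this
# mistake; this is a second line of defence on the same point.
refuse_if_mounted() {
    target=$1
    [ -r /proc/mounts ] || return 0
    if awk -v t="$target" '$1 == t || $2 == t { found = 1 } END { exit !found }' /proc/mounts; then
        echo "refusing: $target is mounted" >&2
        return 1
    fi
}

# Part 0: overwrite with zeros. On a block device dd stops at the end of the
# device on its own; on a regular file (the demo case) a count is required,
# otherwise dd keeps growing the file until the filesystem is full.
zero_target() {
    target=$1
    refuse_if_mounted "$target"
    if [ -f "$target" ]; then
        mib=$(( ( $(wc -c < "$target") + 1048575 ) / 1048576 ))
        dd if=/dev/zero of="$target" bs=1024k count="$mib" conv=notrunc,noerror 2>/dev/null
    else
        dd if=/dev/zero of="$target" bs=1024k conv=notrunc,noerror
    fi
}

# Check that the zero pass actually covered every byte before the drive
# leaves the server room: tr deletes NUL bytes, so a fully zeroed target
# leaves nothing to count.
is_all_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Part 1: shred, with the verbose progress appended to a log file that goes
# with the 'shredding completed' report. Three passes is the shred default
# used on critical drives here; the non-critical procedure asks for 7.
shred_target() {
    target=$1
    log=$2
    passes=${3:-3}
    refuse_if_mounted "$target"
    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) shred -n $passes $target"
        shred -v -n "$passes" "$target" 2>&1
    } >> "$log"
}

# Constructed demo: a 2 MiB image of non-zero data standing in for /dev/hdX1,
# wiped the same way, with each step verified. Prints the work directory.
demo() {
    dir=$(mktemp -d)
    img=$dir/hdX1.img
    log=$dir/shred.log
    yes 'constructed partition contents' | head -c 2097152 > "$img"
    is_all_zero "$img" && return 1        # sanity: the image really holds data
    zero_target "$img"
    is_all_zero "$img" || return 1        # Part 0 reached every byte
    shred_target "$img" "$log" 3
    grep -q 'pass 3/3' "$log" || return 1 # the log records the final pass
    echo "$dir"
}
```

Run `demo` to see the sequence on the image; for a drive, call `zero_target /dev/hdX1` while still on-site and `shred_target /dev/hdX1 shred-hdX1.log` (or `... 7` for a non-critical drive) on the standalone Knoppix PC, then attach the log to the report.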

Physical Destruction

tbd.

Non-Critical data drives

If the Systems Administration officer declares a drive to be non-critical, then it should be:

  1. Connected to a machine. (Preferably with no other drives, but this is to protect the other drives from a mistake, not the target one.)
  2. Shred the drive using 7 passes.
  3. Mark the drive as non-critical, shredded, and date.
  4. Then, either
    1. deliver the drive to secure-u for physical retirement, as in Part 2 above, or
    2. use the drive in another CAcert secured location (critical or non-critical). If the drive is re-used and later retired, it must be retired according to the higher of its uses.
  5. Post a report in the log (or sysadm mail list).

Notes:

Further research

Physical


CategoryProcedures

SystemAdministration/Procedures/DriveRetirement (last edited 2013-08-28 08:05:08 by WytzevanderRaay)