Storage media such as SSDs have evolved rapidly, while erasure standards such as
AR 380-19 and DoD 5220.22-M are aging. The standards also leave many points
unspecified, so each organization has to establish its own erasure policy and
erase accordingly.
Points to consider about the erasing method
Consideration of reallocated sectors
When a hard disk repeatedly gets errors at one location (sector) because of a
defect on the platter surface, the drive retires that bad sector and maps one
of its spare sectors in its place (reallocation). A retired bad sector can no
longer be reached by software from outside the disk, so it is unlikely to be a
serious problem for normal-level erasure; where strict security is required,
however, reallocated sectors must be taken into account. The drive's SMART
attribute 5 (Reallocated_Sector_Ct) shows how many sectors have been
reallocated. Erasing reallocated sectors requires Enhanced Secure Erase /
Sanitize processing.
Consideration of "Wear Leveling" in flash media such as SSDs
Because flash memory has a finite number of rewrite cycles, SSDs and similar
devices usually have a built-in mechanism that spreads writes over the
physical memory (Wear Leveling) so that they do not concentrate on the same
location. (See "About Secure Erase/Sanitize")
As a result, during a normal overwrite the memory cells that should be
overwritten may be remapped, and the original cells may never be erased. To
bypass Wear Leveling and erase the entire area, Enhanced Secure Erase /
Sanitize processing is required.
For USB flash memory, which does not process ATA commands, and for SSDs that
do not support Secure Erase / Sanitize, the risk of remaining data can be
reduced by erasing three or more times.
Consideration of unallocated space in flash media such as SSDs
In addition to the "Wear Leveling" above, many flash devices frequently remap
memory areas in order to shorten erase processing time. As a result, memory in
unallocated space cannot be accessed in the usual way, and data may remain
there. Erasing unallocated space requires Enhanced Secure Erase / Sanitize
processing.
Consideration of RAID drives
In server systems many disks are RAID-configured. "Green Pepper PRO" accesses
RAID-configured disks as logical disks, and erasure is also performed per
logical disk. With RAID1 (mirror) the same value is written to both disks.
Strictly speaking, with RAID5 / RAID6 etc. not every physical disk is filled
with the specified value: the blocks that hold parity receive the parity value
instead. (For an all-zero fill the parity of all-zero stripes is also zero;
the difference only arises with non-zero or random patterns.) Recovering the
original data from the parity value is practically impossible, but if a strict
fill value is required, change the configuration to 1 logical disk = 1 physical
disk and then perform the erasure.
Spare drives must also be considered: spare (hot-spare) drives are not assigned
to any logical disk and are therefore not erased.
Consideration of HPA, DCO and recovery areas
Desktops and laptops may ship with a recovery area. How the recovery area is
implemented varies by manufacturer, but when erasing the disk you need to
consider how much the user may have accessed and written to that area, and
whether the recovery area can be erased at all.
One way of configuring a recovery area on an ATA (PATA, SATA) disk is to set an
HPA (Host Protected Area). When an HPA is set, the part of the disk beyond the
configured capacity becomes inaccessible to software, and software sees the
disk as smaller than its actual capacity. The recovery data is stored in that
inaccessible (protected) area, and recovery is performed with the HPA setting
disabled.
User data is therefore not written to that area unless the user changes the
HPA-related settings. A normal erase is limited to the area outside the
protected area unless the HPA is disabled. * However, Secure Erase / Sanitize
ignores the HPA setting and erases the entire disk area.
"Green Pepper PRO" has an option to disable the HPA. Specify this option if you
want to erase the entire disk area, including the protected area.
There is another hard disk setting that makes the disk appear smaller than it
actually is. Device Configuration Overlay (DCO) is used to set the disk size,
transfer speed and other parameters below the disk's native capabilities. DCOs
are mainly used by PC manufacturers for limited purposes at shipping time, for
example to give disks with different model numbers a uniform specification. So
even when the DCO sets the disk capacity smaller than it really is, it is
unlikely that any data was written to and left in the inaccessible area.
* Enhanced Secure Erase / Sanitize erases the entire area including the
DCO-hidden area. Normal Secure Erase does not erase the DCO-hidden area.
"Green Pepper PRO" can display whether the disk size has been reduced by a DCO
and can remove the DCO setting. Removing the DCO also disables the HPA.
DCO is the outer limit and HPA the inner one: an HPA can only be set within
the capacity that remains after the DCO limit.
Example:
  Full capacity 1,000,000 -> DCO-limited capacity 900,000
  In this state an HPA can only be set within the 900,000 sectors left by the
  DCO limit:
  Full capacity 1,000,000 -> DCO-limited capacity 900,000 -> HPA-limited
  capacity 800,000
Reference: "Boot from CD/USB flash drive" -> "gph" boot -> "Common options"
-> "Disable HPA, erase entire disk"
If the recovery area is in a normally accessible location (for example a
separate partition), a normal erase also covers the entire disk including that
area.
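The checks this section calls for (reallocated-sector count, HPA and DCO limits) and the resulting choice between a plain overwrite, Secure Erase and Enhanced Secure Erase can be scripted on a Linux rescue system with hdparm and smartctl. The following is an added example written for this page, not code from "Green Pepper PRO": the sample hdparm/smartctl outputs are constructed to match the 1,000,000 / 900,000 / 800,000 example above, the password "Eraser" is an arbitrary placeholder, and the function names are the author's own. It relies on the fact that `hdparm -N` reports the DCO-limited size as the "native" maximum while `hdparm --dco-identify` reports the real maximum.

```sh
#!/bin/sh
# Pre-erase inventory for an ATA disk: is capacity hidden by an HPA or a DCO, and
# has the drive already reallocated sectors?  Each answer changes which erase
# method is sufficient.  The parse functions work on captured text so they can be
# run without a drive; inventory() and the erase functions issue the real
# hdparm / smartctl commands and must run as root on a rescue system.

# Constructed sample outputs (not captured from real hardware) using the page's
# example geometry: real size 1,000,000 sectors, DCO limit 900,000, HPA limit 800,000.
SAMPLE_HDPARM_N='/dev/sdX:
 max sectors   = 800000/900000, HPA is enabled'
SAMPLE_DCO='/dev/sdX:
DCO Revision: 0x0002
Real max sectors: 1000000'
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2941'

# "max sectors = CURRENT/NATIVE": sectors hidden by the HPA = NATIVE - CURRENT.
hpa_hidden_sectors() {
  printf '%s\n' "$1" | awk -F'[=/,]' \
    '/max sectors/ { found = 1; print $3 - $2 } END { if (!found) print 0 }'
}

# Sectors hidden by the DCO = REAL (from --dco-identify) - NATIVE (from -N).
dco_hidden_sectors() {
  native=$(printf '%s\n' "$1" | awk -F'[=/,]' '/max sectors/ { print $3 + 0 }')
  real=$(printf '%s\n' "$2" | awk '/Real max sectors/ { print $NF }')
  echo $(( ${real:-0} - ${native:-0} ))
}

# RAW_VALUE of SMART attribute 5 (Reallocated_Sector_Ct) from `smartctl -A`.
reallocated_sectors() {
  printf '%s\n' "$1" | awk \
    '$1 == 5 && $2 ~ /^Reallocated_Sector/ { found = 1; print $NF } END { if (!found) print 0 }'
}

# The page's rule: DCO-hidden or reallocated sectors are only reached by Enhanced
# Secure Erase; an HPA alone is covered by normal Secure Erase (which ignores the
# HPA); with nothing hidden one overwrite pass plus read verification is enough.
erase_method() {
  realloc=$1 hpa=$2 dco=$3
  if [ "$dco" -gt 0 ] || [ "$realloc" -gt 0 ]; then echo enhanced-secure-erase
  elif [ "$hpa" -gt 0 ]; then echo secure-erase
  else echo overwrite-1-pass
  fi
}

# Live inventory of a real drive (root; hdparm and smartmontools installed).
inventory() {
  dev=$1
  n_out=$(hdparm -N "$dev" 2>&1)
  d_out=$(hdparm --dco-identify "$dev" 2>&1)
  s_out=$(smartctl -A "$dev" 2>&1)
  realloc=$(reallocated_sectors "$s_out")
  hpa=$(hpa_hidden_sectors "$n_out")
  dco=$(dco_hidden_sectors "$n_out" "$d_out")
  printf '%s: reallocated=%s hpa_hidden=%s dco_hidden=%s -> %s\n' \
    "$dev" "$realloc" "$hpa" "$dco" "$(erase_method "$realloc" "$hpa" "$dco")"
}

# Expose hidden capacity before an overwrite-based erase.  hdparm demands the
# --yes-i-know-what-i-am-doing flag for both operations.  Dropping the DCO also
# clears the HPA; the -N line then makes the full native size permanent ("p").
unhide_capacity() {
  dev=$1
  hdparm --yes-i-know-what-i-am-doing --dco-restore "$dev" || return 1
  native=$(hdparm -N "$dev" | awk -F'[=/,]' '/max sectors/ { print $3 + 0 }')
  hdparm --yes-i-know-what-i-am-doing -N "p$native" "$dev"
}

# ATA SECURITY ERASE UNIT via hdparm.  A drive whose security state is "frozen"
# (most BIOSes freeze it at boot; a suspend/resume cycle usually unfreezes it)
# rejects the command, so check first.  "Eraser" is an arbitrary temporary
# password; the drive clears it when the erase completes.
ata_secure_erase() {
  dev=$1 mode=${2:-enhanced}
  if hdparm -I "$dev" | grep -q '^[[:space:]]*frozen'; then
    echo "$dev: security state is frozen, cannot issue SECURITY ERASE" >&2
    return 1
  fi
  hdparm --user-master u --security-set-pass Eraser "$dev" || return 1
  if [ "$mode" = enhanced ]; then
    hdparm --user-master u --security-erase-enhanced Eraser "$dev"
  else
    hdparm --user-master u --security-erase Eraser "$dev"
  fi
}

# Offline demonstration on the constructed samples above.
demo() {
  r=$(reallocated_sectors "$SAMPLE_SMART")
  h=$(hpa_hidden_sectors "$SAMPLE_HDPARM_N")
  d=$(dco_hidden_sectors "$SAMPLE_HDPARM_N" "$SAMPLE_DCO")
  printf 'sample: reallocated=%s hpa_hidden=%s dco_hidden=%s -> %s\n' \
    "$r" "$h" "$d" "$(erase_method "$r" "$h" "$d")"
}
demo
```

Run `inventory /dev/sdX` before choosing a menu; on the sample data it reports 12 reallocated sectors and 100,000 sectors hidden by each of HPA and DCO, so only Enhanced Secure Erase reaches everything. After `ata_secure_erase`, follow the page's advice and run a normal zero-write pass plus read verification, since the erase itself reports no per-sector write errors and the enhanced pattern is vendor-defined.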
Consideration of READ/WRITE errors
When a disk is failing, READ and WRITE errors occur during erasure and
verification. A WRITE error means the overwrite of a sector failed during
erasure; that sector may not have been overwritten, and data may remain in it.
A READ error means the data could not be read back during read verification;
the value of that sector cannot be checked, so it cannot be confirmed as
erased. If the WRITE cache is enabled, a write to a failing sector can complete
without error and the error only surfaces when the sector is read back, so the
read-verification pass is also an important step for detecting it. Also, the
drive retries many times on a failing part, so progress becomes very slow.
Depending on the number of errors and the importance of the disk's contents,
you need to decide how to handle a disk with many errors. Because errors are
unstable, the number of errors often changes from one run to the next. One
method is therefore to repeat the process several times on the erroring disk
to reduce the chance of data remaining. Physical destruction is also an option
where possible.
[Figure: confirmation screen for "Reallocated sector", "HPA" and "Secure
erase" in the "Startup Erase Program"]
[Figure: confirmation screen for "Reallocated sector", "HPA" and "Secure
erase" in the "Windows Erase Program"]
Consideration of the number of erasures
According to "NIST SP 800-88", a single overwrite pass is "adequate", but it
is of course still better to write more than once. In addition, when write
errors occur, writing several times is preferable because the chance that
every write eventually completes increases. For an error-free disk a single
erase pass is sufficient; if time allows, however, we recommend writing at
least twice. For a disk that produces errors it is necessary to write more
times, for example 4 times. * "Green Pepper PRO" has a mechanism that retries
on a sector-by-sector basis when an error occurs.
Read verification is an important step in every case. From the software's
point of view, a "write" to the disk only means that the write command
completed without returning an error; it does not mean that the physical write
completed. So even when writing produced no error, it cannot be said with 100%
certainty that the data was really written. Read verification shows the actual
state of the disk.
For Secure Erase, "Green Pepper PRO" offers a 2-times menu (secure erase +
normal 00 write) and a 3-times menu (secure erase + random + normal 00 write).
Write errors cannot be detected during Secure Erase itself, so a normal write
step is added. With Enhanced Secure Erase the value written is not necessarily
zero, so a zero-write step is added to make verification easier. In addition,
Secure Erase / Sanitize is implemented in each manufacturer's own way, its
internals are not known, and it is a rarely used function, so it may also be
defective. Read verification is therefore an important step for Secure Erase
as well.
Enhanced Secure Erase also writes to detached (reallocated) sectors, but the
second and subsequent passes do not write to detached sectors. And because
detached sectors are "bad", there is no way to know exactly how well the
Secure Erase process "erased" them. Likewise, when an HPA (Host Protected Area)
is set, Secure Erase ignores the HPA and processes the entire disk, but the
second and subsequent passes, and the verification, cover only the accessible
area, excluding the HPA.
* Note) An HPA (Host Protected Area) is a setting that limits the range a disk
exposes to software to a certain area counted from the beginning of the disk.
Software sees an HPA-configured disk as a small disk consisting only of that
leading part of the capacity, not the entire disk. Manufacturers may set an HPA
to hold a recovery area; in that case, note that the recovery area will also
be erased when the HPA is disabled or a Secure Erase is run.
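The read-verification step discussed in this section and under "Consideration of READ/WRITE errors" amounts to reading every sector back from the medium and distinguishing "data remains" from "could not be read". Below is an added shell example, not part of "Green Pepper PRO", that does this for a zero-filled device in fixed-size chunks, re-reading a failing chunk a few times because the page notes that errors are unstable, and bypassing the kernel page cache on block devices (`iflag=direct`) so the comparison reflects the medium rather than cached writes. The 3-chunk sample image it builds is constructed, and the function names are the author's own.

```sh
#!/bin/sh
# Read-back verification after a zero-fill erase.  Every chunk of the device is
# read from the medium (page cache bypassed on block devices) and compared with
# zeros.  A chunk that still cannot be read after the retries is counted
# separately from a chunk that holds data: an unreadable sector can never be
# confirmed erased.  Prints "nonzero=N unreadable=N chunks=N"; exit status 0
# only when both counts are zero.
#
#   verify_zero_device /dev/sdX              # 4 MiB chunks, 2 re-reads per error
#   verify_zero_device image.bin 4096 0      # regular file, no retries
verify_zero_device() {
  dev=$1
  chunk=${2:-4194304}
  retries=${3:-2}
  size=$(blockdev --getsize64 "$dev" 2>/dev/null) || size=$(( $(wc -c < "$dev") ))
  chunks=$(( (size + chunk - 1) / chunk ))
  ddflags=""
  if [ -b "$dev" ]; then ddflags="iflag=direct"; fi   # read the medium, not the cache
  tmp=$(mktemp) || return 2
  i=0 nonzero=0 unreadable=0
  while [ "$i" -lt "$chunks" ]; do
    got=0 attempt=0
    while [ "$got" -eq 0 ] && [ "$attempt" -le "$retries" ]; do
      if dd if="$dev" of="$tmp" bs="$chunk" skip="$i" count=1 $ddflags 2>/dev/null; then
        got=$(( $(wc -c < "$tmp") ))
      fi
      attempt=$((attempt + 1))
    done
    if [ "$got" -eq 0 ]; then
      unreadable=$((unreadable + 1))
      echo "chunk $i (byte offset $((i * chunk))): read error after $attempt attempts" >&2
    elif [ "$(( $(tr -d '\000' < "$tmp" | wc -c) ))" -gt 0 ]; then
      # tr strips every 0x00 byte; anything left over is data that survived the erase
      nonzero=$((nonzero + 1))
      echo "chunk $i (byte offset $((i * chunk))): data remains" >&2
    fi
    i=$((i + 1))
  done
  rm -f "$tmp"
  printf 'nonzero=%d unreadable=%d chunks=%d\n' "$nonzero" "$unreadable" "$chunks"
  [ "$nonzero" -eq 0 ] && [ "$unreadable" -eq 0 ]
}

# Constructed 3-chunk test image (4096-byte chunks): all zero except one 0xAA byte
# at offset 5000, i.e. inside chunk 1.  Prints the image path.
demo_image() {
  img=$(mktemp)
  dd if=/dev/zero of="$img" bs=4096 count=3 2>/dev/null
  printf '\252' | dd of="$img" bs=1 seek=5000 conv=notrunc 2>/dev/null
  echo "$img"
}

img=$(demo_image)
verify_zero_device "$img" 4096 0 || echo "verification FAILED: data remains or sectors unreadable" >&2
rm -f "$img"
```

Use this only after a pass that wrote zeros (the "normal 00 write" step); after Enhanced Secure Erase alone the drive may have written a vendor-defined pattern, which is exactly why the page adds a zero-write step before verifying. Any non-zero `unreadable` count is a reason to repeat the erase or destroy the drive, not to pass it.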
Recommended processing policy for each media type
In addition to the methods listed in "NIST SP 800-88", the following
summarizes the method we recommend. * If many READ / WRITE errors occur,
physical destruction may be required depending on the number of errors.
Recommended processing method for each media type

| Media type | Method in "Green Pepper PRO" | Comment |
|---|---|---|
| Hard Disk Drive, ATA (SATA) / SCSI (SAS) | When executable: [Secure Erase/Sanitize (1-time)] + Verify, or [Secure Erase/Sanitize (2-times)] + Verify. Otherwise: [Erase disks (1-time)] + Verify | If the Reallocated Sectors count is zero, "[Erase disks (1-time)]" + Verify is sufficient. "[Secure erase/sanitize (2-times)]" is also an option for detecting write errors. Always run verification to check for error sectors. |
| SSD, ATA (SATA) / NVMe / eMMC | When executable: [Secure Erase/Sanitize (1-time)] + Verify, or [Secure Erase/Sanitize (2-times)] + Verify. Otherwise: [Erase disks (4-times)] + Verify | SSDs have a lot of unallocated area, so "Secure Erase/Sanitize" is recommended. "[Secure erase/sanitize (2-times)]" is also an option for detecting write errors. If Secure Erase is not feasible, erase as much of the unallocated area as possible by increasing the number of passes. Always run verification to check for error sectors. |
| USB flash drive and other flash memory media | [Erase disks (3-times)] + Verify, or [Erase disks (4-times)] + Verify | Erase as much of the unallocated area as possible by increasing the number of passes. Because the capacity is relatively small compared to an SSD, "[Erase disks (3-times)]" is listed; for large-capacity media use "[Erase disks (4-times)]". Always run verification to check for error sectors. |