
Organizations must sanitize their sensitive data-bearing media devices when they have reached their end of life or are to be repurposed, donated, resold, or disposed of. Techniques like overwriting, cryptographic erasure, degaussing, or physical destruction can be employed to ensure data is permanently removed.
Cryptographic erasure is a media sanitization method that is gaining popularity, especially with storage devices with integrated encryption and access control capabilities. Drives like SEDs (Self-Encrypting Drives) should be erased using this method.
What is a Cryptographic Erase?
Cryptographic Erase (CE) is a data sanitization technique that involves erasing the cryptographic key used to encrypt data. By erasing the key, read access to the encrypted information is prevented, leaving the encrypted data, or cipher text, on the media.
To implement cryptographic erasure successfully, the organization needs a systematic process for recording which media devices were encrypted with a strong cryptographic algorithm, along with a log of the media encryption keys (MEKs) used to encrypt them. Encryption keys must be managed securely, with access limited to authorized personnel only. When sanitizing storage media with CE, it is important to use a professional data-wiping tool that supports cryptographic erasure as prescribed by NIST or IEEE. The software must be able to perform verification after CE to confirm that the keys have been securely erased and the data is no longer accessible.
If the organization does not have a log of MEKs for the devices to be sanitized using CE, it is advisable to use an alternative sanitization technique in combination with CE or in place of CE.
NIST SP 800-88 Rev. 1 media sanitization guidelines recommend CE as a NIST Purge-level media sanitization technique. They further recommend organizations consider using block erase or overwriting as an optional method along with CE for complete data wiping, providing an additional layer of security to the media sanitization process.
Types of Media That Support Cryptographic Erase
Cryptographic Erase is supported by a wide array of media devices. Here are some of the media types that support CE as per NIST guidelines:
Magnetic Media: ATA Hard Disk Drives (PATA, SATA, eSATA, etc.); SCSI Hard Disk Drives
For ATA drives, NIST Purge specifies 4 methods of media sanitization, two of which involve Cryptographic Erase.
- If encryption is supported, then the Cryptographic Erase or the CRYPTO SCRAMBLE EXT command can be used to sanitize the HDDs. Additionally, after CE has been applied, the overwrite command can be used to write zeroes or pseudorandom patterns. If there is no support for the overwrite command, then the Clear procedure or ‘Secure Erase’ can be applied. It is to be noted that this command and procedure applied post-CE are optional.
- Cryptographic Erase (CE) commands can be applied through the Enterprise SSC interface or Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) to change all the media encryption keys. The same optional step as above can be applied here as well.
Flash Memory-Based Storage Devices: ATA Solid State Drives (SSDs), SCSI Solid State Drives (SSDs)
There are three recommended methods of NIST Purge for sanitizing Flash memory-based devices, except for NVMe SSDs. Two out of the three methods employ CE; details are listed below:
- If encryption is supported, then the Cryptographic Erase or the CRYPTO SCRAMBLE EXT can be used to sanitize the SSDs. After CE has been applied, the ‘Block Erase’ command can be used to block erase the drive. If there is no support for the block erase command, then NIST Clear (1-Pass overwriting) or ‘Secure Erase’ can be applied. It is to be noted that this command and procedure applied post-CE are optional.
- Cryptographic Erase (CE) commands can be applied through the Enterprise SSC interface or Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) to change all the media encryption keys. The same optional step as above can be applied here as well.
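As an added illustration (not part of the original article or of any vendor tool), the sketch below decodes the Sanitize capability bits in ATA IDENTIFY DEVICE word 59 and builds the CE sequence described above for ATA HDDs and SSDs, making the follow-up step mandatory when no MEK log entry exists. The `Drive` record, the `mek_logged` inventory flag and the sample values in the comments are assumptions constructed for the example.

```python
from dataclasses import dataclass

# ATA IDENTIFY DEVICE word 59: Sanitize feature set capability bits.
SANITIZE_SUPPORTED = 1 << 12
CRYPTO_SCRAMBLE_EXT = 1 << 13
OVERWRITE_EXT = 1 << 14
BLOCK_ERASE_EXT = 1 << 15

FALLBACK = "Clear (1-pass overwrite) or Secure Erase"
VERIFY = "verify: confirm previously stored data is no longer readable"


@dataclass
class Drive:
    serial: str        # constructed sample identifier
    is_ssd: bool       # flash-based (True) or magnetic (False)
    word59: int        # raw IDENTIFY DEVICE word 59
    mek_logged: bool   # hypothetical inventory flag: MEK recorded in the key log


def supports(d: Drive, bit: int) -> bool:
    # Individual command bits only count if the feature set itself is supported.
    return bool(d.word59 & SANITIZE_SUPPORTED) and bool(d.word59 & bit)


def plan_sanitization(d: Drive) -> list[str]:
    """Return the ordered sanitization steps for one ATA drive."""
    # Follow-up command differs by media: Block Erase for SSDs, overwrite for HDDs.
    bit, cmd = ((BLOCK_ERASE_EXT, "BLOCK ERASE EXT") if d.is_ssd
                else (OVERWRITE_EXT, "OVERWRITE EXT"))
    follow_up = cmd if supports(d, bit) else FALLBACK

    if not supports(d, CRYPTO_SCRAMBLE_EXT):
        # No CE command available: the alternative technique replaces CE.
        return [follow_up, VERIFY]
    # Without a MEK log entry, CE is combined with the alternative technique
    # rather than relied on alone; with one, the follow-up stays optional.
    label = "optional" if d.mek_logged else "required"
    return ["CRYPTO SCRAMBLE EXT", f"{label}: {follow_up}", VERIFY]


if __name__ == "__main__":
    # Constructed inventory: word59 values are sample bit patterns, not real drives.
    for drive in (Drive("SSD-A", True, 0xB000, True),
                  Drive("HDD-B", False, 0x7000, False),
                  Drive("HDD-C", False, 0x0000, True)):
        print(drive.serial, plan_sanitization(drive))
```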
For NVM Express SSDs, NIST Purge states two possibilities for sanitizing the media.
- If encryption is supported, then the Cryptographic Erase command can be used to sanitize the drive. After CE has been applied, the ‘User Data Erase’ command can be used to erase the drive. If there is no support for the ‘User Data Erase’ command, then the NIST Clear (1 Pass Overwrite) procedure can be applied optionally.
- CE commands can be applied through the Enterprise SSC interface or Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) to change all the media encryption keys. The same optional step can be applied here as well.
Mobile Devices: iPhones and iPads, Google Android Phones, Windows Phone OS 7.1/8/8.x, and other mobile devices
Apple iPhones and iPads can be sanitized using CE within a few minutes, under the assumption that encryption is enabled and all the stored data has been encrypted.
Android phones that have encryption enabled might also support Cryptographic Erase and can be erased using CE.
Conclusion
CE can be applied to a wide range of devices, including hybrid drives, SSDs, NVMe, mobile phones, and more. However, organizations are advised to consider their own specific sanitization requirements before using CE as a Purge mechanism. Although CE is an effective NIST Purge method, implementing it requires technical expertise and efficient encryption key management, which makes it difficult to implement manually at scale.
BitRaser simplifies the process and offers a scalable and automated solution for executing CE efficiently across various devices simultaneously. BitRaser’s broad approach to media sanitization includes performing additional methods such as a 1-Pass overwrite, ‘Block Erase,’ and ‘Secure Erase’ after CE to ensure that no traces of data are left on the device as recommended by NIST Purge.