Solved

Secure HDD Wipe on RAID

Posted on 2013-01-21
25
1,492 Views
Last Modified: 2016-12-08
I need a commercially available solution for securely erasing HDDs connected to a RAID; our hardware is DELL R610 using a Perc H700 with either Fujitsu or Seagate SAS drives. Logging is required to verify drive erasure.

We work with financial institutions that won't accept DBAN (I know...). I've tried both WipeDrivePro v.7 and Blancco. Neither of these detect the HDDs on the RAID.

I have tried with no RAID configured and with a simple RAID 1 spanning all the drives.
I've upgraded the BIOS and FW of the controller and the drives to no avail.

Thoughts?
0
Comment
Question by:PotreroHill
  • 8
  • 5
  • 4
  • +4
25 Comments
 
LVL 11

Expert Comment

by:Giladn
ID: 38802026
WipeDrivePro should support raid, did you check for a newer version/updates?
0
 
LVL 32

Expert Comment

by:PowerEdgeTech
ID: 38802038
The software needs to natively support the PERC H700 or allow you to add drivers during the process so it can see the drives.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38802051
you should try some tools until you find one that fits your needs, look here:

http://pcsupport.about.com/od/toolsofthetrade/tp/free-data-destruction-software.htm

I used killdisk, try it :

"
 We need to completely erase all data from a raid set including the raid striping information.. What is the best way to do this?
You should use a software like killdisk. The striping information is stored on sectors on the disk, and since Killdisk erases all sectors, it will erase those sectors as well.

"
hope this helps,

G
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 38802056
I'm actually doing one right now. I have an HP Proliant with a RAID 5 disk set and I'm using KillDisk to wipe the RAID. Check it out at killdisk.com.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38802059
Dell Openmanage doesn't help??
0
 
LVL 32

Expert Comment

by:PowerEdgeTech
ID: 38802099
Dell Openmanage doesn't help??
Help do what?  Erase the drives?  No ... you can configure/reconfigure RAID which will sufficiently erase the data, but there is no logging that would be acceptable for data erasure audit/policies.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 38802136
There may be an issue if there are special drivers that need to load before an app can access the drives.  In that scenario, I suppose that something like Kill Disk might fail. But you could then always break the array so that you are dealing with single disks and wipe each disk.  Probably not the fastest way, but it should work.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38802180
jhyiesla

you are correct, this will take some time to 6-7 pass every drive to zeo it (this is what you need from what I've read) ..

did you try Megaraid ?
http://www.lsi.com/channel/products/storagesw/Pages/MegaRAIDSafeStoreSoftware.aspx
0
 

Author Comment

by:PotreroHill
ID: 38802587
Thanks for all the suggestions to this point!

WipeDrivePro is the SW dictated to use by the financial institution, but after 10 days of working with their support, no go. We did verify that the SW detected the RAID controller (megaraid and megaraid_sas modules both loaded, which are those used in CentOS 6), but no drives seen.

I hadn't found KillDisk, but it doesn't meet the 'commercially available' spec. Business purposes require the backing provided by commercial SW, otherwise I would have tested DBAN.

I don't believe MegaRAID has any multi-pass secure erase features; it does support secure erase through the removal of the security key. And while this is valued above secure erase by the NIST, it only works on encrypted drives and ours aren't.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 38802622
None of those programs will provide proper logging since they will not be able to see the physical disk serial numbers; logical disk serial numbers (if they exist) are meaningless since you could delete the config and create a new one on top and the data would still be there but the logical serial number would have changed.

You have to take the disks off the RAID controller and put them on a dumb non-RAID HBA, then any of them will be able to do the job including logging the serial numbers.
0
 
LVL 32

Expert Comment

by:PowerEdgeTech
ID: 38802640
You have to take the disks off the RAID controller and put them on a dumb non-RAID HBA, then any of them will be able to do the job including logging the serial numbers.
And to this point, the H700 does NOT support non-RAID/JBOD, so it can't be done while the disks are connected to the H700.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 38802670
@PET, Is there a recommended HBA for that server that takes same connectors as the current PERC so they can just move the backplane cables?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 32

Expert Comment

by:PowerEdgeTech
ID: 38802712
The H200 supports RAID and non-RAID and uses the same SFF-8087 SAS connection.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38802725
how about focusing on the software that didn't work like "Blancco"
did you try  using LSI MegaCLI tools ?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 38802884
Giladn, I don't think you've understood the question, it isn't about not being able to erase the data but about being able to "prove" you've done it. That requires recording the physical disk serial number which really isn't possible with a RAID controller in the way unless the erase software has a copy of the controller's management tools built into it and a whole lot of other checks that it hasn't been fooled into certifying that the specific disk has been wiped*. Easily done since the software vendor's tech can't have understood either or they wouldn't spend 10 days before saying they can't certify it.

*wiped well enough for physically recycling as scrap or reusing in a similar or higher security environment than the current one that is, software erase isn't suitable for downgrading to a lower security regime since there's data on those 'bad' blocks that could conceivably be useful even though it's shredded into 512 byte blocks and unreadable without very special software.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38804907
OK, now I understand, I was positive it fits but here is a technical issue causing it not to work, I will try to ask people woking with me if they know a good a solution..
0
 
LVL 11

Expert Comment

by:Giladn
ID: 38804948
OK, I got some info, not much since this is not very common (I have no idea why)
first to be clear,are you using any type of information security ISO?
for guideslines have a look here:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

and here for Jetico's solution, this is a link to the unix/linux forum where you can maybe get more info:

http://www.smokey-services.eu/forums/index.php?PHPSESSID=q08r0us97uh8dncvuafpb3fqr5&board=153.0


I hope this helps somehow,

G
0
 
LVL 16

Expert Comment

by:Gerald Connolly
ID: 38805020
With disks being so low cost, wouldnt physically destroying the disks be a simpler and lower cost option, Just get them shredded.
0
 

Author Comment

by:PotreroHill
ID: 38837680
Hi Folks, sorry for the delay in responding to everyone's comments. As you know, getting randomized away from tasks is part fo our job.

First, THANKS! to everyone who responded with suggestions and potential solutions. Here are comments and the outcome of what I discovered in this process. I hope this helps other people looking for commercially available, secure erase SW with logging:

(1)I wrote to LSI support regarding MegaRAID and have not heard back. Good thought though!
(2)One of the requirements was 'a commercially available software' so KillDisk, and other OpenSource/Freeware are automatically out of the running; financial institutions are cretaceous behemoths that rely on various government and internal 'black box' specifications and reasonings for certifying acceptable SW. So, no matter how effective a product, if the financial institution says 'commercial software', well, that's just one of the rules.
(3) Logging would be done to an attached USB key; properly written SW will detect all attached drives and allow writing to one as long as it is not being erased. Most LiveCDs implementations will detect an attached USB Keys, so this isn't an issue, unless the SW does not mount, enable a CLI to mount or  allow you to identify the key as a 'write-to' location.
(4) We are a start-up and money is money; these drivess are only a year old and can be re-used in another test implementation. The cost per drive wiped is 3x less than the cost of the drive.


Here's what I've found:
Most importantly, Blancco sent me the incorrect SW, they sent me the version for SCSI not SAS. When I received the SAS version, it worked.  Shame on them!
A *properly written program* (like Blancco, www.blancco.com) will detect the RAID controller AND the specific RAID configuration. Any software would have to tear down the RAID config, since any decent RAID controller will stripe the config across drives so they can be moved to an identical system in the case of massive HW failure. So, tear down config, then wipe drives independently, in parallel. Blancco does this, saving time.

For me, this is another lesson/reminder that most company's marketing over-sells their product, as was the case with White Canyon's WipeDrivePro7.

Blancco detected the RAID controller and its configuration. The SW indicated it would tear down the configuration and then securely wipe the drives. I hit go, and it did. Unfortunately we had a major power outage, and since the test system was running off optical media there was no configuration for a graceful shutdown, and thus no logging.

I have to re-run the tests (we've jsut had a re-org so there's plentiful distractions). I will re-post after I re-run the software.

Blancco has a MUCH BETTER GUI than WipeDrivePro7, trust me on this one.

NOTE: White Canyon recently emailed me indicating they successfully re-engineered their product to detect and wipe the drives on a DELL R610 with a configured RAID. I will test this new incarnation when I have access to the SW and report back.
0
 

Expert Comment

by:twmcginley
ID: 38986956
KilkDisk has a professional "commercially available" product.   You may have been looking at the free version.  Although I haven't tried it yet with RAID, they claim to deal with it properly.   It may require including and loading a driver on their boot disk.  It provides verification and reporting as well for compliance freaks.   It's also fairly inexpensive -- licensed per concurrent use rather than number of disks erased (Enterprise license is $ 3,499 for unlimited copies and unlimited locations worldwide)  I've already used one copy to erase 10 SATA drives concurrently (2 each in 5 USB attached external SATA drive docks).   I've also erased USB thumb drives, ZIP and JAZ drives (yes we still have some of these).  I'm looking for opportunity to test on RAID and SCSI.  I also was able to add utilities to do ATA secure erase and "secure crypto erasure" of encrypted drives.  KillDisk creates a bootable disc (either to Windows PE or DOS) from which I've run the added utilities.  With the included disk editor, I am able to review results.
0
 

Author Comment

by:PotreroHill
ID: 39009389
I tried creating a WindowsPE, but found that I needed to figure out how to get the proper drivers loaded in, otherwise the boot didn't recognize any drives. I suspect it would be the same with KillDisk.

One of the biggest issues was with achieving the logging, which I was able to do effectively with Blancco. WipeDrive Pro, I could never get the logging to work, it wouldn't see the extra partition I created on the USB Drive so I could never select that for writing the log file. And honestly, with WipeDrive Pro I kind of felt I was doing their QA and in some cases beta.

If I get a chance, I'll try KillDisk, but right now I don't have access to a system whose drive I can obliterate.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 39010082
I believe this can be easier to solve with WipeDrive Pro , can you tell the reason that prevented you from listing your usbdrive partition? I am downloading a trial and will try later, did you try intergrating WipeDrive Pro to another boot cd with usb support?
0
 

Accepted Solution

by:
PotreroHill earned 0 total points
ID: 39038522
@Giladn Yes, I did try booting from CD with a FAT formatted USB key installed. The WipeDrive Pro interface did not allow me to navigate to the USB key in the logging option, or it didn't detect it; a major #FAIL either way on their part, if you ask me.

How did you find the WDP interface? Pretty, um, thoughtless I felt. Some of the option in the GUI have no way to back out to the main menu. It just didn't seem well thought out to me.

If I have a choice, I'm using Blancco in the future.

And for anyone who thinks drives are so cheap that they can just be shredded, I hotly disagree. High volume SAS drives are still quite expensive (900GB are >= $500), if yo're filling 6-8 bays, that's $3-$4K; not to mention the thoughtlessness of the landfill mentality, especially with a sophisticated drive that may have many more years of useful service.
0
 
LVL 16

Assisted Solution

by:Gerald Connolly
Gerald Connolly earned 250 total points
ID: 39038654
Its a matter of economics, when the cost of the disk gets so low (i found 1TB Enterprise SAS disks for $300) so it doesnt take many hours of your time to cover that, then its not worth the time to wipe and prep for reuse.

Its not economic to try and fix disk PCB's anymore, and because of PRML its not even worth replacing the PCB because you cannot depend on it working reliably.

There is a case for recycling which adds another dynamic to the economics and i am not against that.
0
 

Author Closing Comment

by:PotreroHill
ID: 40404604
In the end, the only product that worked was Blanco. The other products either had flawed interfaces or didn't work at all.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Join & Write a Comment

Suggested Solutions

Solid State Drive Performance Tips: Solid state storage technology is now a standard.  After testing and using several different brands and revisions of SSD's over the years I have put together a collection of tips,tools and suggestions that I ha…
this article is a guided solution for most of the common server issues in server hardware tasks we are facing in our routine job works. the topics in the following article covered are, 1) dell hardware raidlevel (Perc) 2) adding HDD 3) how t…
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now