Sanitizing Brocade encrypted FC switch before returning to vendor

Posted on 2014-01-23
Last Modified: 2014-01-25
We have a faulty encrypted Brocade fibre switch :
after vendor has replaced it, we need to sanitize it
before returning to supplier.

However, when we tried to reset its settings to factory
settings, it won't allow us.  Thus, we deleted the

What are the ways / measures people usually take
before returning suicch a switch?

Is deleting the FabricOS good enough to sanitize it?

Is there an NVRAM or HDD inside the switch that
could be easily removed from the machine for

By deleting the FabricOS, does it delete the config
Question by:sunhux
  • 3
  • 2
  • 2

Author Comment

ID: 39805469
Attached is a screen of the console messages after we've deleted
the FabricOS
LVL 47

Assisted Solution

dlethe earned 230 total points
ID: 39806707
Frankly, I do not know if there is a HDD inside it, but if you degauss the drive then you effectively destroy any warranty so they probably wouldn't even take it back.

I do work for DoD and government and in such situations the procedure is to contact the manufacturer directly.  If this was a HDD, for example, and you had top-secret data on it, then the RMA policy would be that you physically destroy the device and send proof (which is site-dependant, but can be nothing more than providing a serial number via an audited process).

Dead/dying hardware can't be properly initialized, so the only safe way to do this is via the manufacturer directly and ask what they will allow.  Believe me, there is a process. There may even be a vendor specific command for just such a thing,  that is only known by field support or OEMs.  In any event they absolutely have a way to deal with this.

Besides, deleting the O/S or initializing it doesn't mean that proprietary information gets destroyed.  Deleting is not the same as sanitizing.

Author Comment

ID: 39808218
> degauss the drive then you effectively destroy any warranty so they probably
> wouldn't even take it back.

We have a word with the reseller & he's Ok with it.

 I just need to know if the Brocade encryption switch
a) stores its configurations (zoning info) in an NVRAM or a HDD ?
b) is this NVRAM or HDD easily removed?
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 47

Assisted Solution

dlethe earned 230 total points
ID: 39808241
You don't degauss NVRAM, and there is absolutely NVRAM.  You can't remove it without damaging the motherboard.  

I do not know if there is also a HDD, but I expect there is not.  If you destroy either, then it will turn the switch into a paperweight.

I expect if the reseller was aware that you will brick the switch if you go down this path then they wouldn't give you permission.   Call Brocade support directly and ask about the sanitization process.
LVL 62

Accepted Solution

btan earned 270 total points
ID: 39808291
Just to add on if it is real encrypted switch, probably a mean is to consider wiping the crypto key used to encrypt the static storage (if any) in the switch.

As for the dynamic volatile memory, they should have live time as it doesnt persist unlike the Non-volatile type. In this case, the safer is not even to return to them and have some sort of RMA scheme to retain it and still in replacement. It will be higher cost but that depends on your org risk appetite, some company just destroy them or retain to certain life time which the data is of no longer good value or impact...

The switch doesnt seems to have "storage" as in its purpose is to perform encrypt to the SAN connected to it etc. Better to have support to does come with smart card and the crypto is supposed to be open via card auth success. We do need to be wary what about recovery assuming card is spolit and where is this backup crypto key stored or password keyfile (they should be securely wiped)?

More info on brocade SAN protection

The Brocade encryption device features the following:
• Up to 96 Gbps processing bandwidth for disk encryption
• Up to 48 Gbps processing bandwidth for tape encryption with
• Encryption using the industry standard AES-256 algorithm
• Compression using a variant of gzip
• 8 Gbps FC port speeds
• Disk encryption latency of 15–20 microseconds
• Tape encryption and compression latency of 30–40 sec
• Brocade-developed encryption ASIC technology
• FC switching connectivity based on the Brocade Condor 2 ASIC
• Dual Ethernet ports for HA synchronization and heartbeats
• Smart Card reader used as a System Card (ignition key optional)

Below is an FAQ that be useful...

Q Can encryption be used to protect confidential information on decommissioned storage?
A Brocade provides support for Device Decommissioning, a license-free feature that
enables managed destruction of LUN data prior to decommissioning a disk array. Device
decommissioning deletes the key ID metadata on designated LUNs and within the
encryption device itself, providing a one-step, low-cost means of retiring arrays as an
alternative to expensive degaussing, physical destruction, or overwrite techniques. The
operation also creates an audit log of action to provide a verifiable means of the data
destruction. Once the data on the disk is destroyed, the key used to decrypt it is also
Device Decommissioning is supported in Brocade FOS 6.4 for EMC’s RSA RKM (DPM)
and NetApp LKM key managers. Brocade FOS 7.1 expands Device Decommissioning
support to HP ESKM, IBM TKLM, SafeNet KeySecure, and Thales TEKA.
LVL 62

Assisted Solution

btan earned 270 total points
ID: 39808295
Here is another interesting for performing destruction and they sell used switch too. They can be good channel to consult on destruction services too since they deal with re-selling.

Data destruction

Author Comment

ID: 39808511
There's only zoning info in the switches so I guess it's not
that sensitive to the extent that we need to degauss the
NVRAM but I'll see what our corporate security guys say


Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (, worldwide spending on cybersecurity …
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question