Solved

Sanitizing Brocade encrypted FC switch before returning to vendor

Posted on 2014-01-23
Medium Priority
862 Views
Last Modified: 2014-01-25
We have a faulty encrypted Brocade fibre switch:
after the vendor has replaced it, we need to sanitize it
before returning it to the supplier.

However, when we tried to reset it to factory
settings, it wouldn't allow us.  Thus, we deleted the
FabricOS.


Q1:
What are the ways / measures people usually take
before returning such a switch?

Q2:
Is deleting the FabricOS good enough to sanitize it?

Q3:
Is there an NVRAM or HDD inside the switch that
could be easily removed from the machine for
degaussing?

Q4:
By deleting the FabricOS, does it delete the config?
Question by:sunhux
7 Comments
 

Author Comment

by:sunhux
ID: 39805469
Attached is a screen of the console messages after we've deleted
the FabricOS
BrocadeScr.zip
LVL 47

Assisted Solution

by:David
David earned 920 total points
ID: 39806707
Frankly, I do not know if there is a HDD inside it, but if you degauss the drive then you effectively destroy any warranty so they probably wouldn't even take it back.

I do work for DoD and government and in such situations the procedure is to contact the manufacturer directly.  If this was a HDD, for example, and you had top-secret data on it, then the RMA policy would be that you physically destroy the device and send proof (which is site-dependent, but can be nothing more than providing a serial number via an audited process).

Dead/dying hardware can't be properly initialized, so the only safe way to do this is via the manufacturer directly and ask what they will allow.  Believe me, there is a process. There may even be a vendor specific command for just such a thing,  that is only known by field support or OEMs.  In any event they absolutely have a way to deal with this.

Besides, deleting the O/S or initializing it doesn't mean that proprietary information gets destroyed.  Deleting is not the same as sanitizing.

Author Comment

by:sunhux
ID: 39808218
> degauss the drive then you effectively destroy any warranty so they probably
> wouldn't even take it back.

We had a word with the reseller & he's OK with it.

I just need to know if the Brocade encryption switch
a) stores its configuration (zoning info) in NVRAM or on an HDD?
b) is this NVRAM or HDD easily removed?
LVL 47

Assisted Solution

by:David
David earned 920 total points
ID: 39808241
You don't degauss NVRAM, and there is absolutely NVRAM.  You can't remove it without damaging the motherboard.  

I do not know if there is also a HDD, but I expect there is not.  If you destroy either, then it will turn the switch into a paperweight.

I expect if the reseller was aware that you will brick the switch if you go down this path then they wouldn't give you permission.   Call Brocade support directly and ask about the sanitization process.
LVL 65

Accepted Solution

by:btan
btan earned 1080 total points
ID: 39808291
Just to add on: if it is a real encrypted switch, probably one means is to consider wiping the crypto key used to encrypt the static storage (if any) in the switch.

As for the dynamic volatile memory, it should have a limited live time, as it doesn't persist, unlike the non-volatile type. In this case, the safer option is not even to return it to them and to have some sort of RMA scheme to retain it and still get a replacement. It will be higher cost, but that depends on your org's risk appetite; some companies just destroy them or retain them until a certain lifetime at which the data is no longer of value or impact...

The switch doesn't seem to have "storage", as its purpose is to perform encryption for the SAN connected to it, etc. Better to have support clarify... it does come with a smart card, and the crypto is supposed to be opened via a successful card auth. We do need to be wary about recovery, assuming the card is spoilt: where is the backup crypto key or password keyfile stored (they should be securely wiped)?

More info on brocade SAN protection
http://www.brocade.com/downloads/documents/books/securing-fibre-channel-fabrics-bk.pdf

The Brocade encryption device features the following:
• Up to 96 Gbps processing bandwidth for disk encryption
• Up to 48 Gbps processing bandwidth for tape encryption with compression
• Encryption using the industry standard AES-256 algorithm
• Compression using a variant of gzip
• 8 Gbps FC port speeds
• Disk encryption latency of 15–20 microseconds
• Tape encryption and compression latency of 30–40 sec
• Brocade-developed encryption ASIC technology
• FC switching connectivity based on the Brocade Condor 2 ASIC
• Dual Ethernet ports for HA synchronization and heartbeats
• Smart Card reader used as a System Card (ignition key optional)

Below is an FAQ that may be useful...
http://www.brocade.com/downloads/documents/faqs/brocade-encryption-faq.pdf

Q: Can encryption be used to protect confidential information on decommissioned storage?

A: Brocade provides support for Device Decommissioning, a license-free feature that enables managed destruction of LUN data prior to decommissioning a disk array. Device decommissioning deletes the key ID metadata on designated LUNs and within the encryption device itself, providing a one-step, low-cost means of retiring arrays as an alternative to expensive degaussing, physical destruction, or overwrite techniques. The operation also creates an audit log of the action to provide a verifiable means of the data destruction. Once the data on the disk is destroyed, the key used to decrypt it is also destroyed.

Device Decommissioning is supported in Brocade FOS 6.4 for EMC’s RSA RKM (DPM) and NetApp LKM key managers. Brocade FOS 7.1 expands Device Decommissioning support to HP ESKM, IBM TKLM, SafeNet KeySecure, and Thales TEKA.
LVL 65

Assisted Solution

by:btan
btan earned 1080 total points
ID: 39808295
Here is another interesting one for performing destruction, and they sell used switches too. They can be a good channel to consult on destruction services too, since they deal with re-selling.

http://www.liquidtechnology.net/used-brocade-switches.php

Data destruction

http://www.liquidtechnology.net/data-destruction-services.php

Author Comment

by:sunhux
ID: 39808511
There's only zoning info in the switches, so I guess it's not
that sensitive to the extent that we need to degauss the
NVRAM, but I'll see what our corporate security guys say.

Thanks