Request for ATA erase method: Sanitize/Crypto Scramble Ext
Brought to you by:
ideguy
Menu
▾
▴
#19 Request for ATA erase method: Sanitize/Crypto Scramble Ext
[Background]
Some recent SED SSDs/HDDs support scrambling the cryptographic key when SECURITY ERASE UNIT (F4h) is invoked (via normal or enhanced, sometimes both). This can be in addition to, or instead of, overwriting/erasing the user data area. However, it's never really clear if this is occurring, as the function is usually a vendor-specific addition to the requirements: some vendors explain that they do this in their specifications, others do not.
[New ATA function called SANITIZE]
There's a newish T13-published function called SANITIZE (B4h), which includes one or more of three possible sub-functions: BLOCK ERASE EXT (0012h), CRYPTO SCRAMBLE EXT (0011h) and OVERWRITE EXT (0014h).
CRYPTO SCRAMBLE EXT explicitly wipes the drive's data key(s) and creates new ones. If you rely on needing to re-key drives for security purposes, this is the function you want to depend on.
IDENTIFY DEVICE has additional flags available to indicate support for SANITIZE and which sub-functions are available.
[Where it exists]
The only software I have run across of that actually implements this is the drive erase function in contemporary Thinkpad BIOSes: the newest ones require a boot CD/floppy + BIOS support for safety reasons, older ones can be done directly through the BIOS alone once permanently activated via a utility CD. The most recent version is here: http://support.lenovo.com/en_US/downloads/detail.page?DocID=DS019026
There may be commercial software out there that also supports this new function.
The only hardware I've come across (in my limited experience) that supports this is the Crucial M500 series. I verified using above lenovo routine, which showed a complete bit-randomization pattern after the cryptographic scramble was invoked (verified via WinHex). I also notified Micron that their specification sheet indicated that the drive only supported OVERWRITE EXT, they agreed that was an error in their specifications which they are updating as it supports CRYPTO SCRAMBLE EXT instead.
-Brendan
PS - I forgot to mention a significant benefit: the routine returns in seconds, not minutes/hours.
On 14-02-04 01:13 PM, Brendan Hoar wrote:
..
Sounds cool.
Can I interest you in fame and fortune,?
Or at least the fame part, if you send me a patch or three?
Even the regular SECURE ERASE returns in seconds (not minutes/hours) on an SSD.
Cheers
-- Mark Lord
Last edit: Mark Lord 2014-02-04
Mark,
Ok, yeah, good reply. If I get a chance, I'll take a look. What is your recommended build environment? Thanks.
Just about any Linux system, with the normal build-essential package (or equivalent) installed. hdparm does not use any weird libraries or stuff, so it is mostly self-contained.
The Source package includes a Makefile, so one just says "make" to build it.
Also, I do prefer direct email (mlord@pobox.com) rather than having to do this communication through a website that I nearly never check up on.
Cheers
Hey guys, was there any progress on this? I'm looking at implementing sanitize and was thinking hdparm might be a good place to work through it since it has framework in place for disk communication.
1.5 years was passed, any news on this ticket? We still no utils for 3 sanitize methods.
For this to move forward, somebody has to step up and volunteer to implement it, and send me a working patch.
Or.. make it really easy (aka. non time-consuming) for me, and send me the T13 ATA documentation for these new commands and identify data, and I may be able to add it rather quickly. Hunting for the documentation seems to take me longer these days, and my time is less available. :)
Cheers
Mark Lord
Thanks for reply, Mark.
If it will be enough, here is documentation.
http://www.t13.org/documents/UploadedDocuments/docs2009/e07197r7-T13_Sanitize_Command_Proposal.pdf
It would be really good to implement both SANITIZE and CRYPTOGRAPHIC SCRAMBLE in hdparm so that we don't have to rely on closed-source manufacturer utilities when making sure to securely wipe our SSDs!
Any chance you could check out the PDF Mark?
It's been 2 years, so thought I'd bump this worthy suggestion. Thank you for the continued updates.
Isn't this already there?
Eg. hdparm --sanitize-crypto-scramble
and similar..
Mark, Thanks so much for implementing the Sanitize operations. I've put together a brief introduction and guide here: https://tinyapps.org/docs/ata_sanitize_hdparm.html . Aloha, Miles