Infrastructure at your Service

Casimir Schmid

When to secure erase storage devices? How to do it on Oracle Database Appliances?

TL;DR
If hardware stays inside your data center, it is acceptable to secure erase storage devices. If it leaves your data center (decommissioning, move to another location), it is best to physically destroy (shred) it. Storage devices are not only hard disk drives and solid state drives, but also components that hold data temporarily, such as memory modules (RAM) and CPUs (which contain caches, registers, ...). As a consequence, do not sell used storage devices.
The main reason to follow this advice is the risk that third parties who obtain this hardware are able to recover data, and that the resulting abuse seriously damages your business. Examples of abuse are: damaging your reputation by going public, selling the data, or acting quietly by analyzing your data with the goal of developing a better business plan than yours. In many industries data is a very valuable asset today, so adequate protection even after the hardware reaches the end of its lifecycle is important.

Regarding Oracle Database Appliance, use the script odaeraser.py to securely erase. It is good practice to do this before re-imaging.

When to secure erase storage devices

It is reasonable to erase (rather than destroy) media holding data that falls in the security categories "low" and "moderate" as described by NIST (see this document, Figure 4-1 "Sanitization and Disposition Decision Flow"). However, if the data is categorized "high", it is recommended to physically destroy all storage devices by shredding and to buy new ones. The German "Bundesamt für Sicherheit in der Informationstechnik", known as BSI, recommends an approach similar to NIST's:

  • First determine the level of data protection according to DIN 66399
  • Then choose an appropriate erase method

Furthermore, BSI recommends putting more effort into secure erase when storage devices will not be reused in the same scope, or will be sold.
Personal recommendation: do not sell used storage devices (hard drives, SSDs, memory, CPUs). The main reasons are

  • You do not know what happens to sold hardware (even if it was securely erased). The combination of physical possession of the hardware and unlimited time raises the risk that data believed to be securely erased is recovered and abused.
  • Data is a valuable asset. Its value is even higher if the data is stored in a database: it is potentially curated, therefore very valuable, and already in a well-structured form to work with. That is, after all, why a database is used to deal with large amounts of data.

About data erasure and sanitization

On Wikipedia, one can find an accurate explanation:

Data erasure (sometimes referred to as data clearing, data wiping, or data destruction) is a software-based
method of overwriting the data that aims to completely destroy all electronic data residing on a hard disk
drive or other digital media by using zeros and ones to overwrite data onto all sectors of the device.
By overwriting the data on the storage device, the data is rendered unrecoverable
and achieves data sanitization.

According to the “Guidelines for Media Sanitization” published by NIST,

Sanitization is a process to render access to target data (the data subject to the sanitization technique)
on the media infeasible for a given level of recovery effort.
...
Clear, Purge, and Destroy are actions that can be taken to sanitize media. The categories of sanitization
are defined as follows:
- Clear applies logical techniques to sanitize data in all user-addressable storage locations for
protection against simple non-invasive data recovery techniques; typically applied through the standard
Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option
to reset the device to the factory state (where rewriting is not supported).
- Purge applies physical or logical techniques that render Target Data recovery infeasible using state of
the art laboratory techniques.
- Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results
in the subsequent inability to use the media for storage of data.

Oracle Database Appliance: Script odaeraser.py

Oracle Corporation provides the script odaeraser.py, which both clears and purges all data stored on the mass storage devices of an Oracle Database Appliance. The script exhausts the possibilities offered by the given software and hardware layers. It follows the minimum sanitization recommendations documented in the NIST guidelines for all devices in the Oracle Database Appliance that store data permanently. For details, see pages 32 to 38 of this document.

odaeraser.py is written in Python and works on ODA platforms from V2 to X8 (and will probably also work on upcoming hardware), both the high availability and the lite versions (S and M). An ODA consists of multiple types of mass storage devices, such as hard disks, SSDs and NVMe storage devices. The script first detects the device types and then uses an appropriate clearing and purging method for each.

Script usage can be found in Oracle documentation, for example for current X8 platform.

Script analysis

Done on script version 19.3.0.0.0/1 dated 2019/04/15.
The erase commands issued and their parameters did not change compared to version 18.3.0.0.0/3 dated 2018/10/15.
Personally, I do not expect functional changes in the script for future 19.x updates.

Clearing data

The script only clears data (in the NIST sense of "Clear") on hard disk drives; SSDs and NVMe devices are handled by the purge methods below.

Method used for hard disk drives

See line 244 in the script. Data on hard disk drives is overwritten using scrub. In the script, variables are used for the parameters; what is finally executed is:

/usr/bin/scrub -p dod -f -b 10M $device

The parameters used are explained on the man page for scrub:

-p dod
Forces scrub to use its dod overwrite pattern, named after DoD 5220.22-M (the National Industrial Security Program Operating Manual, the nominal US authority for how private industry handles classified information). According to the scrub man page, dod is a four-pass pattern derived from section 8-306 procedure (d) of that standard: all addressable locations are overwritten with a character, its complement and a random character, followed by a verify pass; scrub performs the random pass first to make the verification easier. In other words:

    1. random values
    2. a fixed byte value
    3. the complement of that value
    4. verify

Note that this is four passes, not three, and only the final verify pass reads the disk back.

-f
Scrub even if target contains signature indicating it has already been scrubbed.

-b <scrub block size>
Perform read and write calls using the specified block size (in bytes). K, M, or G may be appended to the number to change the units to KiB, MiB, or GiB, respectively. In the script, 10 MiB is used (line 84).

Purging Data

Methods used for hard disk drives and SSDs

The following methods use SCSI commands that are sent from the initiator (the host bus adapter) to the target (the disk or SSD). According to the SBC-4 specification (see this document, chapter 4.11 "Sanitize operations"), a sanitize operation on the storage device is resumed after a power loss or logical unit reset. During sanitization, the storage device does not accept new commands from the initiator. Sanitize operations are performed on

  • the medium on the device that stores logical block data
  • the medium on the device that is not being used to store logical block data, i.e. areas previously used to store block data, areas available for allocation, and physical blocks that have become inaccessible
  • all caches

Crypto erase

See line 257 in the script. On certain storage devices, all data is encrypted with a key held on the device. The crypto erase operation discards this key and replaces it with a new one; without the original key, the data on the device can no longer be decrypted. In the script, variables are used for the parameters; what is finally executed is:

/usr/bin/sg_raw -vvv -t 300 48 83 00 00 00 00 00 00 00 00

The sg_raw utility sends an arbitrary SCSI command (between 6 and 256 bytes) to the device. The command bytes are specified in plain hex without prefix or suffix. The parameters used are explained on the man page for sg_raw:

-vvv
Increase level of verbosity

-t <timeout>
Wait up to the given number of seconds for command completion (in the script: 300 seconds, see line 80). Note that if a command times out, the operating system may start by aborting the command and, if that is unsuccessful, it may attempt to reset the device.

<scsi command>
SCSI SANITIZE command (opcode 48h) with the crypto erase service action (in the script: 48 83 00 00 00 00 00 00 00 00, line 249)

Overwrite

See line 271 in the script. To overwrite the data on the storage device, a pattern is written. In the script, variables are used for the parameters; what is finally executed is:

/usr/bin/sg_raw -vvv --infile /tmp/odaeraser.zeros.dat --send=516 48 81 00 00 00 00 00 02 04 00

-vvv
Increase level of verbosity

--infile /tmp/odaeraser.zeros.dat
Read data from the given file instead of stdin, here /tmp/odaeraser.zeros.dat

--send=516
Read SLEN bytes of data, either from stdin or from a file, and send them to the device. Here 516 bytes are sent, which must match the parameter list length encoded in bytes 7 and 8 of the command (02 04 hex = 516).

48 81 00 00 00 00 00 02 04 00
SCSI SANITIZE command with the overwrite service action

Block erase

See line 285 in the script. Block erase causes the device to set all physical blocks, including those not accessible by the operating system, to a vendor-specific value. In the script, variables are used for the parameters; what is finally executed is:

/usr/bin/sg_raw -vvv 48 82 00 00 00 00 00 00 00 00

-vvv
Increase level of verbosity

48 82 00 00 00 00 00 00 00 00
SCSI SANITIZE command with the block erase service action
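The three sg_raw invocations above (crypto erase, overwrite, block erase) differ only in the second CDB byte and, for overwrite, in the parameter list length. The following is an added example, not code from odaeraser.py or sg3_utils, that encodes and decodes the 10-byte SANITIZE CDB as laid out in SBC-3/SBC-4 (opcode 48h; byte 1 carries IMMED in bit 7, AUSE in bit 5 and the service action in bits 4-0; bytes 7-8 hold the parameter list length) and builds the OVERWRITE parameter list (4-byte header plus the initialization pattern). The function names are mine, and the header values chosen for the parameter list are an assumption: the page only shows that the script sends a 516-byte file whose name suggests zeros.

```python
"""Encode and decode the SCSI SANITIZE CDBs that odaeraser.py hands to sg_raw.

Added example; this is not code from odaeraser.py or sg3_utils. The byte layout
is the 10-byte SANITIZE CDB (opcode 48h) and the OVERWRITE parameter list as
defined in SBC-3/SBC-4.
"""
import struct

SANITIZE_OPCODE = 0x48

# SERVICE ACTION field (CDB byte 1, bits 4-0)
SERVICE_ACTIONS = {
    0x01: "OVERWRITE",
    0x02: "BLOCK ERASE",
    0x03: "CRYPTOGRAPHIC ERASE",
    0x1F: "EXIT FAILURE MODE",
}
NAME_TO_SA = {name: sa for sa, name in SERVICE_ACTIONS.items()}


def parse_sanitize_cdb(hex_cdb):
    """Decode a SANITIZE CDB given in sg_raw's plain hex form ("48 83 00 ...")."""
    cdb = bytes.fromhex(hex_cdb)  # fromhex ignores the spaces between bytes
    if len(cdb) != 10 or cdb[0] != SANITIZE_OPCODE:
        raise ValueError("not a 10-byte SANITIZE CDB")
    sa = cdb[1] & 0x1F
    return {
        "service_action": SERVICE_ACTIONS.get(sa, "reserved (0x%02x)" % sa),
        "immed": bool(cdb[1] & 0x80),   # bit 7: return status before the erase completes
        "ause": bool(cdb[1] & 0x20),    # bit 5: allow unrestricted sanitize exit
        "param_list_len": struct.unpack(">H", cdb[7:9])[0],  # bytes 7-8, big endian
        "control": cdb[9],
    }


def build_sanitize_cdb(service_action, immed=True, ause=False, param_list_len=0):
    """Return the 10-byte CDB as the space-separated hex string sg_raw expects."""
    sa = NAME_TO_SA[service_action]
    byte1 = (0x80 if immed else 0) | (0x20 if ause else 0) | sa
    cdb = (bytes([SANITIZE_OPCODE, byte1, 0, 0, 0, 0, 0])
           + struct.pack(">H", param_list_len) + b"\x00")
    return " ".join("%02x" % b for b in cdb)


def build_overwrite_param_list(pattern=b"\x00" * 512, count=1, invert=False, test=0):
    """OVERWRITE parameter list: 4-byte header followed by the initialization pattern.

    byte 0:    INVERT (bit 7), TEST (bits 6-5), OVERWRITE COUNT (bits 4-0, 1..31)
    byte 1:    reserved
    bytes 2-3: INITIALIZATION PATTERN LENGTH (1 .. logical block length)
    The header values are an assumption (example's own choice); the page only
    shows that the script ships a 516-byte file, i.e. 4 + 512 bytes.
    """
    if not 1 <= count <= 31:
        raise ValueError("overwrite count must be 1..31")
    if not 1 <= len(pattern) <= 512:
        raise ValueError("pattern must be 1..512 bytes for 512-byte logical blocks")
    byte0 = (0x80 if invert else 0) | ((test & 0x3) << 5) | count
    return bytes([byte0, 0x00]) + struct.pack(">H", len(pattern)) + pattern


def check_overwrite_invocation(hex_cdb, param_list):
    """True if the CDB is an OVERWRITE whose PARAMETER LIST LENGTH equals what --send ships."""
    info = parse_sanitize_cdb(hex_cdb)
    return info["service_action"] == "OVERWRITE" and info["param_list_len"] == len(param_list)


if __name__ == "__main__":
    for cdb in ("48 83 00 00 00 00 00 00 00 00",   # crypto erase, script line 249
                "48 81 00 00 00 00 00 02 04 00",   # overwrite, script line 271
                "48 82 00 00 00 00 00 00 00 00"):  # block erase, script line 285
        print(cdb, "->", parse_sanitize_cdb(cdb))
    plist = build_overwrite_param_list()
    print("overwrite parameter list:", len(plist), "bytes, header", plist[:4].hex())
    print("CDB and --send length consistent:",
          check_overwrite_invocation("48 81 00 00 00 00 00 02 04 00", plist))
```

Decoding the three CDBs shows that all of them set the IMMED bit (byte 1 starts with 8), so sg_raw returns as soon as the device has accepted the command; the `-t 300` timeout bounds that acceptance, not the erase itself, whose duration is determined by the device. While the sanitize runs, the device reports progress through REQUEST SENSE, which can be polled with `sg_requests --progress` from sg3_utils.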

Method used to purge NVM Express SSDs

Secure erase

See line 296 in the script. If the NVMe SSD is capable of self-encryption, the "crypto erase" method is used; otherwise the "block erase" method is used. In the script, variables are used for the parameters; what is finally executed is:

/usr/sbin/nvmeadm erase -a -s

The parameters used are explained on the man page of nvmeadm:

erase
Erases the NVMe namespace media for the controller

-a
Erase all namespaces

-s
Retrieves the vendor-specific information of the specified controller
