DoD Harddrive Secure Erase Wipe

DoD Harddrive Secure Erase Wipe

I have a project which I need to DoD harddrives for the company. I
have large raid-scsi enclosure which I can use.

I have access Quad/Octa Xeon P4 servers with 3 dual channel LVE/SE
ultra scsi 160 cards. With these, I would be able to drive 4 x 14 scsi
drive (IBM EXP300 / 3531-1RU) units.

What are my options?

I was thinking about doing following.

1. for i in 1 2 3 4 5 6 7; do time dd /dev/random of=/dev/sda
bs=1048576; done

Use the random bits into drive 7 times.
I think with 14 x 36GB scsi in raid5 setup would take approximately
18 x 7pass = 5 days.
This is pretty bad.

2. I could setup stripped version of gentoo with proper raid
controller driver(here IBM ServeRaid 4Mx and run DBAN from boot drive.

I've got a question, does anyone have working knowledge of DoD5200.28-
STD & DoD5200.22-M? I need to know how it's supposed to work, then I
could just write simple c program to erase drive instead of relying on
other tools for speed.
I need fastest solution available.

Thanks.

From: "oktokie" <oktokie@yahoo.com>

| DoD Harddrive Secure Erase Wipe
|
| I have a project which I need to DoD harddrives for the company. I
| have large raid-scsi enclosure which I can use.
|
| I have access Quad/Octa Xeon P4 servers with 3 dual channel LVE/SE
| ultra scsi 160 cards. With these, I would be able to drive 4 x 14 scsi
| drive (IBM EXP300 / 3531-1RU) units.
|
| What are my options?
|
| I was thinking about doing following.
|
| 1. for i in 1 2 3 4 5 6 7; do time dd /dev/random of=/dev/sda
| bs=1048576; done
|
| Use the random bits into drive 7 times.
| I think with 14 x 36GB scsi in raid5 setup would take approximately
| 18 x 7pass = 5 days.
| This is pretty bad.
|
| 2. I could setup stripped version of gentoo with proper raid
| controller driver(here IBM ServeRaid 4Mx and run DBAN from boot drive.
|
| I've got a question, does anyone have working knowledge of DoD5200.28-
| STD & DoD5200.22-M? I need to know how it's supposed to work, then I
| could just write simple c program to erase drive instead of relying on
| other tools for speed.
| I need fastest solution available.
|
| Thanks.

Based upon a memo by Linton Wells II on the sanitization of of non-classified hard disks,
circa June '01...

You have to write a bit pattern such as; 11110000
Then its complement such as; 00001111
Then another pattern such as; 01010101
Which has to be repeated 6 times.

"Sanitization is not complete until all six passes of the three cycles are completed".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

oktokie wrote:

> DoD Harddrive Secure Erase Wipe
>
> I have a project which I need to DoD harddrives for the company. I
> have large raid-scsi enclosure which I can use.
>
> I have access Quad/Octa Xeon P4 servers with 3 dual channel LVE/SE
> ultra scsi 160 cards. With these, I would be able to drive 4 x 14 scsi
> drive (IBM EXP300 / 3531-1RU) units.
>
> What are my options?
>
> I was thinking about doing following.
>
> 1. for i in 1 2 3 4 5 6 7; do time dd /dev/random of=/dev/sda
> bs=1048576; done


Wow, just four obvious problems...

1. the syntax if "if=$inputdevice".

2. This will take forever, since /dev/random blocks if not sufficient
entropy is available, and only fill up at a rate of about 1 KB/s.

3. Without a 'sync' at the end, the last block might not be written in case
of a hard crash.

4. Why a blocksize of only 1 MB, and why not write it as "1m"?

> I think with 14 x 36GB scsi in raid5 setup would take approximately
> 18 x 7pass = 5 days.
> This is pretty bad.


As standing above, it would rather take 117.3 years. :-)

However, I can't follow your calculation either. If you write to all disks
simultanously (damn, add a '&'!), at a rate of 40 MB/s, it would take
roughly 2 hours.

> I've got a question, does anyone have working knowledge of DoD5200.28-
> STD & DoD5200.22-M? I need to know how it's supposed to work,


Simply said, it's an out-dated idea with concepts that don't apply any more.
Unless you're required to do it, don't do it.

oktokie <oktokie@yahoo.com> wrote in news:32bea820-e550-4f70-9f1f-
bf50673a8faf@i7g2000prf.googlegroups.com:

> ...then I
> could just write simple c program to erase drive instead of relying on
> other tools for speed.
> I need fastest solution available.


I caution against writing your own program unless you have an intimate
understanding of how the hard drive itself handles writes. For instance,
with the large buffers on many current HDs it is quite possible that only
the last write of a series of writes to a given sector micht actually
make it to the platters (depending on how your software is written).
Similarly, it is non-trivial to ensure that any flagged and remapped
sectors (those listed in the G-list and, if you're a paranoid, possibly
even those in the P-list) not be skipped for overwriting lest they
contain sensitive data. Also be sure not to accidentally skip over any
HPA sectors, if present.

I suggest that, in addition to using any roll-your-own erase program, you
use the HD manufacturer's software to invoke the "secure erase" command
that is part of any ATA-spec-compliant modern HD (which is to say, all of
them). It's also *much faster* than block writing.

You may also wish to use the DoD-compliant erasing program HDDerase
http://cmrr.ucsd.edu/people/Hughes/HDDErase.zip from the Center for
Magnetic Recording Research at UCSDhttp://cmrr.ucsd.edu/

In fact, lingering there to do a little reading might be helpful :-)

As for me, I don't believe in erasing and recycling drives if they're to
go out of house - I believe in destroying them. I note that DoD 522.22M
requires physical destruction the magnetic disks for data above
"secret." So I take the "roach motel" approach with HDs: "drives check
in but they don't check out."

HDs are cheap, it takes much care and time to erase them properly, and
risks and liabilities are large if there's a fuck-up (procedural fuck-ups
are quite common which vitiates the hoped-for protection of even the best
erasure software :-)

Regards,

PS Most SCSI drives do not natively support a "secure erase" command
equivalent to that in ATA drives (the command is *optional* in the SCSI
spec and no drives currently implement it).

PPS For better control of the process, consider such (very expensive)
solutions as the "Digatal Shredder"
http://www.deadondemand.com/products/digitalshredder/