Hard drive recycling do’s and don’ts

news
Jan 16, 2009 | 4 mins

Could you be leaking sensitive data when you toss or repurpose that old drive?

I recently got into a conversation with David Szabados of Seagate Technology regarding their whole drive encryption and its contribution to corporate security. He told me about an interesting new relationship they have with IBM, which will result in drive arrays that use encryption so that data on drives removed from the array due to failure cannot be recovered through forensic techniques.

Although data on an array is generally striped across somewhere between three and 16 drives, even recovering every 16th block could yield social security numbers, account numbers, or other critical information, so supporting whole drive encryption within an array is something that all storage vendors should investigate. With this support enabled, the array automatically generates a key when the array is initialized. Subsequently, whenever the array is turned on it passes the key to each drive to unlock its data.

Szabados and I talked a little about the quick secure erase feature of the drives, which allows an admin to quickly and easily render the drive unreadable. This does not simply delete partition information like reformatting the drive would, nor does it write over every block on the disk several times. Quick secure erase deletes the encryption key stored on the drive, which leaves all the content encrypted with no way to decrypt it. That led into a discussion of how drives are commonly disposed of by companies, and whether the disposal procedures can be circumvented.

Typical disposal procedures include reformatting the drive, using a disk erasing utility, and physically disabling the drive. Reformatting the drive is not a good way to securely delete data, as it only deletes the partition table and leaves the data on the disk intact. That means a forensic program can often recover most of the data on the disk.

Drive erasing utilities, which write zeros to every block of the disk from three to 35 times, are effective, but they can take quite a while to run, and they won’t work with a disk that has had an electronic failure. A hacker could repair the electronics, then access all the data.
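The difference between a quick reformat and a block-by-block overwrite, and why a single drive pulled from a striped array still yields records, can be checked with the kind of residual-data scan a disposal procedure should end with. This is an added example, not code from the article; the toy disk image, the sample records and the alternating zero/random pass pattern are constructed for illustration.

```python
import os
import re

BLOCK = 512
# U.S. social security numbers written as NNN-NN-NNNN, the kind of field a
# recovery scan of a pulled HR or accounting drive would look for.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records standing in for a database on the drive.
SAMPLE_RECORDS = [
    b"name=Alice Example;ssn=123-45-6789;acct=0001",
    b"name=Bob Example;ssn=987-65-4321;acct=0002",
    b"name=Carol Example;ssn=555-12-3456;acct=0003",
]

def build_image(records, blocks=64):
    """Toy disk image: block 0 holds the partition table, records follow."""
    img = bytearray(blocks * BLOCK)
    img[0:BLOCK] = b"PARTITION-TABLE".ljust(BLOCK, b"\x00")
    for i, rec in enumerate(records, start=1):
        img[i * BLOCK:(i + 1) * BLOCK] = rec.ljust(BLOCK, b"\x00")
    return img

def reformat(img):
    """Quick reformat: only the partition table is rewritten; data blocks stay."""
    img[0:BLOCK] = b"\x00" * BLOCK
    return img

def overwrite(img, passes=3):
    """Erase utility: every block is rewritten on each pass (zeros, then random)."""
    for p in range(passes):
        for off in range(0, len(img), BLOCK):
            img[off:off + BLOCK] = (b"\x00" * BLOCK if p % 2 == 0
                                    else os.urandom(BLOCK))
    return img

def stripe(img, drives):
    """Spread blocks round-robin over `drives` members, as a striped array does."""
    members = [bytearray() for _ in range(drives)]
    for n, off in enumerate(range(0, len(img), BLOCK)):
        members[n % drives] += img[off:off + BLOCK]
    return members

def residual_ssns(img):
    """Scan raw blocks for SSN-shaped fields, the way a recovery tool would."""
    return [m.group().decode() for m in SSN_RE.finditer(bytes(img))]
```

Running `residual_ssns` on a reformatted copy returns every record, on an overwritten copy nothing, and on member 1 of a 16-drive stripe still one record.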

Degaussing the disk with a big electromagnet can also work, but with modern drives you’ll need a very strong magnetic field. In fact, unless the degausser is strong enough to physically damage the drive, data on the drive will likely remain readable. Not the preferred solution for those who want to reuse the drive.

For those who don’t want the drive reused, drilling or punching one or more holes through the drive seems like it should work well. After all, it physically destroys parts of the disk, disables the electronics, and fills the disk with debris that should render the drive inoperable even if someone repairs the electronics. However, I worked with an organization that used this procedure and inadvertently destroyed some drives with critical information that hadn’t been backed up yet. We sent the drives to a drive recovery service called Drive Savers, and they were able to disassemble the drives in a clean room, clean the platters, re-assemble the platters into a new drive chassis, and recover a large percentage of the information.

The ultimate data protection strategy is running the disk through a purpose-built hard drive shredder, which is like a wood chipper on steroids. This physically destroys the entire disk, ensuring that data can’t be recovered. But of course the machine to do this is expensive, and it prevents recycling of the drives. More affordable drive destroyers, which bend the drive 90 degrees at the turn of a crank, are also available.

As a fairly paranoid sysadmin myself, I would put into place a three-tier policy for dealing with drives being removed from systems. If the drive was inoperable, I’d physically destroy the drive to ensure that data couldn’t be recovered by repairing the drive. If the drive was operable and being re-purposed internally, I’d reformat it, or overwrite every block a couple of times if the drive was in a high-security system, such as HR, accounting, or sales. If the drive was operable and being sold or donated either singly or in a PC, I’d overwrite every block at least five times.

The critical issue to address is not just the security policy, but classifying your internal systems according to the nature of the data on them and how likely that data is to be lost. If all files are stored on servers and the only things on the PC’s disk are the OS and applications, there isn’t likely to be much sensitive data. A PC being used by accounting or HR, on the other hand, could have a lot of sensitive data on it, and you should have a specific policy that addresses securely disposing of drives before one gets lost.