Secure Erase

From NComputing Knowledge Base

When NoTouch OS is installed, i.e. written to the hard drive or flash drive of the target system, it overwrites whatever is there (typically an old Windows installation on PCs, or a proprietary Linux or embedded Windows on Thin Client boxes). Since the NoTouch image is relatively small, only a small portion of the drive is actually overwritten. To make sure that every accessible block really gets overwritten, the NComputing GENESIS installer has an option to "wipe" the disk. This is a sophisticated feature that usually requires extra software.

Many organizations do not securely erase the hard drive before installing NoTouch simply because their business process already has hard drives physically destroyed the moment a PC is trashed. That is fine; NoTouch Secure Erase is a feature you can decide to use or not.

Traditionally, a secure wipe was done by overwriting the disk several times, to make sure that no data stays recoverable even after the delete (the problem of data remanence). A plain overwrite from the operating system may be tempting, but it is in fact dangerous: for example, the drive's microcontroller and its firmware automatically exclude bad blocks from the region the OS sees, so an OS-level overwrite never touches their contents. The ATA Secure Erase command makes the drive's firmware erase the drive itself, including such inaccessible regions. A safe procedure like the one implemented in NoTouch does both.

Please do not use Secure Erase on Thin Client devices, at least not without prior consideration. First, the benefit is questionable, since Thin Clients are supposed to hold no user data at all, so there is little to gain from securely erasing a legacy Thin Client OS. Second, some manufacturers' flash modules may not support secure erase; in the worst case the flash module is destroyed.

Secure Erase in NoTouch

NoTouch implements the secure erase in two steps:

  1. Issue an ATA Secure Erase command to the drive.
    • The drive's firmware then erases the drive, which can take hours.
  2. Overwrite the disk with binary zeros.
    • This may seem redundant, but it safeguards against bugs in the drive's firmware. This can also take hours.

Remember, a secure erase takes a long time; four to eight hours is not uncommon. You can easily predict how long a secure erase takes: take the average write speed (say, 20 MB/s), divide the drive's capacity by that speed, and multiply by two (as there are two passes). A 100 GB drive needs 5000 seconds for one pass to complete, thus 10000 seconds for both steps, which translates to roughly 2 1/2 hours; with some extra margin, as a rule of thumb, say three hours in this case.
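The two-step procedure above, written out as a shell script, is an added example and not NoTouch or GENESIS code. It implements the time estimate from the previous paragraph, issues the ATA Secure Erase through hdparm (using the same temporary password "p" that the unlock commands in the recovery section use), zero-fills the device, and then adds the check a practitioner wants after step 2: a read-back pass that confirms every byte of the device is zero. The device path, the assumption that hdparm and blockdev are installed, and the assumption that the drive is not in the "frozen" security state are all the example's own.

```shell
#!/bin/sh
# Added example (not NComputing code): ATA Secure Erase followed by a zero
# overwrite, with the page's time estimate and a read-back verification.
# Assumptions: hdparm and blockdev are installed, the script runs as root,
# and DEV is a drive you intend to wipe completely.

# Seconds for PASSES full passes over CAPACITY_GB at MBPS MB/s, using the
# page's rule of thumb (1 GB = 1000 MB).
estimate_seconds() {
    capacity_gb=$1; mbps=$2; passes=$3
    echo $(( capacity_gb * 1000 / mbps * passes ))
}

# The same figure in hours, rounded up to the next full hour as the "margin".
estimate_hours_rounded() {
    secs=$(estimate_seconds "$1" "$2" "$3")
    echo $(( (secs + 3599) / 3600 ))
}

# Step 1: ATA Secure Erase. The firmware erases every sector, including
# remapped ones the OS cannot see. hdparm requires a user password to be set
# first; the drive clears it again once the erase completes.
ata_secure_erase() {
    dev=$1
    hdparm --user-master u --security-set-pass p "$dev"
    hdparm --user-master u --security-erase p "$dev"   # blocks until done; hours
}

# Step 2: overwrite from the OS side with binary zeros, guarding against
# firmware bugs. dd exits non-zero with "No space left on device" when it
# reaches the end of the device, which is the expected outcome here.
zero_fill() {
    dev=$1
    dd if=/dev/zero of="$dev" bs=4M status=progress || true
    sync
}

# Check: every byte of DEV must now read as zero. Compares the device against
# an equally long stream from /dev/zero; cmp prints the first differing byte
# offset and the function returns non-zero if anything survived.
verify_zeroed() {
    dev=$1
    if [ -b "$dev" ]; then
        size=$(blockdev --getsize64 "$dev")
    else
        size=$(wc -c < "$dev" | tr -d ' ')   # regular file, e.g. a disk image
    fi
    head -c "$size" /dev/zero | cmp - "$dev"
}

# Usage: sh secure-erase.sh /dev/sdX  (only acts when given a block device)
if [ $# -gt 0 ] && [ -b "$1" ]; then
    echo "estimated: about $(estimate_hours_rounded 100 20 2) hours for a 100 GB drive at 20 MB/s"
    ata_secure_erase "$1" && zero_fill "$1" && verify_zeroed "$1" && echo "$1: all bytes zero"
fi
```

`verify_zeroed` also works on a regular file, which is how you can test it on a disk image before trusting it on real hardware; on a live drive it reads the whole device once more, so budget a third pass worth of time for it.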

Recovering from an interrupted secure erase

If for some reason a secure erase is interrupted during the first step, i.e. while the drive is executing the ATA Secure Erase command, the drive will be locked and inaccessible. You might not be able to enter the GENESIS installer again, as it will complain about not finding a target disk. You can, however, easily unlock the drive:

  1. Boot into Live Boot
  2. Open the Configuration application and log in
  3. Execute the "Console" (from the menu list on the left) and type in these commands (case-sensitive, spaces do matter):
     hdparm --user-master u --security-unlock p /dev/sda
     hdparm --user-master u --security-disable p /dev/sda

After that, reboot into the installer and re-run the installation.
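The following script is an added example, not NComputing code, that wraps the two unlock commands above with a check of the drive's security state first, so they are only issued when the drive really is locked. It reads the "Security:" section of `hdparm -I` output, which lists `enabled`, `locked` and `frozen` (or `not enabled` etc.) on their own lines, and refuses to act on a frozen drive, since the drive rejects security commands in that state until it is power-cycled or hot-plugged. The device path and the password "p" are the page's placeholders; the two sample `hdparm -I` excerpts are constructed in that format (real output indents with tabs, which the patterns accept as well).

```shell
#!/bin/sh
# Added example (not NComputing code): unlock a drive left locked by an
# interrupted ATA Secure Erase, checking `hdparm -I` first.

# Parse the "Security:" section of `hdparm -I` (on stdin) and print the
# flags that are set, e.g. "enabled locked", "frozen", or "clear".
security_state() {
    awk '
        /^Security:/            { insec = 1; next }
        insec && /^[^ \t]/      { insec = 0 }        # next top-level section
        insec && /^[ \t]+not[ \t]+/ { next }         # "not enabled", "not locked", ...
        insec && /^[ \t]+enabled$/ { enabled = 1 }
        insec && /^[ \t]+locked$/  { locked = 1 }
        insec && /^[ \t]+frozen$/  { frozen = 1 }
        END {
            s = ""
            if (enabled) s = s "enabled "
            if (locked)  s = s "locked "
            if (frozen)  s = s "frozen "
            if (s == "") s = "clear "
            sub(/ $/, "", s); print s
        }'
}

# Issue the page'"'"'s two hdparm commands only when they apply.
unlock_drive() {
    dev=$1
    state=$(hdparm -I "$dev" | security_state)
    case " $state " in
        *" frozen "*)
            echo "$dev: security is frozen; power-cycle or hot-plug the drive first" >&2
            return 2 ;;
        *" locked "*)
            hdparm --user-master u --security-unlock p "$dev" ;;
    esac
    case " $state " in
        *" enabled "*)
            hdparm --user-master u --security-disable p "$dev" ;;
        *)
            echo "$dev: security not enabled, nothing to do" ;;
    esac
}

# Constructed sample in the format of `hdparm -I`: a drive left locked after
# an interrupted erase (indented with spaces here; real output uses tabs).
SAMPLE_LOCKED='Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Constructed sample: a healthy drive whose BIOS froze the security feature.
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
Checksum: correct'

# Usage: sh unlock-drive.sh /dev/sdX  (only acts when given a block device)
if [ $# -gt 0 ] && [ -b "$1" ]; then
    unlock_drive "$1"
fi
```

Running `hdparm -I /dev/sda | security_state` by hand before and after the two commands is a quick way to confirm the drive went from `enabled locked` to `clear` before you reboot into the installer.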

(Should, in an extremely rare case, the hard disk or flash module not be usable again, there is no way around it other than the manufacturer's warranty. This is indeed a legitimate warranty claim, as using a well-documented and specified API like ATA Secure Erase can hardly be the customer's fault. If a drive does not implement ATA Secure Erase, its firmware should reject the command rather than do "something".)