Troubleshooting
Data Sanitization: Secure Erase vs Instant Secure Erase
March 3, 2016
3 min read
Data Sanitization: Secure Erase vs Instant Secure Erase
Secure erase (SE) and instant secure erase (ISE) are two popular types of data sanitization.
Secure erase is essentially a set of commands in the firmware of more modern PATA and SATA hard disks that allows for complete data overwrite of a hard disk. There are many utilities, software, and packages that can erase data securely, however the main difference is that SE is supported by the National Institute of Standards and Technology (NIST) as an acceptable way of sanitizing data. This does not mean that other sanitization methods should not be used, it simply means that secure erase should be enough to delete data from hard disks. Secure erase is also only accessible through software that can interface directly with the disks as well. The firmware typically allows for two types of commands; overwrite, and block erase. Overwrite writes over the data with binary 1’s and 0’s to not only erase data but make it unable to be restored. Secure erase only performs one cycle of data overwrite as accepted by the NIST. It is also worth noting that the US Department of Defense requires four cycles according to Hewlett-Packard. This is because the NIST standard is meant for erasing unimportant data effectively, but can still be partially salvaged with high-end data recovery methods. To fully destroy all data, more than one overwrite may be necessary. Block erase is essentially the same thing except exclusive for solid state drives (SSD), “electrically” erasing each block of the drive.
While SE might seem to do the acceptable bare minimum for data sanitization, it is widely used because the data sanitization comes from the hard disk itself. The firmware allows for the drive to sanitize itself, and as a result the sanitization is fairly quick compared to other methods which use software to write over data.
Instant secure erase is a super-set of secure erase and utilizes encryption to make data unreadable. Instant secure erase contains the commands of secure erase but also adds a "crypto" erase (CE) command. This command can be utilized by both hard disks and solid state drives if available. With ISE each disk creates a cipher key that is used to encrypt data as it is being read or written. When the crypto command is accessed, the cipher key is destroyed and all data on the disk is unable to be read. Because there is no need to overwrite the data, ISE only takes a few milliseconds to make the disk unreadable compared to other sanitization methods which can take several hours depending on the number of passes and the size of the disk. Instant secure erase is also supported by the NIST (under cryptographic erase), and usually coupled with the FIPS (Federal Information Processing Standard Publication) 140-2 level 2 certification that provides at rest data tamper protection. It is important that any hard disk with ISE also have this certification. Major hard disk brands should offer the certification such as HGST and Seagate, but it does not seem to be a requirement for data sanitization.
All in all, both data sanitization methods provide effective data erasure. Instant secure erase is quicker, but limited to only the most modern drives (specific models that came out after 2014). ISE is also less secure as the cipher key needs to be protected as well. Secure erase is slower than ISE, but SE is also much quicker than other data sanitization methods with the added bonus of being more accessible than ISE, but both methods are comparable and should be utilized by any business with data storage.
Troubleshooting
Data Sanitization: Secure Erase vs Instant Secure Erase
March 3, 20163 min read
Data Sanitization: Secure Erase vs Instant Secure Erase
Secure erase (SE) and instant secure erase (ISE) are two popular types of data sanitization.
Secure erase is essentially a set of commands in the firmware of more modern PATA and SATA hard disks that allows for complete data overwrite of a hard disk. There are many utilities, software, and packages that can erase data securely, however the main difference is that SE is supported by the National Institute of Standards and Technology (NIST) as an acceptable way of sanitizing data. This does not mean that other sanitization methods should not be used, it simply means that secure erase should be enough to delete data from hard disks. Secure erase is also only accessible through software that can interface directly with the disks as well. The firmware typically allows for two types of commands; overwrite, and block erase. Overwrite writes over the data with binary 1’s and 0’s to not only erase data but make it unable to be restored. Secure erase only performs one cycle of data overwrite as accepted by the NIST. It is also worth noting that the US Department of Defense requires four cycles according to Hewlett-Packard. This is because the NIST standard is meant for erasing unimportant data effectively, but can still be partially salvaged with high-end data recovery methods. To fully destroy all data, more than one overwrite may be necessary. Block erase is essentially the same thing except exclusive for solid state drives (SSD), “electrically” erasing each block of the drive.
While SE might seem to do the acceptable bare minimum for data sanitization, it is widely used because the data sanitization comes from the hard disk itself. The firmware allows for the drive to sanitize itself, and as a result the sanitization is fairly quick compared to other methods which use software to write over data.
Instant secure erase is a super-set of secure erase and utilizes encryption to make data unreadable. Instant secure erase contains the commands of secure erase but also adds a "crypto" erase (CE) command. This command can be utilized by both hard disks and solid state drives if available. With ISE each disk creates a cipher key that is used to encrypt data as it is being read or written. When the crypto command is accessed, the cipher key is destroyed and all data on the disk is unable to be read. Because there is no need to overwrite the data, ISE only takes a few milliseconds to make the disk unreadable compared to other sanitization methods which can take several hours depending on the number of passes and the size of the disk. Instant secure erase is also supported by the NIST (under cryptographic erase), and usually coupled with the FIPS (Federal Information Processing Standard Publication) 140-2 level 2 certification that provides at rest data tamper protection. It is important that any hard disk with ISE also have this certification. Major hard disk brands should offer the certification such as HGST and Seagate, but it does not seem to be a requirement for data sanitization.
All in all, both data sanitization methods provide effective data erasure. Instant secure erase is quicker, but limited to only the most modern drives (specific models that came out after 2014). ISE is also less secure as the cipher key needs to be protected as well. Secure erase is slower than ISE, but SE is also much quicker than other data sanitization methods with the added bonus of being more accessible than ISE, but both methods are comparable and should be utilized by any business with data storage.
