New Toshiba Drives Wipe Data When Turned Off 239
CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."
Lots of uses for this technology... (Score:5, Insightful)
I can see this used not just in copiers where temporary files need to be zapped for privacy reasons, but in a number of other places:
1: Photo kiosks. /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.
2: Documents stored on public access computers.
3: Medical terminals used for X-ray viewing.
4: Cash register terminals for storing CC data.
5: CCTV DVRs. If a video time frame needs flagged for long term copying, it is.
6: Proxy/sendmail log servers where logs don't have to be kept for longer than it takes to check if there is an intrusion.
7: Temporary scratch space for a database server, say to pack and unpack normally encrypted BLOB/CLOB data.
8: A special hard disk just for
9: Temporary scratch space when unarchiving data and putting it on a secure partition or tape drive. For example, getting data from tape or another site, storing it temporarly to get a machine to restore locally.
10: A machine set up and automatically imaged for guests to browse the Web.
11: A machine set up and autoimaged in a student computer lab. This way, a power cycle ensures that private data is not recoverable from the previous student.
12: Drives set up for swap. This way, a power cycle removes all traces of a virtual machine's paging.
13: Community clouds, where a VM is cloned to the drive, used to give better capacity, then shut down and the drive cycled so the next user on that drive doesn't have access to the previous user's data.
14: A place to decode encryption keys temporarly pulled out of a HSM to be copied to another source.
15: Airport X-day machines so the private pictures of people stay private.
Re:Lots of uses for this technology... (Score:5, Funny)
I guess it was either that, or telling everyone they were holding it wrong.
IT Crowd... (Score:3, Funny)
"Have you tried turning it off and on again?"
Re: (Score:3, Funny)
17. More Porn.
Lets not be shortsighted.
Re:Lots of uses for this technology... (Score:5, Funny)
16. Porn.
17. More Porn.
Lets not be shortsighted.
Take your own advice. Do you think any self respecting slashdotter is going to put his porn on a drive that erases itself when poweres down? Heck most of us won't trust our collection to anything short of RAID6!
Re:Lots of uses for this technology... (Score:4, Funny)
Raid 1+0 here. When you gotta have it, you gotta have it. Access delays not allowed.
Re: (Score:3, Funny)
You power down your machines?
Re:Lots of uses for this technology... (Score:5, Funny)
I haven't calculated the odds of both of the UPS units and the generator attached to the porn cluster failing at the exact same time, but that's just not a chance that I'm willing to take.
I almost facepalmed.. (Score:2)
Heck most of us won't trust our collection to anything short of RAID6!
My porn collection, along with all my other documents and media is on a RAID-6 array.
...Along with my massive collection of confiscated geek cards.
Re:Lots of uses for this technology... (Score:5, Funny)
Do you think any self respecting slashdotter is going to put his porn on a drive that erases itself when poweres down?
It depends on the country and the subject of the pornography. Some countries persecute and/or prosecute people who collect erotic pictures of some subjects.
Re: (Score:3, Insightful)
Re: (Score:2)
Most of that stuff would be better off with a tmpfs. You should already be doing that with /tmp in mos cases.
10 and 11 should just be PXE booted machines with no discs.
Re: (Score:2)
Any normal filesystem will go a long way to ensure the data is securely on the disk, forcing flushes after a short time, making multiple writes first to the journal, then to data sectors, then to metadata to ensure everything is consistent. That's utterly wasteful for /tmp/ -- with tmpfs, there won't be a single disk access in a vast majority of cases.
I don't get why most distributions don't have /tmp/ on tmpfs by default. Just enlarge the default swap size by what is expected for /tmp/, to make sure max
tmpfs just folds these into item 12 (Score:3, Insightful)
[Put] /tmp/ on tmpfs [and] enlarge the default swap size by what is expected for /tmp/, to make sure max virtual memory capacity doesn't suffer.
Once you start using tmpfs, sensitive information will accumulate in the swap file. This makes pseudo-volatile drives like these even more suited for item 12 (swap).
Re: (Score:2)
Don't worry, they will pass a law that prohibits this technology... Privacy is obsolete, so they say.
Re: (Score:2)
Instead of making a special hard disk just for this application, why not just change the code of these embedded devices to delete this data?
deep freeze is better then reimage on boot faster (Score:2)
deep freeze is better then reimage on boot as it is much faster. You need a fast sever + good network + a fast HDD on the pc to make autoimaga on boot not be a big slow down and this also makes it so each windows update that needs reboot a new images. Deep Freeze can be set up to go into a mode there you can install updates and keep them after reboot and then go back to the reset on reboot mode + you can have a user area that does not get wiped out as well.
Re:deep freeze is better then reimage on boot fast (Score:4, Insightful)
and to reply to OP, this tech really doesn't have as many uses are you say. It is really only useful for sensitive data. You can use it for
Re: (Score:2)
or PXE boot, then have /home be a tmpfs. That can be nice and fast if you have the rest of the OS on NFS or ISCSI, plus you remove one more part that can fail.
Re: (Score:2)
Of course if it only removes the key, the data is still there. The user may not be able to access it but who says someone else can't?
Maybe they should make flash drives designed to be put in a microwave oven.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
I recall a story about so-called AES encrypted thumb drives. While the hardware symmetric key was encrypted with AES, the actual 'encryption' of the data stored in the memory itself was nothing more the XORing the data with the secret key. Not terribly secure. Is this Toshiba drive actually doing any sort of decent encryption that losing the key is significant?
What makes this any more secure than Bitlocker or other similar whole drive/partition encryption with a passphrase?
Re: (Score:3, Informative)
The key only known to the drive, the owner doesn't know it.
Re: (Score:2)
Not really. You expect /tmp to *exist but be empty* after reboot.
With such a disk you'd at least have to repartition and mkfs somewhere early in the boot sequence.
I see all kinds of problems.
Re: (Score:2)
With such a disk you'd at least have to repartition and mkfs somewhere early in the boot sequence. I see all kinds of problems.
When /tmp uses tmpfs, it's redirected to swap. What kind of problem do you foresee with such a "quick format" of the swap partition on boot?
Re: (Score:2)
Anywhere where someone doesn't have a Hot Plug [wiebetech.com]. I'm also curious what the behaviour is if someone leaves the power on but plugs the sata into a different computer.
Re:Lots of uses for this technology... (Score:4, Insightful)
You've got some redundancy in your list there!
Congratulations... (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Not necessarily - you can still read the contents of RAM relatively accurately for up to ten minutes [freedom-to-tinker.com] after the power goes out as long as you're quick about extracting the sticks and applying some cryogenics (a spray from an upside-down can of compressed air works pretty well). Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecovera
what if the head is in sleep mode so no momentum a (Score:2)
what if the head is in sleep mode so no momentum and then power is lost?
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecoverable.
The KISS principle suggests that they would use a capacitor.
Re: (Score:2)
No, actually each drive comes with a build in cat, gerbil and a baloon, when the drive is powered down the cages to each animal are opened and the cat chasing the gerbill in the closed area will generate enough static electricity rubbing against the baloon to wipe the key.
Pure and simple, no fancy faulty capacitor to ruin your day.
Re: (Score:2)
No, actually each drive comes with a build in cat, gerbil and a baloon, when the drive is powered down the cages to each animal are opened and the cat chasing the gerbill in the closed area will generate enough static electricity rubbing against the baloon to wipe the key.
Pure and simple, no fancy faulty capacitor to ruin your day.
Not but a faulty cat will ruin your day, at least capacitors don't have claws.
Re: (Score:2)
Well they do have two sharp points...
Re: (Score:3, Informative)
Always mount a scratch cat.
Re: (Score:2)
You're probably right, especially since this is probably not going to be used in spinning media. I just think the concept of converting disk momentum back into electricity in order to power emergency shutdown maneuvers is so awesome I had to put it in there.
Re: (Score:2)
I just think the concept of converting disk momentum back into electricity in order to power emergency shutdown maneuvers is so awesome I had to put it in there.
As I understand it, drives already do this to park the heads on an unused track.
Re: (Score:2)
The KISS principle suggests that they would use a capacitor.
The Doc Brown principle suggests that they would use a flux capacitor!
Re: (Score:2)
Or they could just install a capacitor, which is what's typically done for dying-gasp circuits. It's not like you need 4kJ to overwrite 4K of RAM, particularly if you design a circuit with rapid reset in mind -- for example, DRAM could be built with the ability to connect all its capacitors to a drain simultaneously (or in big chunks) rather than one word at a time.
Re: (Score:2)
In a way you are right. A software approximation of this technology is having a RAMdisk, creating a TC volume on the hard disk that stores the keyfile on the RAMDisk, and when the machine is rebooted, the old TC volume and the keyfile that unlocks it is recreated.
Re:Congratulations... (Score:4, Funny)
Re: (Score:2)
You invented random-access memory. Good job!
Not quite... this doesn't include the random part. Call it 'Sequential Access Volatile Memory': includes all the bad of RAM, and all the bad of HDD!
Re: (Score:2)
Re: (Score:2)
Murphy's Law (Score:4, Interesting)
Re: (Score:3, Informative)
A bether solution would be this automated self destructing HD that can be remotely destroyed :D
"The Enhanced Hard Drive solves the problem of computers that are lost or stolen. A new hard drive feature will become the last word in data protection. A destruction technology is imbedded in the hard drive casing and can be initiated by as many as 17 remote triggers. Once deployed, the data stored on the disks is destroyed beyond forensic recovery. The process is non-toxic, non-combustible and does not cause any
My kingdom for a UPS (Score:2, Interesting)
I find this hard to believe (Score:2)
Re:I find this hard to believe (Score:4, Interesting)
Re: (Score:3, Informative)
dban is great, but is slow. Wiping a 500gb drive takes several hours at least.
Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.
Re: (Score:3, Interesting)
Re:I find this hard to believe (Score:4, Informative)
But about file system journals. It's a bit much to say "any file system" besides ext2 defeats shred. The concern is this: If file data is committed to the journal first, rather than the filesystem proper, the only way shredding is secure is to shred a file that's larger than the journal. Otherwise, multiple overwrites of file data are actually going to the journal, where they'll be analyzed, all but the last overwrite will be canceled, and the file data in the filesystem ends up with only a single overwrite.
Part of the purpose of shredding a file, is to overwrite the residual magnetic flux between tracks on a platter. Multiple overwrites on the platter will do this; shred used to do 25 overwrites by default, which was good enough for DoD secure erasure requirements. However, a FS journal would defeat this on a file that was less than 1/25 the size of the journal.
Ext3/4 can do this, but not by default; the default is "ordered" mode, where file data goes directly to the FS, and then its metadata goes to the journal. A mount option can change this temporarily, and "tune2fs" can change the mode persistently.
XFS and JFS journal only metadata, so shredding a file on those FS's is safe. You can verify this with an external journal on a different drive, then watch where the activity is during a shred. It isn't in the journal.
OTOH, log-structured file systems like Btrfs may or may not erase the data in place; if the data is part of a snapshot, then later overwrites don't remove the snapshot.
Yes, this is a lot to think about.
correction (Score:2)
Re: (Score:3, Informative)
Most of modern filesystems don't put the new data into the old place. This is most prominent on JFFS (which is mostly the entire reason for it), then, in a decreasing order: btrfs, reiserfs, jfs, ext[34]. And on old filesystems on flash, you'll often have an underlying layer that does wear-levelling. Also, if there's any copy-on-write, tail packing, snapshots, etc, involved, shred will most likely be defeated as well.
Re: (Score:2)
Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.
That's why you copy files you want to keep onto another partition, then run shred on the original partition's block device, then recreate the filesystem.
Re:I find this hard to believe (Score:5, Informative)
>Wiping a 500gb drive takes several hours at least.
Not really. The problem is that everyone picks some zany wiping scheme. Those Gutmann patterns don't even make sense with any modern drive. All you really need to do is zero the drive once. It doesn't take that long. I have yet to see a recovery from a drive that's been zero'd out. Anything past one pass of zeros is just extra credit.
Re: (Score:3, Informative)
Are you defending against someone with a magnetic force microsocope?
Yes, see Overwriting Hard Drive Data: The Great Wiping Controversy [vidarholen.net]. Even with a magnetic force microscope, one pass is plenty. You can correctly identify a bit overwritten once with a probability of 0.56, up from 0.50 when randomly guessing. That's a 1% chance of correctly identifying any given byte.
Re:I find this hard to believe (Score:5, Informative)
This has been covered to death here [slashdot.org] on slashdot [slashdot.org], but basically one pass of /dev/random will pretty much take care of wiping a drive. Drive recovery companies will tell you that the hypothetical bit-by-bit recovery is possible, but is so ungodly costly that it's not worth doing unless there's something REALLY important on the drive (like pictures of your mom [xkcd.com]). If you're really paranoid, don't waste your time with shred, just dd if=/dev/urandom of=/dev/hda twice and call it a day. Shred takes F O R E V E R and really provides nothing more than a nifty status bar. If you're SUPER paranoid, dd the drive twice and yank the platters, play frisbee, build a tesla turbine [instructables.com] or simply scratch the hell out of them and chuck them in the recycle bin.
Re: (Score:3, Insightful)
Re: (Score:2)
I remember it being proven that even a single pass of running your drive over with 0's using dd is enough. There is even a prize for anyone who successfully figures out how to recover a zeroed out disk. Was on ./ not too long ago.
Re: (Score:2)
First, create the file system with "mkfs.jfs -j
Create a large-ish file: "dd if=/dev/zero of=/mnt/zeros bs=1048576 count=96". Run "sync" to flush buffers.
Now, if anything about that file besides its own file data changes, it'll go to the journal first. That includes file rel
Re: (Score:2)
As long as it can guaranteed stay encrypted out past the statute of limitations I think that it will be fine for legal/illegal purposes. AKA: Sure they're going to come up with better decryption methods and better supercomputer/cloud compute power but if in its current state it'll take big blue 1000 years to decrypt it, I think its safe to say its not going to be decrypt-able in any sort of time frame that would be relevant to anyone living today. 100 years of estimated big blue time to brute force it would
Re: (Score:2)
There is no statute of limitations when it comes to a fraud upon the court, which includes knowingly withholding evidence.
Re: (Score:2)
The beauty of the situation is that it seems to me that the drive can be set up so that even if you wanted to you can't possibly retrieve the data, thus the statute would still apply.
Re: (Score:2)
I thought about it for a second after hitting the submit button and remembered that if they do decrypt it afterwards and find criminal material they can still prosecute as long as its for a new crime. At least in Canada. Don't know about anywhere else. The Civil suit would be history however.
As the other respondent said though, you'd likely be too dead to care by then.
It's just a RAM disk then? (Score:3, Insightful)
Re: (Score:2)
Remember RAM disks?
Is that an operating instruction?
Re: (Score:3, Funny)
Remember RAM disks?
Is that an operating instruction?
Yes. In context, it means "speculatively load what you know about the basics of RAM file systems".
Re: (Score:3, Informative)
Not a problem with a tmpfs on a beefy server.
RAM disks (Score:2)
Using ramfs as an alternative to tmpfs means that you lose the ability to stipulate a maximum size, and it can grow to exhaust all available memory in the system. Because ramfs won't page out, I presume it is quite possible to take down the entire machine in such circumstances.
It's sad that MacOS (pre-X) had the problem solved 15 years ago by allowing the creation of a fixed size RAM disk th
Re: (Score:2)
You need to buy more ram, if you ever find swap in use that is just a sign to buy more ram. Stuff is dirt cheap these days.
Information, please. (Score:2)
The Computer Word story is light on details. No surprise there.
How is your data protected against accidental deletion - hardware failure, power outages, etc?
Re: (Score:2)
Sounds like it isn't. If the power fails, the data's gone. I'm guessing this is really only useful for applications where you really don't want to preserve data past a power outage (such as spooled documents on a networked office printer, or some other weird high-security application where they're actually worried about people reading the RAM (on a ramdisk) using cryogenic methods).
Re:Information, please. (Score:5, Informative)
All the articles are pretty poorly written, and the Computer World article misquotes the Toshiba press release
Computer World
Drives with the technology will go into hard drives for laptops and desktops.
Toshiba
But lost or stolen notebooks are not the only security risk that IT departments must address. Today, most office copier and printing systems utilize HDD capacity and performance to deliver a highly productive document imaging environment. Many organizations are now realizing the critical importance of maintaining the security of document image data stored within copier and printer systems.
Toshiba is selling these drives as a method for securing scanning copiers. Many of the current copiers hold onto everything that is copied or scanned indefinitely leaving a gaping security hole. The new SED drives encrypt their contents and then wipe the key when the drive powers down leaving the data intact, but no meaningful method for recovering it. If a thief tries to yank a SED drive out of a copier, it automagically wipes it. If part of your security procedure is to shut down the copiers each night, your daily load of potentially secure documents and copies of Bob's butt are also automagically wiped.
Clearly, this type of technology would be worthless in a notebook or any other type of PC. You'd always be running from outlet to outlet to save your data. It'd be an IT version of that terrible Jason Statham movie Crank 2: High Voltage. Shudder.
Re: (Score:2)
Only one problem: the filesystem gets wiped along with the data. When these drives are powered off, they aren't just blank drives they become unformatted drives as far as the copier's concerned. And I really doubt those copiers have the brains to automatically handle an unformatted drive.
Their drives have self erased for years (Score:2)
Their laptop hard drives have been self erasing for years via head crashes and other catastrophic malfunctions. Absolutely horrible laptop hard drives.
That's nothing... (Score:2)
Oh really? (Score:2)
SED? (Score:5, Funny)
It's my favorite electronic component, but the only problem is that they only work once.
Re: (Score:2)
Yeah, that's great journalism (Score:5, Insightful)
My bet is on the usual baked-in drive encryption, very badly described.
Re: (Score:2)
It could be intended for use as a tmp/swap drive.
True, it /could/ (Score:3, Insightful)
Piffle. (Score:2)
Re: (Score:2)
No, Maxtor drives wiped all your data without even having to power the thing down. That's even better!
Not deleted, encrypted (Score:5, Interesting)
From the scant details in the article and summary, it appears that the drives are encrypted, and the "wipe" consists of getting rid of the encryption key.
Calling that a "wipe" is rather misleading in my opinion. Toshiba's in for one hell of a liability issue if their encryption is ever cracked -- though I'm sure they'll take care of all that in the fine print.
Re: (Score:3, Insightful)
Toshiba's in for one hell of a liability issue if their encryption is ever cracked
A meaningful crack for industry-standard ciphers such as AES would make just about every firm in the IT world "in for one hell of a liability issue".
"...invalidates a hard-drive security key..." (Score:3, Insightful)
Well, the local copy, anyway...
I'm impressed (Score:2)
I've never had a drive that did ANYTHING after it was powered down.
This is a tremendous advance. And I RTFA, and it doesn't offer me much of an explanation.
How can they guarantee security? (Score:3, Interesting)
This is a good step forward for general security.
How could you trust this 100%? Without the firmware (and some way to verify it), this likely could / does contain backdoors.
For the children, you see.
I don't see a major improvement over well set up truecrypt partitions.
30 second idea for a better approach (Score:2)
Frags your drive on power loss, eh? Yeah, nothing could go wrong there.
How about this. It sounds like all you're really killing is the stored key. Instead of fooling around with what amounts to a RAM chip, why not take a lesson from floppy disks? Back in the day, when you were done writing to a disk there was a little tab you would break and then the disk would be permanently read-only (unless someone used tape). Why not store the key in a little thing that you break off? If you wanted to get really fancy,
An even more secure solution (Score:2)
Re: (Score:3, Informative)
According to the article, it uses this "Opal" storage spec. (didn't find it on wikipedia..)
Below from: http://www.trustedcomputinggroup.org/resources/storage_application_note_encrypting_drives_compliant_with_opal_ssc [trustedcom...ggroup.org]
Storage Application Note: Encrypting Drives Compliant with Opal SSC
This document provides examples of the communication between a host and a storage device implementing the TCG Storage Security Subsystem Class: Opal SSC and the TCG Storage Architecture Core Specification.
Examples are provided f
Re: (Score:2)
Considering that there are 256 values possible for a given byte that's not quite as useless as one would think.
Re: (Score:2)
Nope, if they want your data they keep the machine one by splicing into the power outlet.
Re: (Score:2)
Even multiple truecrypt partitions could offer something similar. They can't tell how many levels deep something like that goes.