Posted by: Ken Harthun
Data destruction, Encryption, Security
My company serves as the IT department for several medical, legal, social service, and banking organizations in our area. I don’t have to tell you that every one of these organizations deals with information that falls under various government data security and privacy acts. Every one of these organizations depends on and expects us to put in place measures to protect their data. In other words, if they suffer a breach, they’re going to assign responsibility to us on some level. So, when I decommission a server or PC, I take steps to make sure that no one is going to be able to read anything off the hard drives. Call me paranoid, but consider this: seven in 10 secondhand hard drives still have data. What’s one to do?
It’s well known that simply wiping out partitions and re-formatting drives doesn’t erase anything. It’s equally well known that overwriting every sector with pseudo-random data is considered a secure method of erasure. I give you a two-step approach that may be overkill, but is certainly a procedure that any court would consider a mitigating factor if I or my company is accused of negligence. (I work in a Microsoft environment, so that is the context here.)
Step one is to install TrueCrypt 5, (my hands-down favorite) or another full-drive encryption program, and perform the steps for full-drive encryption; this effectively writes pseudo-random noise to every sector of the hard drive. (Don’t fret about the 20-character password TrueCrypt warns you about–just type “password.” You’re not worried about logon security; you just want to encrypt the hard drive.) This one-pass encryption is probably sufficient for a home PC hard drive, but not for anything else.
Step two is to run a disk erase program that overwrites every sector with pseudo-random bits. I use Darik’s Boot and Nuke (DBAN), without question a best-of-breed open source program. One pass auto-wipe should be sufficient since you’re overwriting what already amounts to pseudo-random noise (created by TrueCrypt) on the hard disk.
After this treatment, any adversary would find it virtually impossible to recover anything usable off of the drive. Give it away, sell it on eBay, do whatever.
And have a good night’s sleep.