Written By Abhishek Jain
Updated on Apr 30, 2022
Data encryption is an added layer of security that prevents unauthorized access to sensitive information stored on drives. But is it possible to wipe media that holds encrypted data? This article answers the common questions about drive encryption, its erasure, and how to reuse drives after data sanitization.
Encryption is the technique of converting data from plaintext (unencrypted) to ciphertext (encrypted), an unreadable form, in order to prevent unauthorized access. Encrypted information cannot be read without the encryption key or password. Encryption provides a fortified layer of protection in case unauthorized access to a computer network or storage device is somehow obtained: in that event, the attacker still cannot read the data.
Data can be encrypted on drives via software-based or hardware-based encryption. A software encryption program encrypts data on a storage drive by generating a unique key and storing it in computer memory and on the storage drive. This software-generated key is itself encrypted with a passphrase, which the user must supply to access the encrypted data. When data is written to the drive it is encrypted with the key, and it is decrypted with the same key before being presented to the program or user. Software encryption can be done with native operating system features such as Windows BitLocker, or with other software utilities such as LastPass, VeraCrypt, DiskCryptor, etc.
Sometimes a drive is encrypted by a utility provided by the drive manufacturer. Such drives are known as self-encrypting drives (SEDs), and this is referred to as hardware-based encryption. An SED can be an HDD or an SSD that automatically encrypts data as it is written and decrypts it as it is read. SEDs generate random data encryption keys (DEKs) through an on-board AES encryption chip, which encrypts data on write and decrypts it on read. Unlike software-based encryption, SEDs encrypt the data automatically without any user input. SEDs are highly secure because they operate independently of the operating system and block access by hackers. With hardware encryption, the encryption layer sits between the system BIOS and the operating system: once the system boots, a custom BIOS requests a passphrase from the user to unlock the drive and grant access to its contents.
While encryption is one of the most popular methods of protecting business-critical information from data theft, once an encrypted device is at rest and its data is no longer needed, it is advisable to sanitize the media using data erasure software to prevent data compromise and the adverse impact of a data breach.
To completely wipe a drive with software- or hardware-based encryption, you can use a certified media sanitization tool such as BitRaser. All encrypted data on hard drives and SSDs with software-based encryption can be permanently erased with BitRaser software, which also leaves the drive reusable as a fresh storage device. BitRaser ensures complete eradication of the data, including the operating system. The sanitization pass is then followed by a verification pass that reads back every addressable location on the drive to confirm that the wipe succeeded.
Where the hard drive is locked with a password, the BIOS password must be entered to unlock the drive before erasure can be performed.
SEDs can be sanitized by destroying the cryptographic keys, i.e. the data encryption keys (DEKs), without actually wiping the data stored on the device. Without the key, the data is inaccessible and unrecoverable, which makes cryptographic erasure one of the fastest techniques for sanitizing encrypted data. However, cryptographic erasure has inherent limitations: data can still be recovered through loopholes in the process and through human error. It is therefore not a foolproof method of protecting encrypted data on discarded drives, because the data still physically resides on the storage media and remains exposed.
BitRaser Drive Eraser software erases SEDs by combining cryptographic erase with data overwriting through its NIST 800-88 Purge erasure algorithm, adding a further level of assurance to the sanitization process. It both destroys the encryption keys and overwrites the encrypted data, eliminating the residual exposure of a key-only erase. The digitally generated reports and certificates of destruction act as audit trails and help you meet compliance requirements. BitRaser thus covers wiping encrypted hard drives, SSDs, and SEDs, helping you reuse the drives and achieve sustainability.
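To make the mechanisms in the preceding paragraphs concrete, here is an added example that is not BitRaser's or any drive vendor's code: a toy self-encrypting drive in Python. It models the passphrase-wrapped DEK and pre-boot unlock from the hardware-encryption section, the crypto-erase path (destroy the DEK, leave the media alone), and the overwrite-plus-verification pass over every addressable sector. All names, sector sizes and the sample payload are constructed; the HMAC-SHA256 counter keystream stands in for the drive's on-board AES engine and the XOR key wrap for a real key-wrap mode, neither of which is for production use.

```python
"""Toy model of a self-encrypting drive (SED) and its two sanitization paths:
cryptographic erase (destroy the DEK) and overwrite followed by verification.

Constructed example; not BitRaser's or any drive vendor's code.
"""
import hashlib
import hmac
import os

SECTOR_BYTES = 16   # toy sector size
SECTOR_COUNT = 64   # toy capacity: 64 addressable sectors


def keystream(dek: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream derived from the DEK (stand-in for the AES engine)."""
    out, block = b"", 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(dek, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from the passphrase collected at the pre-boot prompt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


class SelfEncryptingDrive:
    def __init__(self, passphrase: str):
        # Raw media: what a chip-off / forensic read of the platters or NAND sees.
        self.media = bytearray(SECTOR_BYTES * SECTOR_COUNT)
        self._provision_dek(passphrase)

    def _provision_dek(self, passphrase: str) -> None:
        """Generate a fresh on-board DEK; persist only its wrapped form and a check value."""
        self.dek = os.urandom(32)
        self.salt = os.urandom(16)
        self.wrapped_dek = xor_bytes(self.dek, derive_kek(passphrase, self.salt))
        self.dek_check = hashlib.sha256(b"dek-check" + self.dek).digest()

    # --- pre-boot authentication ---
    def lock(self) -> None:
        self.dek = None  # plaintext DEK leaves RAM; the wrapped copy stays on the drive

    def unlock(self, passphrase: str) -> bool:
        candidate = xor_bytes(self.wrapped_dek, derive_kek(passphrase, self.salt))
        check = hashlib.sha256(b"dek-check" + candidate).digest()
        if not hmac.compare_digest(check, self.dek_check):
            return False  # wrong passphrase: the DEK stays wrapped
        self.dek = candidate
        return True

    # --- normal I/O: transparent encryption on write, decryption on read ---
    def write(self, sector: int, data: bytes) -> None:
        if self.dek is None:
            raise PermissionError("drive is locked")
        data = data.ljust(SECTOR_BYTES, b"\x00")[:SECTOR_BYTES]
        off = sector * SECTOR_BYTES
        self.media[off:off + SECTOR_BYTES] = xor_bytes(data, keystream(self.dek, sector, SECTOR_BYTES))

    def read(self, sector: int) -> bytes:
        if self.dek is None:
            raise PermissionError("drive is locked")
        return xor_bytes(self.raw_sector(sector), keystream(self.dek, sector, SECTOR_BYTES))

    def raw_sector(self, sector: int) -> bytes:
        """Bypass the encryption engine: the bytes physically present on the media."""
        off = sector * SECTOR_BYTES
        return bytes(self.media[off:off + SECTOR_BYTES])

    # --- sanitization ---
    def crypto_erase(self, passphrase: str) -> None:
        """Destroy the old DEK by replacing it with a fresh one. The media is untouched,
        so the old ciphertext physically remains; it simply can no longer be decrypted."""
        self._provision_dek(passphrase)

    def overwrite(self, fill: int = 0x00) -> None:
        """Overwrite every addressable sector through the drive's normal write path."""
        for s in range(SECTOR_COUNT):
            self.write(s, bytes([fill]) * SECTOR_BYTES)

    def verify(self, fill: int = 0x00) -> bool:
        """Read back every addressable sector and confirm it holds the fill pattern."""
        expected = bytes([fill]) * SECTOR_BYTES
        return all(self.read(s) == expected for s in range(SECTOR_COUNT))


if __name__ == "__main__":
    drive = SelfEncryptingDrive("correct horse")
    drive.write(3, b"payroll-2022-Q1!")  # constructed sample data
    before = drive.raw_sector(3)
    drive.crypto_erase("correct horse")
    print("plaintext readable after crypto erase:", drive.read(3) == b"payroll-2022-Q1!")
    print("old ciphertext still on media:        ", drive.raw_sector(3) == before)
    drive.overwrite()
    print("every sector verified as zero:        ", drive.verify())
    print("old ciphertext still on media:        ", drive.raw_sector(3) == before)
```

The point the run makes is the one the article draws: after `crypto_erase` the drive no longer returns the plaintext, yet `raw_sector` still holds the original ciphertext, so anything that recovers the old key (a flawed key destruction, a copied backup of the wrapped key) recovers the data. Only the `overwrite` pass physically replaces those bytes, and `verify` is what lets a report state that all addressable sectors were checked rather than assumed.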
You may also want to read our piece on how to perform cryptographic erasure on SSDs, or how to wipe NVMe and M.2 drives. Alternatively, browse our Knowledge Base section to learn about erasure on different device types.
At a time when data breaches are in the news everywhere, businesses are aligning their data protection and data security strategies to protect their invaluable data through the use of encrypted devices. Data encryption and the evolution of SED technology provide a layer of security that blocks unauthorized access to confidential data. Organizations should further ensure that, when these encrypted devices are disposed of, they are permanently sanitized using the right method of data destruction, preferably data erasure, in order to promote recycling and reuse of devices.
BitRaser is NIST Certified
Supported erasure standards (number of overwrite passes in parentheses):

US Department of Defense, DoD 5220.22-M (3 passes)
US Department of Defense, DoD 5200.22-M (ECE) (7 passes)
US Department of Defense, DoD 5200.28-STD (7 passes)
Russian Standard – GOST-R-50739-95 (2 passes)
B. Schneier's algorithm (7 passes)
German Standard VSITR (7 passes)
Peter Gutmann (35 passes)
US Army AR 380-19 (3 passes)
North Atlantic Treaty Organization (NATO) Standard (7 passes)
US Air Force AFSSI 5020 (3 passes)
Pfitzner algorithm (33 passes)
Canadian RCMP TSSIT OPS-II (4 passes)
British HMG IS5 (3 passes)
Pseudo-random & Zeroes (2 passes)
Random Random Zero (6 passes)
British HMG IS5 Baseline standard
NAVSO P-5239-26 (3 passes)
NCSG-TG-025 (3 passes)
5 customized algorithms & more