Forgot your password?
typodupeerror
Data Storage Security Hardware

New Toshiba Drives Wipe Data When Turned Off 239

Posted by CmdrTaco
from the how's-that-gonna-work dept.
CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."
This discussion has been archived. No new comments can be posted.

New Toshiba Drives Wipe Data When Turned Off

Comments Filter:
  • by mlts (1038732) * on Tuesday August 10, 2010 @04:51PM (#33208974)

    I can see this used not just in copiers where temporary files need to be zapped for privacy reasons, but in a number of other places:

    1: Photo kiosks.
    2: Documents stored on public access computers.
    3: Medical terminals used for X-ray viewing.
    4: Cash register terminals for storing CC data.
    5: CCTV DVRs. If a video time frame needs flagged for long term copying, it is.
    6: Proxy/sendmail log servers where logs don't have to be kept for longer than it takes to check if there is an intrusion.
    7: Temporary scratch space for a database server, say to pack and unpack normally encrypted BLOB/CLOB data.
    8: A special hard disk just for /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.
    9: Temporary scratch space when unarchiving data and putting it on a secure partition or tape drive. For example, getting data from tape or another site, storing it temporarly to get a machine to restore locally.
    10: A machine set up and automatically imaged for guests to browse the Web.
    11: A machine set up and autoimaged in a student computer lab. This way, a power cycle ensures that private data is not recoverable from the previous student.
    12: Drives set up for swap. This way, a power cycle removes all traces of a virtual machine's paging.
    13: Community clouds, where a VM is cloned to the drive, used to give better capacity, then shut down and the drive cycled so the next user on that drive doesn't have access to the previous user's data.
    14: A place to decode encryption keys temporarly pulled out of a HSM to be copied to another source.
    15: Airport X-day machines so the private pictures of people stay private.

    • by Anonymous Coward on Tuesday August 10, 2010 @04:54PM (#33209014)

      I guess it was either that, or telling everyone they were holding it wrong.

    • Re: (Score:3, Funny)

      by cosm (1072588)
      16. Porn.
      17. More Porn.

      Lets not be shortsighted.
    • Re: (Score:3, Insightful)

      by von_rick (944421)
      Most of the applications you have listed are subsets of no.8 on your list, "A special hard disk just for /tmp".
    • by h4rr4r (612664)

      Most of that stuff would be better off with a tmpfs. You should already be doing that with /tmp in mos cases.

      10 and 11 should just be PXE booted machines with no discs.

      • by KiloByte (825081)

        Any normal filesystem will go a long way to ensure the data is securely on the disk, forcing flushes after a short time, making multiple writes first to the journal, then to data sectors, then to metadata to ensure everything is consistent. That's utterly wasteful for /tmp/ -- with tmpfs, there won't be a single disk access in a vast majority of cases.

        I don't get why most distributions don't have /tmp/ on tmpfs by default. Just enlarge the default swap size by what is expected for /tmp/, to make sure max

        • [Put] /tmp/ on tmpfs [and] enlarge the default swap size by what is expected for /tmp/, to make sure max virtual memory capacity doesn't suffer.

          Once you start using tmpfs, sensitive information will accumulate in the swap file. This makes pseudo-volatile drives like these even more suited for item 12 (swap).

    • by drewhk (1744562)

      Don't worry, they will pass a law that prohibits this technology... Privacy is obsolete, so they say.

    • by Grishnakh (216268)

      Instead of making a special hard disk just for this application, why not just change the code of these embedded devices to delete this data?

    • deep freeze is better then reimage on boot as it is much faster. You need a fast sever + good network + a fast HDD on the pc to make autoimaga on boot not be a big slow down and this also makes it so each windows update that needs reboot a new images. Deep Freeze can be set up to go into a mode there you can install updates and keep them after reboot and then go back to the reset on reboot mode + you can have a user area that does not get wiped out as well.

      • by Galestar (1473827) on Tuesday August 10, 2010 @05:27PM (#33209442)
        This isn't "reimage on boot". This is encrypted storage whereby the key is volatile. There is not performance problem here.

        and to reply to OP, this tech really doesn't have as many uses are you say. It is really only useful for sensitive data. You can use it for /tmp, but there's really no point. Cleaning /tmp with software can be done pretty quickly - why buy expensive hardware?
      • by h4rr4r (612664)

        or PXE boot, then have /home be a tmpfs. That can be nice and fast if you have the rest of the OS on NFS or ISCSI, plus you remove one more part that can fail.

    • by camperslo (704715)

      Of course if it only removes the key, the data is still there. The user may not be able to access it but who says someone else can't?

      Maybe they should make flash drives designed to be put in a microwave oven.

      • by pilgrim23 (716938)
        there are many utilities that can read each block-sector then re-create a index/VTOC or FAT table. Looks like a place to make some bucks in the tech support field.
        • Re: (Score:3, Insightful)

          by afidel (530433)
          Doesn't matter, if it's doing AES256 correctly the universe will die of heat death before you can brute force the key. Unless someone comes up with a significant attack against AES256 I wouldn't worry about the recoverability of the encrypted data.
          • Re: (Score:3, Interesting)

            by fluffy99 (870997)

            I recall a story about so-called AES encrypted thumb drives. While the hardware symmetric key was encrypted with AES, the actual 'encryption' of the data stored in the memory itself was nothing more the XORing the data with the secret key. Not terribly secure. Is this Toshiba drive actually doing any sort of decent encryption that losing the key is significant?

            What makes this any more secure than Bitlocker or other similar whole drive/partition encryption with a passphrase?

    • by jgrahn (181062)

      8: A special hard disk just for /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.

      Not really. You expect /tmp to *exist but be empty* after reboot. With such a disk you'd at least have to repartition and mkfs somewhere early in the boot sequence. I see all kinds of problems.

      • by tepples (727027)

        With such a disk you'd at least have to repartition and mkfs somewhere early in the boot sequence. I see all kinds of problems.

        When /tmp uses tmpfs, it's redirected to swap. What kind of problem do you foresee with such a "quick format" of the swap partition on boot?

    • by Mendy (468439)

      Anywhere where someone doesn't have a Hot Plug [wiebetech.com]. I'm also curious what the behaviour is if someone leaves the power on but plugs the sata into a different computer.

  • by Anonymous Coward on Tuesday August 10, 2010 @04:56PM (#33209042)
    You invented random-access memory. Good job!
    • Re: (Score:3, Funny)

      by Amouth (879122)
      actually they realized that they could make a market for their self encrypting disks where the nvram to store the keys was bad... 
    • Re: (Score:3, Interesting)

      by IICV (652597)

      Not necessarily - you can still read the contents of RAM relatively accurately for up to ten minutes [freedom-to-tinker.com] after the power goes out as long as you're quick about extracting the sticks and applying some cryogenics (a spray from an upside-down can of compressed air works pretty well). Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecovera

      • what if the head is in sleep mode so no momentum and then power is lost?

        • The key could be stored in static RAM, which does lose data instantly when power is lost (downside is that it's more expensive, but for a single encryption key that's not a problem). Alternately, you could just stick a capacitor on the board with enough power to erase the RAM. Or just bury the RAM cells inside the CPU, so it's impractical to access them (and make the CPU erase them on next power-on).
          • On further research, some static RAM chips do retain data (though not all of them). If you really need the data blanked out, storing it in a D-type flip flop [play-hookey.com] might be better then.
      • Re: (Score:3, Interesting)

        by Kymermosst (33885)

        Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecoverable.

        The KISS principle suggests that they would use a capacitor.

        • by Splab (574204)

          No, actually each drive comes with a build in cat, gerbil and a baloon, when the drive is powered down the cages to each animal are opened and the cat chasing the gerbill in the closed area will generate enough static electricity rubbing against the baloon to wipe the key.

          Pure and simple, no fancy faulty capacitor to ruin your day.

          • No, actually each drive comes with a build in cat, gerbil and a baloon, when the drive is powered down the cages to each animal are opened and the cat chasing the gerbill in the closed area will generate enough static electricity rubbing against the baloon to wipe the key.

            Pure and simple, no fancy faulty capacitor to ruin your day.

            Not but a faulty cat will ruin your day, at least capacitors don't have claws.

        • by IICV (652597)

          You're probably right, especially since this is probably not going to be used in spinning media. I just think the concept of converting disk momentum back into electricity in order to power emergency shutdown maneuvers is so awesome I had to put it in there.

          • by tepples (727027)

            I just think the concept of converting disk momentum back into electricity in order to power emergency shutdown maneuvers is so awesome I had to put it in there.

            As I understand it, drives already do this to park the heads on an unused track.

        • The KISS principle suggests that they would use a capacitor.

          The Doc Brown principle suggests that they would use a flux capacitor!

      • by profplump (309017)

        Or they could just install a capacitor, which is what's typically done for dying-gasp circuits. It's not like you need 4kJ to overwrite 4K of RAM, particularly if you design a circuit with rapid reset in mind -- for example, DRAM could be built with the ability to connect all its capacitors to a drain simultaneously (or in big chunks) rather than one word at a time.

    • by mlts (1038732) *

      In a way you are right. A software approximation of this technology is having a RAMdisk, creating a TC volume on the hard disk that stores the keyfile on the RAMDisk, and when the machine is rebooted, the old TC volume and the keyfile that unlocks it is recreated.

    • by sixfootfive (1875604) on Tuesday August 10, 2010 @05:42PM (#33209600)
      Sounds more like Toshiba said, "Hey, we have this lot of bad drive" why don't we classify them as wipe feature enabled.
    • by pitchpipe (708843)

      You invented random-access memory. Good job!

      Not quite... this doesn't include the random part. Call it 'Sequential Access Volatile Memory': includes all the bad of RAM, and all the bad of HDD!

    • I congratulate companies on these advancements. For years we've had to settle for this happening only to the gigabytes of RAM in our computers, but now, we can have our hard drives lose all their data when they lose power as well. Some day, 5-10 years from now, we'll have technology that erases everything within one block of a PC that loses power.
  • Murphy's Law (Score:4, Interesting)

    by SilverHatHacker (1381259) on Tuesday August 10, 2010 @04:57PM (#33209066)
    Sounds like a good idea, but I'm almost positive there will be instances where important data is going to be screwed with by mistake. I personally would rather not have my hard drive erasing my data without my express approval, but I'm not the average Joe.
    • Re: (Score:3, Informative)

      by hviniciusg (1481907)

      A bether solution would be this automated self destructing HD that can be remotely destroyed :D

      "The Enhanced Hard Drive solves the problem of computers that are lost or stolen. A new hard drive feature will become the last word in data protection. A destruction technology is imbedded in the hard drive casing and can be initiated by as many as 17 remote triggers. Once deployed, the data stored on the disks is destroyed beyond forensic recovery. The process is non-toxic, non-combustible and does not cause any

  • In other news today, a company under investigation by authorities claimed all the data was wiped from their servers following an unexpected power outage.
  • As the Microsoft trials taught us data is hard to delete permanently.
    • by Andorin (1624303) on Tuesday August 10, 2010 @05:07PM (#33209194)
      Is it really? Perhaps I can get some education here. *nix systems come with a tool called shred [wikimedia.org], which overwrites a file multiple times with random data to provide secure deletion. We also have tools like dban [dban.org], which will do basically the same thing to the whole drive. How securely do tools like these erase data?
      • Re: (Score:3, Informative)

        by X0563511 (793323)

        dban is great, but is slow. Wiping a 500gb drive takes several hours at least.

        Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.

        • Re: (Score:3, Interesting)

          by Andorin (1624303)
          Can you elaborate on how shred is defeated by any file system besides ext2? For example, does it not function properly on other file systems?
          • by ChipMonk (711367) on Tuesday August 10, 2010 @05:52PM (#33209668) Journal
            Shred also works on drives. I shredded a Deskstar with a 25-pass wipe, which took over 16 hours. (And in a stroke of good timing, it started making the Deskstar "click of death" sounds less than 10 minutes after it finished.)

            But about file system journals. It's a bit much to say "any file system" besides ext2 defeats shred. The concern is this: If file data is committed to the journal first, rather than the filesystem proper, the only way shredding is secure is to shred a file that's larger than the journal. Otherwise, multiple overwrites of file data are actually going to the journal, where they'll be analyzed, all but the last overwrite will be canceled, and the file data in the filesystem ends up with only a single overwrite.

            Part of the purpose of shredding a file, is to overwrite the residual magnetic flux between tracks on a platter. Multiple overwrites on the platter will do this; shred used to do 25 overwrites by default, which was good enough for DoD secure erasure requirements. However, a FS journal would defeat this on a file that was less than 1/25 the size of the journal.

            Ext3/4 can do this, but not by default; the default is "ordered" mode, where file data goes directly to the FS, and then its metadata goes to the journal. A mount option can change this temporarily, and "tune2fs" can change the mode persistently.

            XFS and JFS journal only metadata, so shredding a file on those FS's is safe. You can verify this with an external journal on a different drive, then watch where the activity is during a shred. It isn't in the journal.

            OTOH, log-structured file systems like Btrfs may or may not erase the data in place; if the data is part of a snapshot, then later overwrites don't remove the snapshot.

            Yes, this is a lot to think about.
            • I tested shred against XFS, and found that it writes to the journal, rather than to the file data in-place. So shred is not safe to use on XFS.
          • Re: (Score:3, Informative)

            by KiloByte (825081)

            Most of modern filesystems don't put the new data into the old place. This is most prominent on JFFS (which is mostly the entire reason for it), then, in a decreasing order: btrfs, reiserfs, jfs, ext[34]. And on old filesystems on flash, you'll often have an underlying layer that does wear-levelling. Also, if there's any copy-on-write, tail packing, snapshots, etc, involved, shred will most likely be defeated as well.

        • Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.

          That's why you copy files you want to keep onto another partition, then run shred on the original partition's block device, then recreate the filesystem.

        • by gad_zuki! (70830) on Tuesday August 10, 2010 @05:51PM (#33209656)

          >Wiping a 500gb drive takes several hours at least.

          Not really. The problem is that everyone picks some zany wiping scheme. Those Gutmann patterns don't even make sense with any modern drive. All you really need to do is zero the drive once. It doesn't take that long. I have yet to see a recovery from a drive that's been zero'd out. Anything past one pass of zeros is just extra credit.

      • by txoof (553270) on Tuesday August 10, 2010 @05:38PM (#33209552) Homepage

        This has been covered to death here [slashdot.org] on slashdot [slashdot.org], but basically one pass of /dev/random will pretty much take care of wiping a drive. Drive recovery companies will tell you that the hypothetical bit-by-bit recovery is possible, but is so ungodly costly that it's not worth doing unless there's something REALLY important on the drive (like pictures of your mom [xkcd.com]). If you're really paranoid, don't waste your time with shred, just dd if=/dev/urandom of=/dev/hda twice and call it a day. Shred takes F O R E V E R and really provides nothing more than a nifty status bar. If you're SUPER paranoid, dd the drive twice and yank the platters, play frisbee, build a tesla turbine [instructables.com] or simply scratch the hell out of them and chuck them in the recycle bin.

      • by LoRdTAW (99712)

        I remember it being proven that even a single pass of running your drive over with 0's using dd is enough. There is even a prize for anyone who successfully figures out how to recover a zeroed out disk. Was on ./ not too long ago.

    • As long as it can guaranteed stay encrypted out past the statute of limitations I think that it will be fine for legal/illegal purposes. AKA: Sure they're going to come up with better decryption methods and better supercomputer/cloud compute power but if in its current state it'll take big blue 1000 years to decrypt it, I think its safe to say its not going to be decrypt-able in any sort of time frame that would be relevant to anyone living today. 100 years of estimated big blue time to brute force it would

      • by shentino (1139071)

        There is no statute of limitations when it comes to a fraud upon the court, which includes knowingly withholding evidence.

        • The beauty of the situation is that it seems to me that the drive can be set up so that even if you wanted to you can't possibly retrieve the data, thus the statute would still apply.

          • I thought about it for a second after hitting the submit button and remembered that if they do decrypt it afterwards and find criminal material they can still prosecute as long as its for a new crime. At least in Canada. Don't know about anywhere else. The Civil suit would be history however.

            As the other respondent said though, you'd likely be too dead to care by then.

  • by Dynamoo (527749) on Tuesday August 10, 2010 @05:01PM (#33209118) Homepage
    Remember RAM disks? Kind of an eighties thing I guess..
    • by txoof (553270)

      Remember RAM disks?

      Is that an operating instruction?

      • Re: (Score:3, Funny)

        by tepples (727027)

        Remember RAM disks?

        Is that an operating instruction?

        Yes. In context, it means "speculatively load what you know about the basics of RAM file systems".

  • The Computer Word story is light on details. No surprise there.

    How is your data protected against accidental deletion - hardware failure, power outages, etc?

    • by Grishnakh (216268)

      Sounds like it isn't. If the power fails, the data's gone. I'm guessing this is really only useful for applications where you really don't want to preserve data past a power outage (such as spooled documents on a networked office printer, or some other weird high-security application where they're actually worried about people reading the RAM (on a ramdisk) using cryogenic methods).

    • by txoof (553270) on Tuesday August 10, 2010 @05:51PM (#33209658) Homepage

      All the articles are pretty poorly written, and the Computer World article misquotes the Toshiba press release

      Computer World

      Drives with the technology will go into hard drives for laptops and desktops.

      Toshiba

      But lost or stolen notebooks are not the only security risk that IT departments must address. Today, most office copier and printing systems utilize HDD capacity and performance to deliver a highly productive document imaging environment. Many organizations are now realizing the critical importance of maintaining the security of document image data stored within copier and printer systems.

      Toshiba is selling these drives as a method for securing scanning copiers. Many of the current copiers hold onto everything that is copied or scanned indefinitely leaving a gaping security hole. The new SED drives encrypt their contents and then wipe the key when the drive powers down leaving the data intact, but no meaningful method for recovering it. If a thief tries to yank a SED drive out of a copier, it automagically wipes it. If part of your security procedure is to shut down the copiers each night, your daily load of potentially secure documents and copies of Bob's butt are also automagically wiped.

      Clearly, this type of technology would be worthless in a notebook or any other type of PC. You'd always be running from outlet to outlet to save your data. It'd be an IT version of that terrible Jason Statham movie Crank 2: High Voltage. Shudder.

      • by Todd Knarr (15451)

        Only one problem: the filesystem gets wiped along with the data. When these drives are powered off, they aren't just blank drives they become unformatted drives as far as the copier's concerned. And I really doubt those copiers have the brains to automatically handle an unformatted drive.

  • Their laptop hard drives have been self erasing for years via head crashes and other catastrophic malfunctions. Absolutely horrible laptop hard drives.

  • I spilled water into a power bar back in 95 and achieved exactly the same effect!
  • I used to call that "hammer & magnet"...
  • SED? (Score:5, Funny)

    by lowrydr310 (830514) on Tuesday August 10, 2010 @05:18PM (#33209322)
    I've always thought SED stood for "Smoke Emitting Diode"

    It's my favorite electronic component, but the only problem is that they only work once.
    • by mweather (1089505)
      Duh, the magic smoke is what makes electronics work. Once you let it out, it stops working.
  • by overshoot (39700) on Tuesday August 10, 2010 @05:24PM (#33209408)
    Somehow I don't think that Toshiba is quite so stupid as to build what TFA describes: a laptop drive that wipes itself after the power is turned off.

    My bet is on the usual baked-in drive encryption, very badly described.

  • by jeko (179919)
    Pfft. Western Digital and Maxtor have had this feature for years....
    • by RoboRay (735839)

      No, Maxtor drives wiped all your data without even having to power the thing down. That's even better!

  • by joe_cot (1011355) on Tuesday August 10, 2010 @05:29PM (#33209478) Homepage

    From the scant details in the article and summary, it appears that the drives are encrypted, and the "wipe" consists of getting rid of the encryption key.

    Calling that a "wipe" is rather misleading in my opinion. Toshiba's in for one hell of a liability issue if their encryption is ever cracked -- though I'm sure they'll take care of all that in the fine print.

    • Re: (Score:3, Insightful)

      by tepples (727027)

      Toshiba's in for one hell of a liability issue if their encryption is ever cracked

      A meaningful crack for industry-standard ciphers such as AES would make just about every firm in the IT world "in for one hell of a liability issue".

  • by John Hasler (414242) on Tuesday August 10, 2010 @05:30PM (#33209502) Homepage

    Well, the local copy, anyway...

  • I've never had a drive that did ANYTHING after it was powered down.

    This is a tremendous advance. And I RTFA, and it doesn't offer me much of an explanation.

  • by xtal (49134) on Tuesday August 10, 2010 @06:42PM (#33210116)

    This is a good step forward for general security.

    How could you trust this 100%? Without the firmware (and some way to verify it), this likely could / does contain backdoors.

    For the children, you see.

    I don't see a major improvement over well set up truecrypt partitions.

  • Frags your drive on power loss, eh? Yeah, nothing could go wrong there.

    How about this. It sounds like all you're really killing is the stored key. Instead of fooling around with what amounts to a RAM chip, why not take a lesson from floppy disks? Back in the day, when you were done writing to a disk there was a little tab you would break and then the disk would be permanently read-only (unless someone used tape). Why not store the key in a little thing that you break off? If you wanted to get really fancy,

  • I just write all of my data to /dev/null. Take that, toshiba!

You are in a maze of UUCP connections, all alike.

Working...