In today’s digital age, data security is paramount, and the need to sanitize sensitive information has never been more critical. One effective method for data sanitization is “cryptographic erase.” This technique ensures that data is irreversibly sanitized by changing encryption keys, rendering the stored information unreadable.
Understanding Cryptographic Erase
Cryptographic erase is a robust data sanitization method designed to eliminate sensitive information from electronic storage media securely. This method is applicable to storage devices that utilize encryption keys stored within the device itself and can change these keys in a single operation. By changing these keys, crypto erase ensures that only ciphertext remains on the storage media, making the original data completely inaccessible.
However, it’s essential to note that cryptographic erase cannot be performed on encrypted storage media types where encryption keys are not stored on the storage device, such as encrypted LTO-4 tapes.
The process of crypto erase involves issuing commands through the host interface to change the encryption keys. This can be achieved using format or sanitize commands, depending on the storage device type. To maintain security, keys used in cryptographic erase should be randomly generated from the entire keyspace.
To use cryptographic erase as a data purging method, certain conditions must be met:
- All data intended for cryptographic erase must be encrypted before recording it on the storage media.
- The cryptographic algorithm used must have a strength of at least 128 bits.
- The encryption key’s entropy should be at least 128 bits.
- All copies of the encryption keys used to encrypt the data must be sanitized. If the data’s encryption keys are themselves encrypted with wrapping keys, sanitizing the corresponding wrapping key is acceptable.
It’s important to note that combining cryptographic erase with other sanitization methods, like data clearing, is not recommended as it can slow down the operation and impede verification.
Implementing Cryptographic Erase
Fidelity Height’s Opal Lock offers a comprehensive set of features to facilitate cryptographic erase and enhance data sanitization:
- Drive Status and Info: Opal Lock scans and identifies Opal drives on the system, providing drive status and relevant information.
- Setup: Users can establish a password to lock and unlock drives securely.
- Unlock Drives: After setting up a password for a drive, users can unlock access using a pre-OS boot environment, a bootable USB, or a separate, unlocked Windows system.
- Query Drive: Opal Lock allows users to view additional information about their drives, aiding in the management of data sanitization.
- View Audit Log: Users can access a drive’s event log, ensuring transparency and accountability in the sanitization process.
- Revert/Remove Lock: Opal Lock empowers users to remove the lock while preserving all data or cryptographically erase all drive data using a password or PSID, implementing the cryptographic erase method effectively.
Data sanitization is crucial in today’s data-driven world, and cryptographic erase is a powerful method for achieving it. Choose Opal Lock to implement cryptographic erase securely and ensure that sensitive data remains protected!
Photo Credit: sasun bughdaryan