CLARiiON Data Erasure – DIY edition

Over the last couple of months I’ve been busy phasing out an old EMC CLARiiON CX3 system and migrating all the data to newer VNX and/or Isilon systems. The hard work paid off: the CX3 is now empty and we can start to decommission it. But before we ship it back to EMC we need to employ a type of CLARiiON data erasure to make sure data doesn’t fall into the wrong hands.

Do you need a certificate?

If you need to show proof to auditors that the array was completely wiped of data, there’s only one real option. EMC offers CLARiiON Data Erasure as a professional service. At the end of the engagement they’ll present you a certificate and a list of disks that didn’t erase properly and you’re covered.

A quick check determined that we do not have such a strict policy and do not need a certificate. We DO need to make sure data cannot be easily retrieved, which is pretty much common sense in my opinion. If someone gets their hands on a drive, they shouldn’t be able to read the data.

Why?

Let’s assume I leave the LUNs bound on the CLARiiON and pull out a drive. In a worst case scenario, assume I’ve gotten my hands on a RAID1 drive: I now have a fully functioning copy of the data that I can play around with. Which is bad news…

On the other side you have the full (DoD 5220.22-M approved) 7-pass overwrite mechanism, the one the CLARiiON Data Erasure service also utilizes. This is done to eliminate data remanence, or residual data on the platters. The theory behind this is simple: let’s say you’ve got a platter filled with binary data. You erase all data (write a zero in all possible locations). Should you then remove the platter and place it under specialized laboratory equipment, you’d see a difference in magnetism between “true zeroes” and “zeroes that were formerly a one”. There’s a slight amount of residual magnetism left.

Digging a bit further it seems that this is slightly exaggerated. NIST publication 800-88 Rev 1 states the following:

For storage devices containing Legacy Magnetic media, a single overwrite pass with a fixed pattern such as 0s typically prevents recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.

That sounds good enough for our purposes.

DIY data erasure

In previous engagements (which also didn’t require a certificate) I’ve always used a combination of removing all LUNs and RAID groups, swapping drive positions, creating new random RAID groups and LUNs (and waiting for the bind process to complete), attaching the LUNs to a server and using software to overwrite the data. A CLARiiON LUN bind is followed by an automatic zeroing of the space which erases all previous traces of data, but it’s hard to report this to management. “Yeah if you look in the event logs and see this and that event code…”

All in all a very time-consuming operation with no fixed procedure and very limited reporting on whether the data is actually gone. I didn’t want to go through that entire nightmare again this time. I know from a previous erasure that EMC has a tool to connect to the array and wipe all the drives in parallel. But even though I’m working for an EMC partner and don’t need a certificate, I’m not allowed to use that tool myself. So Google it is!

I ran into a blog post called “How to scrub/zero out data on a decommissioned Clariion” which talks about the zerodisk CLI command. Included in that command is a switch that checks whether or not a drive has been zeroed. That’s exactly what we need!

Zerodisk procedure

First of all, you might want to retrieve the zero mark for all the disks in your array. The command syntax is as follows:

naviseccli -h <IP_of_SP> zerodisk -messner <drive_ID> getzeromark

Unless this Zero Mark is either 69704 or 69760, your drive is NOT zeroed. Since this array contains 210 drives, I wasn’t really planning on entering all the drive IDs manually. So I had exported the full list of drives from Unisphere and Excelled it with some concatenate formulas to generate the drive IDs (0_0_0 etc). Only then did I try substituting the drive ID in the command for “all”…. sigh! So yeah, do that, it saves time.

I don’t want to wipe my vault drives just yet. There’s conflicting information on the internet about whether the zerodisk command removes your FLARE code, so better safe than sorry: create a RAID group and LUN on your VAULT drives. The zerodisk command will not run against disks that have LUNs bound, so you’re now certain your vault is protected against accidental zeroing.

naviseccli -h <IP_of_SP> zerodisk -messner <drive_ID> start
naviseccli -h <IP_of_SP> zerodisk -messner <drive_ID> status

For a single disk, enter the above commands and zeroing will start. It looks like a single 1TB disk wipe took about 5 minutes per 2%, so the process should complete in a little over 4 hours.

If you’re feeling confident, substitute the drive ID for “all” and watch the magic happen. You will see in the output below that the vault drives are skipped because of the bound LUN; the other error is the drive that is already zeroing.

[Screenshot: zerodisk starting for all disks]

Now just wait till all disks have finished, run the getzeromark command, export it to file to prove all drives are empty and you’re set! Fun fact: this CX3 is so old, the sudden I/O of all drives zeroing instantly faulted two drives.
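
An added example (not from the original post or from EMC): a shell function that turns getzeromark output into a per-drive report, using the two zero-mark values quoted above. The output layout it parses (a "Bus x Enclosure y Disk z" line followed by a "Zero Mark:" line), the function names and the report file name are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Zero-mark values the post gives for a fully zeroed drive.
ZEROED_MARKS="69704 69760"

# Constructed sample input. The layout (drive line, then "Zero Mark:" line)
# is an assumption about what getzeromark prints, not captured output.
sample_output() {
cat <<'EOF'
Bus 0 Enclosure 0  Disk 0
 Zero Mark: 9223372036854775807
Bus 0 Enclosure 0  Disk 5
 Zero Mark: 69704
Bus 1 Enclosure 2  Disk 14
 Zero Mark: 69760
Bus 1 Enclosure 3  Disk 1
 Zero Mark: 12345
Bus 1 Enclosure 3  Disk 2
EOF
}

# stdin: getzeromark output. stdout: "<drive_ID> <mark> <verdict>" per drive.
zero_report() {
  awk -v marks="$ZEROED_MARKS" '
    BEGIN { n = split(marks, m, " "); for (i = 1; i <= n; i++) ok[m[i]] = 1 }
    $1 == "Bus" && $3 == "Enclosure" && $5 == "Disk" {
      if (id != "") print id, "-", "NO_MARK_SEEN"  # drive without a mark line
      id = $2 "_" $4 "_" $6
      next
    }
    $1 == "Zero" && $2 == "Mark:" {
      mark = $3 ""                                  # force string comparison
      d = (id == "") ? "unknown" : id
      print d, mark, ((mark in ok) ? "ZEROED" : "NOT_ZEROED")
      id = ""
    }
    END { if (id != "") print id, "-", "NO_MARK_SEEN" }
  '
}

# stdin: getzeromark output. stdout: number of drives not proven zeroed.
not_zeroed_count() {
  zero_report | awk '$3 != "ZEROED" { n++ } END { print n + 0 }'
}

# Real use (commands from the post), keeping the report as evidence:
#   naviseccli -h <IP_of_SP> zerodisk -messner all getzeromark | zero_report > zeromark_report.txt
sample_output | zero_report
```

A drive that appears without a zero mark is reported as NO_MARK_SEEN and counted as not zeroed, so faulted or skipped drives stand out in the report instead of silently dropping out of it.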

CLARiiON Data Erasure complete!

Comments, suggestions, questions? Plenty of room in the comments section! Happy erasing!

  • Rob Koper

    In a certain ILT a few months ago, the instructor explained (or told us his version) why some data still remains on the magnetic platters. He said the heads have a very small tolerance and are not completely fixed over a certain track. This means that for example if a track is 1 cm wide (EXAMPLE!!!) and the head is 8 mm, this leaves 2 mm of unwritten track. However: on the next write session the head could have moved slightly and that remaining 2 mm do now contain the new data. But this leaves the old data on the 2 mm on the other side of the track. You get the picture? If you have a head small enough to read that 2 mm sub-track, you’re reading the old data.

    On the other hand, your version (and mine as well) is that if a head writes data, let’s say a 1, the magnetic field represents that 1. If you now write a 0, the polarity needs to swap and chances are that on its way from that 1 to the new 0 it stops swapping around and it ends up being a 0.15. Digitally this reads as a 0, since the tolerance for a 0 is probably somewhere between 0 and 0.4 or so. If you write a 0 again, you might end up with a 0.03. This also reads as a 0, but if you look closely, you see the 0.03 instead of a 0.15, so you know that value was a zero before and a 1 before that.

    Anyway, this was highly hypothetical, but sounds plausible, right? But that first explanation sounds plausible too. So which is it?

    • Jon Klaus

      Neither of the two apparently, since according to the Computer Security Resource Center at NIST there’s no (or negligible) risk involved.

  • Allen Ward

    Based on past experience of having a drive that had been overwritten many times recovered after a physical failure I disagree with the NIST position. They just want us to think our data is safe. A guy using software and hardware that I could have purchased for a few hundred dollars was able to recover data from my failed drive and the biggest question was how “deep” I wanted him to go. He was able to pull entire usable images of the drive from previous points in time that were certainly prior to the last format… some were from several formats ago. And I don’t use quick format either. So the drive was fully formatted several times and overwritten with data (including different OS versions) several times yet there was usable data there. It’s like archaeology… just cause you can’t see it on the surface doesn’t mean someone with the right tools can’t dig it up. And that wasn’t a high tech lab using thousands of dollars worth of equipment either…

    • Jon Klaus

      With full format, do you mean unchecking the quick format option or do you mean a full “write zeros everywhere, start to end”? Because a “full format” in Windows is just a quick format followed up with a bad sector check. Which would mean just the MFT is gone and the rest of the drive can indeed be reconstructed.

  • dynamox

    too much hassle, shred them for cents per pound/kilo

  • jdawg183

    Is this process repeatable? We are preparing to wipe ours now, and while a DoD wipe is not required, we like to get as close as possible. As such, we want to be able to run the process, then once it completes, do it again. Is this something that can be done?

    • Jon Klaus

      Hi, absolutely! Once the disk has finished zeroing, just use the same command to re-run the zero process.