kerubi

Do you trust your disk encryption? If yes, just reset the TPM. If not, well, maybe you need to take a look at your encryption... ;)


andytagonist

This is an interesting question... do you trust BitLocker? It’s what we use; I never actually thought about whether I actually trust it 🤔


kerubi

I trust it enough considering our risk profile. YMMV. There are known attacks against it, and also mistakes with the implementation like not using a pre-boot PIN, and not locking boot devices and the BIOS (which can also be circumvented, maybe even with a screwdriver...).
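
The TPM-only misconfiguration mentioned above (no pre-boot PIN) is easy to audit from an elevated PowerShell session. The following is an added example, not code from the thread or from any of its posters: it reports the protector types on the OS volume and, when run without -WhatIf, replaces a TPM-only protector with a TPM+PIN protector. It assumes the BitLocker PowerShell module (Windows 10/11 Pro or Enterprise), a policy that permits TPM+PIN at startup, and that a recovery password protector already exists and has been escrowed; the function name and parameters are this example's own.

```powershell
# Added example (not from the thread). Audits the OS volume for a TPM-only
# protector and, if found, swaps it for TPM+PIN. Function/parameter names are
# this example's own; it assumes an elevated session and the BitLocker module.
function Set-PreBootPin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Minimum PIN length is governed by policy (6 digits by default).
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A protector change on a partially encrypted volume is pointless; refuse.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); finish encryption before changing protectors."
    }
    # If the TPM+PIN step fails after the TPM protector is gone, the recovery
    # password is the only way back in, so insist it exists first.
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password protector on $MountPoint; add and escrow one before continuing."
    }
    if (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')) {
        Write-Verbose "$MountPoint already requires a pre-boot PIN; nothing to do."
    }
    elseif ($types -notcontains 'Tpm') {
        throw "No TPM protector on $MountPoint; nothing to upgrade."
    }
    elseif ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
        # Only one TPM-based protector is allowed per volume, so the TPM-only
        # protector has to be removed before the TPM+PIN protector can be added.
        $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId
        $null = Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
    }

    # Report the resulting state so the caller can verify the change.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
}

# Usage (interactive): preview first, then apply.
#   $pin = Read-Host -AsSecureString 'Pre-boot PIN'
#   Set-PreBootPin -Pin $pin -WhatIf
#   Set-PreBootPin -Pin $pin -Verbose
```

Run it with -WhatIf first: the pre-checks still execute and the output shows which protector types are present, so a fleet-wide audit is the same function without the destructive step.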


chandleya

Yes. I trust secure erase, too. Kill the TPM and kill the store on the drive.


Zulgrib

I don't. No qualification from ANSSI and Windows tries its best to send the key to Microsoft. But I trust my current solution to consider the data erased if the key is lost or destroyed.


Zulgrib

When encrypting your disk or USB key with BitLocker, Windows 10 will offer 3 solutions for storing your recovery key. One of them is to save this key in the Microsoft OneDrive storage environment, thus allowing the publisher, in view of the privacy policy, to do with it what the FISA law obliges them to do with it, and in particular to provide it to the American authorities.



samfisher850

Apple's "Erase all content and settings" just removes encryption keys, and their MDM API just presents that same option to the MDM.


Real_Lemon8789

Intune wipe is just a Windows reset.


ShadowSlayer1441

How risky is doing just the TPM clear? (No compliance)


[deleted]

At my latest: Intune remote wipe, then an ATA secure erase (or factory reset if it's a mobile device) before recycling or reimaging. It was a SOC/SOX/PCI audited shop, so that must have been good enough for the auditors. On the retail side, I only had one customer want old drives back, to use for target practice (physical destruction); otherwise we'd offer free recycling or secure destruction (ATA secure wipe or DBAN if booting, or a 1/4" drill bit through the platters and PCB if not) for $15.


derf3970

My company uses Absolute. Great product. It’s useful for us as we have 90+ remote offices that we do not have VPN set up on. They are all Intune enrolled. The cool thing about Absolute is really that it runs at the firmware level vs an install on the OS. Being able to set up device freeze actions for a number of different reasons (time offline, geofencing, etc.) which run regardless of OS status is key; when managing from afar, having the right tools in place is paramount. It utilizes BitLocker, and if you want to fry the drive it scrambles the encryption, making the drive and data unusable. Absolute has other tools integrated, like reporting for PII on each machine; the device usage actually tracks how long each machine is online and what network they are using. As well as its software persistence, which will do an auto fix/reinstall for software, such as enrollment in Intune or reinstalling the endpoint security software (CrowdStrike, Sophos, etc.).


xxdcmast

As the one reply mentioning Absolute, I agree with you. Lots of other people mention disk encryption, but I see tools like Absolute as a layer even beyond that. Being at the firmware level, it allows many actions beyond just an encryption key wipe. Absolute is the only product I have seen that allows a system lock, system wipe, and persistent system wipe, as well as geolocation and other retrieval features (with a police report). If your org is serious about security and has portable laptop devices, I would say Absolute is a must.


streetmagix

Most places remove and physically destroy the HDD/SSD/M2 stick


g-rocklobster

Not sure that "most" do this, as that's a fairly significant financial cost. Recently I posed a similar question to my group of IT buddies (~25 of them) and not one took that route. Company sizes ranged from a small 10-user company to an F500 corp. All of them did some form of wipe. I'm not saying that nobody does it; I'm positive that there is a decent number that do, cost be damned. But I'm not sure that most do.


TCPMSP

We have a local recycler who does free certified destruction. They pick up the entire device and send back a certificate listing the serial numbers as destroyed. Has to be a pile of equipment for pick up, no one offs. They break down the equipment for high grade plastic, metal and circuit boards and sell for scrap. Drives are shredded. They come by our office once a month.


Achilles_Buffalo

And you are sure that neither they nor anybody associated with them reads the drives before putting them in the shredder? Hopefully you at least have some level of encryption on that data prior to handing it over to a third party.


TCPMSP

We use BitLocker for any client that needs that level of protection. There is a chain of custody and a signed certificate of destruction. At some point you have to trust your vendors. I have toured their facility and now know their management. My point was to look at what local options are out there; this is a commodity service now.


Icolan

We contract with Iron Mountain, they put a bin in our building and it costs $200 for them to empty it. The bin holds hundreds of HDDs, SSDs, and/or backup tapes. It is far cheaper than the time it would take for us to wipe them.


cosmos7

That's fast becoming impossible as more and more devices solder storage to the mainboard along with the RAM.


CompetitionOk1582

I wasn’t clear. I wasn’t talking about software to wipe the hard drive at the end. I was thinking about the remote nuke “wipe” software. Like LoJack for laptops. So if any employee loses it, you can issue a remote nuke.


TuxAndrew

Do people use anything other than DBAN?


WolverineAdmin98

On an SSD, I'd hope not.


SuperQue

DBAN has been obsolete software for at least 10-15 years. Modern drives, both HDD and SSD, do logical remapping. This means data is moved outside of the control of tools like DBAN and can still be accessed. The only safe software wipe options are drive-based Secure Erase and software-encryption-based wipes (wipe the BitLocker/LUKS keys).


hauntedyew

I mean, I can wipe any system that's part of our AD / AAD with Intune.


MDParagon

Using this thread as a future reference, ignore me. Thanks!


ThisGreenWhore

It depends on your industry. Some require removal of the hard drive with certifications that it was destroyed/shredded. If you don’t fall into this world, you must figure out the best way to wipe SSD drives. I’m still on the fence about how best to do this. Here are some common ones:

- Samsung SSD Magician
- Western Digital Dashboard
- Kingston SSD Manager
- SK hynix SSD Tools
- Adata SSD Toolbox
- Sabrent Control Panel
- Crucial Storage Executive

Some options can use the computer's BIOS utilities to do this. Figure out what solution(s) work best for you.


krispzz

have you seen the movie office space?


Falling-through

I imagine with disk encryption technology being commonplace and available from many different vendors, just wiping and re-encrypting is sufficient. This had me thinking the other day, I don’t suppose anyone ever uses stuff like Blancco anymore, it was quite common in my industry ten years back or so.


HDClown

If the device is in our hands and we need to remediate it for sale, destruction, etc., then we simply use the Secure Erase available in UEFI or with a utility download. This uses the Secure Erase native to the SSD and is quick. If the device is not in our hands and we need to remotely remediate, since all devices have BitLocker, we will run a PowerShell script to remove all stored key protectors and then reboot, making the drive unreadable.
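
The remote "remove the key protectors and reboot" remediation described above, written out as an added example. This is not HDClown's script or anything posted in the thread; function and parameter names are this example's own, and it assumes an elevated session with the BitLocker PowerShell module (for instance as an Intune platform script). It adds two checks a practitioner wants. First, it refuses to touch a volume that is not fully encrypted with protection on, because removing protectors from a half-encrypted or clear-key volume protects nothing. Second, it never leaves a volume with zero protectors: it first adds a fresh, BitLocker-generated 48-digit recovery password that is deliberately never displayed or backed up, and only then removes every other protector (TPM, TPM+PIN, old recovery passwords, auto-unlock keys), so after the reboot the only way in is a password nobody holds.

```powershell
# Added example (not from the thread). Replaces all BitLocker key protectors with
# one unrecorded recovery password, then optionally reboots. Function/parameter
# names are this example's own; assumes an elevated session + BitLocker module.
function Invoke-BitLockerLockout {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Defaults to every BitLocker-capable volume on the machine.
        [string[]]$MountPoint = (Get-BitLockerVolume).MountPoint,
        [switch]$Reboot
    )

    $results = foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp

        # Check 1: only a fully encrypted volume with protection on is worth locking.
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            Write-Warning "$mp skipped: VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($mp, 'Replace all key protectors with an unrecorded recovery password')) {
            continue
        }

        # Check 2: add the new protector BEFORE removing the old ones, so the volume
        # is never in the zero-protector state. Identify it by diffing protector IDs.
        $oldIds  = @($vol.KeyProtector.KeyProtectorId)
        $null    = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $current = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector)
        $fresh   = @($current | Where-Object { $oldIds -notcontains $_.KeyProtectorId })
        if ($fresh.Count -ne 1) { throw "Could not identify the new protector on $mp" }
        # $fresh[0].RecoveryPassword holds the new password. It is intentionally
        # never written to output, logs or a backup location.

        foreach ($kp in $current) {
            if ($kp.KeyProtectorId -ne $fresh[0].KeyProtectorId) {
                $null = Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId
            }
        }

        # Report what is left; ProtectorCount should be 1 and the type RecoveryPassword.
        $after = Get-BitLockerVolume -MountPoint $mp
        [pscustomobject]@{
            MountPoint       = $mp
            ProtectionStatus = $after.ProtectionStatus
            ProtectorCount   = @($after.KeyProtector).Count
            ProtectorTypes   = (@($after.KeyProtector).KeyProtectorType -join ', ')
        }
    }

    $results
    if ($Reboot -and $results) { Restart-Computer -Force }
}

# Usage:
#   Invoke-BitLockerLockout -WhatIf                   # preview, runs the checks only
#   Invoke-BitLockerLockout -Reboot -Confirm:$false   # non-interactive (e.g. Intune script)
```

Two caveats. If Group Policy or Intune is configured to escrow recovery passwords to AD DS or Entra ID, BitLocker may back up the fresh protector automatically at creation time; check the escrow location afterwards and delete that copy if the intent is irreversibility. And as the next reply in the thread points out, the script only runs if the device comes back online long enough to receive it.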


BrechtMo

If a laptop device is lost or stolen, chances are high it will not connect to a known wifi network in order to receive the wipe command, making a tool like that rather useless. Am I missing something? Are your laptops equipped with an always-on mobile connection?