Years ago Microsoft listed the 10 laws of security, and law three states that if a bad guy has unrestricted physical access to your computer, it’s not your computer anymore. Thus, it’s critical to destroy hard drives and other media in recycled equipment.
On our office’s electronic waste day, we got rid of several old servers, workstations, phones and other equipment that at one time stored sensitive information. Some of it was BitLockered, but the rest was old enough not to be.
A hammer ensures information is unreadable, but that method doesn’t scale to drives in a remote data center. So, you need to look for alternatives. NIST 800-88 details the options you have to ensure that you safely can destroy the information on the media.
BitLocker and self-encrypting hard drives give you one option. If you know whether the data was added to the hard drive before or after it was encrypted, you might be able to quickly make the drives unreadable. In the case of self-encrypting hard drives, you can change the existing password (i.e., the data encryption key) and the data is no longer readable.
The process is called crypto erase and has been approved by ISO and NIST as an acceptable data sanitization method. If you use crypto erase, test the process to ensure you can’t recover data by sampling wiped drives.
