Secure data deletion

The system provides methods to securely erase data from a drive or boot drive when a node or node canister is decommissioned.

Secure data deletion effectively erases or overwrites all traces of existing data from a data storage device. The original data on that device becomes inaccessible and cannot be reconstructed. You can securely delete data on individual drives and on a boot drive of a control enclosure. The methods and commands that are used to securely delete data enable the system to be used in compliance with European Regulation EU2019/424.

Deleting data from SAS drives

You can use the chdrive -task erase drive_id command to securely delete data from a SAS solid-state drive (SSD) or SAS hard disk drive (HDD). The secure erase function supports most devices, but it is not supported on a few older drive models. When the command is used against an unsupported drive model, the error CMMVC6626E: The task was not initiated because a command was rejected by the drive that you have specified appears. The command also fails if the drive is an active member of an array, if the drive is in auto-manage mode, or if a firmware upgrade is in progress on the drive or the enclosure. If the erase process does not complete or fails, you cannot access the data on the drive; the only option is to enter the chdrive -task erase command again.

To see the status of the data deletion task and the estimated completion time, you can use the lsdriveprogress command. During the data deletion process, the drive activity LED indicator flashes green. When the process completes, the drive activity LED indicator becomes solid green.

Note: Do not power off the enclosure or remove the drive until the data deletion process completes. Otherwise, you might not see any progress from the lsdriveprogress command and the drive remains offline. If the drive is offline, wait until the activity LED indicator is a solid green before you try to use or remove the drive again.

The following table compares the methods that the system uses to securely delete data from the drives. The method varies according to the commands that each type of drive supports. The completion time for the erase procedure also varies, depending on the amount of data and the method that is used to delete it. In each case, when the operation completes, the data on the drive effectively becomes impossible to access.

Table 1. Comparison of methods to securely delete data from drives

| Priority | Deletion type       | Method                                                                                                                      | Completion time |
|----------|---------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|
| 1        | Cryptographic erase | Changes the encryption key and makes the data inaccessible.                                                                 | Instant         |
| 2        | Block erase         | Quickly raises and lowers the voltage level of the storage element. Physical blocks are altered with a vendor-specific value. | Fast            |
| 3        | Data overwrite      | Replaces the existing data with random data.                                                                                | Slow            |

The methods that are used to securely delete data vary according to manufacture, drive type, and drive firmware. For more information, see the documentation that is provided by the drive manufacturer.

If a drive supports more than one data deletion method, the system uses the highest-priority method. Consider the following examples:
  • If a SAS solid-state drive (SSD) supports all of the methods, cryptographic erase is used to delete the data.
  • If a SAS SSD supports block erase and data overwrite, the system uses the block erase method to delete the data.
  • If a SAS hard disk drive (HDD) supports cryptographic erase and data overwrite, the system uses cryptographic erase to delete the data.

For more information about the drives that are supported by the system, see Control enclosure replaceable units.

Deleting data from NVMe drives

You can use the chdrive -task erase command to delete data from an NVM Express (NVMe) drive. The drive is marked as offline and the deletion process starts. Use the lsdriveprogress command to monitor the status of the data deletion process and the estimated completion time.

You can also securely delete data from NVMe drives by using the chdrive -task format drive_id command. When you issue chdrive -task format, the system changes the internal key in the NVMe drive and then erases the user data. All previous data on the drive becomes unreadable.

Before an NVMe drive is added to an encryption pool, the drive is encrypted with a new key. Because that encryption key is removed during the formatting process, the data on the NVMe drive can no longer be read.
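The monitoring step described for both SAS and NVMe drives (issue the erase, then watch lsdriveprogress and do not pull a drive until its task finishes) can be automated into a decommissioning gate. The following script is an added example, not code from the product documentation; the colon-delimited column layout it parses (drive_id, task, progress, estimated_completion_time, as with lsdriveprogress -delim :) and the sample output are assumptions to verify against a real system.

```python
"""Added example: gate drive removal on secure-erase progress.
The column layout (drive_id:task:progress:estimated_completion_time) is an
ASSUMPTION about `lsdriveprogress -delim :` output; check it on your system."""
from dataclasses import dataclass

# Constructed sample output: drive 3 has finished, drives 7 and 9 are still running.
SAMPLE_PROGRESS = """drive_id:task:progress:estimated_completion_time
3:erase:100:
7:erase:42:250101123000
9:format:5:250101124500
"""


@dataclass
class DriveTask:
    drive_id: int
    task: str
    progress: int  # percent complete
    eta: str       # estimated completion timestamp, empty once finished


def parse_lsdriveprogress(text: str) -> list[DriveTask]:
    """Parse colon-delimited lsdriveprogress output into DriveTask records."""
    rows = [line.split(":") for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    tasks = []
    for fields in body:
        rec = dict(zip(header, fields))
        tasks.append(DriveTask(int(rec["drive_id"]), rec["task"],
                               int(rec["progress"]), rec["estimated_completion_time"]))
    return tasks


def classify_drives(progress_text: str, candidates: set[int]) -> dict[str, list[int]]:
    """Split candidate drives into 'done' (erase/format reports 100%), 'busy'
    (task still running: do not power off the enclosure or pull the drive) and
    'no_task' (nothing listed: the erase was never started, or the finished task
    is no longer shown; confirm the activity LED is solid green before acting)."""
    by_id = {t.drive_id: t for t in parse_lsdriveprogress(progress_text)
             if t.task in ("erase", "format")}
    result: dict[str, list[int]] = {"done": [], "busy": [], "no_task": []}
    for drive in sorted(candidates):
        task = by_id.get(drive)
        if task is None:
            result["no_task"].append(drive)
        elif task.progress >= 100:
            result["done"].append(drive)
        else:
            result["busy"].append(drive)
    return result


if __name__ == "__main__":
    # Drive 12 is a constructed id with no task listed.
    print(classify_drives(SAMPLE_PROGRESS, {3, 7, 9, 12}))
```

On a live system, replace SAMPLE_PROGRESS with the captured command output and only release the drives that land in the done bucket.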

Deleting data from boot drives

You can also securely delete the data on a boot drive of a control enclosure. To do so, use the satask rescuenode -secureerase -force command. The system then uses the block erase method to delete most of the vital product data (VPD) from the boot drive. Only the serial number, FRU part number, and MTM information remain in the VPD.