Secure Data Erase for the IBM i

Edit online

Use this procedure to complete the secure data deletion for the SAS attached disk drives, SAS attached solid-state drives, and PCIe attached NVMe devices connected to an IBM® i partition.

Ensure that the firmware of the PCIe3 SAS adapter that controls the SAS attached disk drive or solid-state drive has firmware level 19512900, or later.
  • If the partition is using IBM i 7.2, the adapter firmware level 19512900 is available in PTF MF67086.
  • If the partition is using IBM i 7.3, the adapter firmware level 19512900 is available in PTF MF67087.
  • If the partition is using IBM i 7.4, the adapter firmware level 19512900 is available in PTF MF67089.
Ensure that the IBM i Licensed Internal Code has the code level shown below, or later.
  • The partition using IBM i 7.2 needs PTF MF99109.
  • The partition using IBM i 7.3 needs PTF MF99208.
  • The partition using IBM i 7.4 needs PTF MF99302.

To Display the PTF information on the partition: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzam8/rzam8fixinfostatus.htm

Task What to do
1. Delete the data from all Auxiliary Storage Pools (ASPs).
  1. On the Use Dedicated Service Tools (DST) display, select Work with disk units.
  2. On the Work with Disk Units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with ASP configuration.
  4. On the Work with ASP Configuration display, select Delete ASP data.
  5. On the Select ASP to Delete Data From, select 4=Delete ASP Data for every ASP listed.
  6. On the Confirm Delete ASP Data display , press F10 to confirm.
2. Delete the User Auxiliary Storage Pools (User ASPs).
  1. Press F3 to return to the Work with disk units display.
  2. On the Work with Disk Units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with ASP configuration.
  4. On the Work with ASP Configuration display, select Delete user ASP.
  5. If an error message says that there is no user ASP, go to Task 3.
  6. On the Delete User ASP display, select 4=Delete for every ASP listed.
  7. On the Confirm Delete of User ASP display, press F10 to confirm.
3. Remove all units from the System Auxiliary Storage Pool (ASP 1).
  1. Press F3 to return to the Work with disk units display.
  2. On the Work with Disk Units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with ASP configuration.
  4. On the Work with ASP Configuration display, select Work with removing units from configuration.
  5. On the Work with Removing Units from Configuration display, select Remove units from configuration.
  6. If an error message says there are No units available to be removed, go to Task 4.
  7. On the Remove Units from Configuration display, select 4=Remove unit from configuration for every unit listed.
  8. On the Confirm Remove Disk Units display, press Enter to confirm.
4. Stop mirrored protection.
  1. Press F3 to return to the Work with disk units display.
  2. On the Work with Disk Units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with mirrored protection.
  4. On the Work with Mirrored Protection display, select Stop mirrored protection.
  5. If an error message says there are no ASPs with mirrored protection, go to Task 5.
  6. On the Select ASP to Stop Mirrored Protection display, select 1=Select to stop mirrored protection.
  7. On the Confirm Stop Mirrored Protection display, press Enter to confirm.
  8. The partition automatically IPLs to DST.
  9. Sign on to DST.
  10. On the Use Dedicated Service Tools (DST) display, select Work with disk units.
5. Stop device parity protection.
  1. On the Work with Disk Units display, select Work with disk configuration.
  2. On the Work with Disk Configuration display, select Work with device parity protection.
  3. On the Work with Device Parity Protection display, select Stop device parity protection.
  4. If an error screen says there are no disk units eligible for the selected operation, go to Task 6.
  5. On the Stop Device Parity Protection display, select 1=Stop device parity protection for every parity set listed.
  6. On the Confirm Stop Device Parity Protection display, press F10 to confirm.
  7. A status screen shows the progress of the stop device parity function.
6. Stop Hot Spare.
  1. On the Work with Disk Units display, select Work with disk configuration.
  2. On the Work with Disk Configuration display, select Work with Hot Spare configuration.
  3. On the Work with Hot Spare display, select Stop Hot Spare.
  4. On the Stop Hot Spare display, select 1=Stop Hot Spare for every disk unit listed. If there are no Hot Spare units, go to Task 7.
  5. On the Confirm Stop Hot Spare display, press Enter to confirm.
7. If the partition is running IBM i 7.3 or IBM i 7.2, skip this task and go to Task 8.

Delete NVMe namespaces.

  1. On the Work with Disk Configuration display, select Work with NVMe Devices.
  2. If there are no NVMe devices, go to Task 8.
  3. For each NVMe Device, do the following:
    1. On the Work with NVMe Device display, select Delete existing NVMe Namespaces.
    2. Select the NVMe device.
    3. On the Delete Existing NVMe Namespaces display, select 4=Delete Namespace for every namespaces listed.
    4. On the Confirm Delete Existing NVMe Namespaces display, press F10 to confirm the delete of the namespaces.
8. Initialize and format the disk units.
  1. Press F3 to return to the Work with disk units display.
  2. On the Work with disk units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with disk unit recovery.
  4. On the Work with Disk Unit Recovery display, select Disk unit problem recovery procedures.
  5. On the Disk Unit Problem Recovery Procedures display, select Initialize and format disk unit.
  6. On the Select Disk Units for Initialize and Format display, select 1=Select for every disk unit listed.
  7. You may see a Problem Report display informing of you of disk units that are possibly configured. Press F10 to Ignore problems and continue.
  8. On the Confirm Initialize and Format Disk Unit display, press F10 to confirm.
  9. A status screen shows the progress of the Initialize function.
9. If the partition is running IBM i 7.3 or IBM i 7.2, go to Task 17.

Record the information about the NVMe devices.

  1. Press F3 to return to the Work with disk units display.
  2. On the Work with disk units display, select Work with disk configuration.
  3. On the Work with Disk Configuration display, select Work with NVMe Devices.
  4. On the Work with NVMe Device display, select Display NVMe devices.
  5. If there are no NVMe devices listed, go to Task 17.
  6. Using the information shown on the Display NVMe Devices display, update the appropriate table below to record the Serial Number, Resource Name, and Type of each NVMe device.
    Table 1. Use this table to record information about NVMe devices with a type of 58FC, 58FD, or 58FE
    Serial Number Resource Name Type
         
         
         
         
         
         
         
  7. Table 2. Use this table to record information about NVMe devices with a type of 594A, 594B, 594C, 59B8, 59B9, or 59BA
    Serial Number Resource Name Type
         
         
         
         
         
         
         
10. Determine if the LoadSource disk unit is controlled by an NVMe .

To find if the LoadSource disk unit is controlled by a NVMe, do the following:

  1. On the Work with NVMe Device display, select Display NVMe namespaces.
  2. If there are no NVMe devices listed, go to Task 17.
  3. Using the information shown on the Display NVMe Namespaces display, look for a namespace that has a value of 1 in the ASP column and a value of 1 in the Unit column; that namespace is the LoadSource disk unit.

    If one of the disk units under a NVMe is the LoadSource disk unit, record the LoadSource disk unit Serial Number here:

    LoadSource disk Serial Number:______________

    Record the serial number of the NMVe Device here:

    Serial Number of NVMe Device that contains the Load Source disk:______________
11. Sanitize Block Erase each NVMe device listed in Table 2 on Task 9.
  1. For each NVMe Device in Table 2 in Task 9, do the following:
    Note: The NVMe device that contains the LoadSource disk unit will not be displayed on the selection screen.
    1. On the Work with Disk Configuration display, select Work with NVMe Devices.
    2. On the Work with NVMe Device display, select Sanitize/Erase NVMe device.
    3. On the Select NVMe Device display, select the NVMe device.
    4. On the Select Type of Sanitize display, select Sanitize Block Erase.
    5. On the Confirm Sanitize/Erase NVMe Device display, press F10 to confirm your choice to Sanitize Block Erase the selected NVMe device.
12. Format Cryptographic Erase each NVMe device listed in Table 1 on Task 9.
  1. For each NVMe Device in Table 1 in Task 9, do the following:
    Note: Do not do this step for the NVMe device that contains the LoadSource disk unit. If a NVMe device contains the LoadSource disk unit, Task 10 has the serial number of the NVMe device.
    1. On the Work with Disk Configuration display, select Work with NVMe Devices.
    2. On the Work with NVMe Device display, select Create NVMe namespaces.
    3. On the Select NVMe Device display, select the NVMe device.
    4. On the Create NVMe Namespaces display, enter the value 32 for the Quantity of namespaces to create and enter the value 32 for the Capacity of each namespace.
    5. On the Confirm Create NVMe Namespaces display, Press F10 to confirm the choice to create namespaces.
  2. For each NVMe Device in Table 1 in Task 9, do the following:
    Note: The NVMe device that contains the LoadSource disk unit will not be displayed on the selection screen.
    1. On the Work with NVMe Device display, select Sanitize/Erase NVMe device.
    2. On the Select NVMe Device display, select the NVMe device.
    3. On the Select Type of Sanitize display, select Format Cryptographic Erase.
    4. On the Confirm Sanitize/Erase NVMe Device display, press F10 to confirm your choice to Format Cryptographic Erase the selected NVMe device.
13. IPL the partition in D-mode to process the NVMe device that contains the LoadSource disk unit.
  1. Make sure you can access either the Hardware Management Console (HMC) or the Integrated Virtualization Manager to control your new logical partition.
  2. If you are using Operations Console, see the Getting Started document in the Documentation directory of the IBM i Access Client Solutions CD. Section 9.9 Establishing a Console Connection to IBM i provides instruction on connecting a LAN console.
  3. Verify that this logical partition has an alternate IPL resource (the resource for loading) assigned. For more information about alternate IPL resources, see the I/O devices topic.
  4. Load the installation media volume that contains the Licensed Internal Code into the installation resource defined for this logical partition.
  5. Use the control panel to verify or to set the mode selection to Manual and the IPL source to D.
  6. Use the control panel to activate the logical partition.
  7. Wait for the display to appear that has the language feature to select. (This could take several minutes).
  8. The Select a Language Group display shows the service tools language that is currently installed on the partition. Press Enter to select the language.
  9. On the Confirm Language Group display, press Enter to confirm the language group.
14. Delete namespace and then Format Cryptographic Erase the NVMe device that contains the LoadSource disk unit.

In Task 10, you identified the NVMe device that contains the LoadSource disk unit.

If the NVMe device that controls the LoadSource is from Table 2 in Task 9, go to Task 15.

If the NVMe device that controls the LoadSource is from Table 1 in Task 9, perform this task.

  1. Select Work with disk units.
  2. On the Work with Disk Units display, select Work with NVMe Devices.
  3. On the Work with NVMe Device display, select Delete Existing NVMe Namespaces.
  4. On the Select NVMe Device display, select the NVMe device that you identified in Task 10.
  5. Select the NVMe namespace with the serial number you recorded in Task 10.
  6. Find the NVMe device whose serial number matches the information you recorded in Task 10.
    Note: The NVMe Resource name shown on the screen might not match the information you recorded for the NVMe device in Table 1 in Task 9.
  7. A 'Possibly Configured Units' warning screen may be presented. Press Enter to accept the warning and continue.
  8. On the Confirm Delete Existing NVMe Namespaces display, press F10 to confirm the delete of the namespace.
  9. When the delete of the namespaces completes, Press F12 to return to the Work with Disk Units display.
  10. On the Work with Disk Units display, select Work with NVMe Devices.
  11. On the Work with NVMe Device display, select Create NVMe namespaces.
  12. On the Select NVMe Device display, select the NVMe device that you identified in Task 10.
  13. Find the NVMe device whose serial number matches the information you recorded in Task 10.
    Note: The NVMe Resource name shown on the screen might not match the information you recorded for the NVMe device in Table 1 in Task 9.
  14. On the Create NVMe Namespaces display, enter the value 32 for the Quantity of namespaces to create and enter the value 32 for the Capacity of each namespace.
  15. On the Confirm Create NVMe Namespaces display, press F10 to confirm the creation of the namespaces.
  16. On the Work with NVMe Device display, select Sanitize/Erase NVMe device.
  17. On the Select NVMe Device display, select the NVMe device you identified in Task 10.
  18. Find the NVMe device whose serial number matches the information you recorded in Task 10.
    Note: The NVMe Resource name shown on the screen might not match the information you recorded for the NVMe device in Table 1 in Task 9.
  19. On the Select Type of Sanitize display, select Format Cryptographic Erase.
  20. On the Confirm Sanitize/Erase NVMe Device display, press F10 to confirm the Format Cryptograpic Erase of the selected NVMe device.
  21. Go to Task 16 to power off the partition.
15. Sanitize Block Erase of the NVMe device that contains the LoadSource disk unit.
  1. If the NVMe device is from Table 2 in Task 9, do the following:
    1. Select Work with disk units.
    2. On the Work with Disk Units display, select Work with NVMe Devices.
    3. On the Work with NVMe Device display, select Sanitize/Erase NVMe device.
    4. On the Select NVMe Device display, select the NVMe device that you identified in Task 10.
    5. Find the NVMe device whose serial number matches the information you recorded in Task 10.
      Note: The Resource Name of the NVMe device might not match the information for the NVMe device that you recorded in Task 9.
    6. On the Select type of Sanitize display, select Sanitize Block Erase.
    7. On the Confirm Sanitize/Erase NVMe Device display, press F10 to confirm your choice to Sanitize Block Erase the selected NVMe device.
16. Power off the partition.
  1. F3 to return to Use Dedicated Service Tools (DST) display.
  2. On the Use Dedicated Service Tools (DST) display, select Start a service tool.
  3. On the Start a Service Tool display, select Operator panel functions.
  4. On the Operator Panel Functions display, enter the value 3 for IPL source: and the value 1 for IPL Mode:
  5. Press F10 to power off the partition.
  6. Press Enter to confirm the power down of the partition

The Secure Data Erase procedure is complete.
17. Erase data on the LoadSource disk unit.
  1. Make sure you can access either the Hardware Management Console (HMC) or the Integrated Virtualization Manager to control your new logical partition.
  2. If you are using Operations Console, see the Getting Started document in the Documentation directory of the IBM i Access Client Solutions CD. Section 9.9 Establishing a Console Connection to IBM i provides instruction on connecting a LAN console.
  3. Verify that this logical partition has an alternate IPL resource (the resource for loading) assigned. For more information about alternate IPL resources, see the I/O devices topic.
  4. Load the installation media volume that contains the Licensed Internal Code into the installation resource defined for this logical partition.
  5. Use the control panel to verify or to set the mode selection to Manual and the IPL source to D.
  6. Use the control panel to activate the logical partition.
  7. Wait for the display to appear that has the language feature to select. (This could take several minutes)
  8. The Select a Language Group display shows the service tools language that is currently installed on the partition. Press Enter to select the language.
  9. On the Confirm Language Group display, press Enter to confirm the language group.
  10. On the Install Licensed Internal Code display, select Install Licensed Internal Code.
  11. On the Install Licensed Internal Code (LIC) display, select Install Licensed Internal Code and Initialize system.
  12. On the Install LIC and Initialize System - Confirmation display, press F10 to Confirm.
  13. A status screen shows the progress of the operation.
  14. The partition automatically IPLs to DST when the function is complete.

The Secure Data Erase procedure is complete.