Crypto-Erase: More Relevant than Ever

We have had a number of inquiries from our customers and partners regarding cryptographic erase lately, so I decided to do a little research and make it the subject of my blog for this month.

I had a look at a White Paper on our web site from January 2011, “Reduce the Total Cost of Ownership of Laptops and Desktops; Effective end-of-life drive sanitization and disposal” and was pleased to see that it is still relevant. Despite the title it is mostly about crypto erase. It states that at the time, “Regulatory agencies and encryption professionals are currently studying crypto erase as a potential sanitization method of future updates to publications like NIST SP 800‐88.” That led me to this NIST document which was updated in Sept 2012. NIST SP 800-88, Guidelines for Media Sanitization, is a bit dry and technical, but what I got out of it is that NIST now sees crypto erase as a legitimate sanitization tool given the appropriate caveats including:

  1. The underlying encryption is FIPS 140 validated
  2. The encryption was turned on before any sensitive data was written to the media
  3. If there are any backups of the encryption keys they are stored separately and securely away from the crypto erased device.

It is hard and time consuming to sanitize gigabytes or even terabytes of data from modern drives. The main idea behind crypto erase is that if the data was properly encrypted already, then all one really has to do is wipe the encryption key and call it a day. Or as NIST puts it, “Thus, with <crypto erase>, sanitization may be performed with high assurance much faster than with other sanitization techniques.”

It is worth noting that SecureDoc has supported crypto erase for many years now for both software encryption and self-encrypting drives. This includes a feature where the SES (SecureDoc Encryption Server) administer can send a crypto erase command to a remote SecureDoc protected client machine, and then record the action in the SES database for compliance reasons.

Previous Post
Yahoo! Security!
Next Post
Talking Security at SC Congress

Related Posts

The Million Dollar Question

We’ve seen the countless benefits encryption can have for organizations.  So why aren’t organizations putting encryption at the top of their priority list when it can help mitigate such a huge business risk?  Over the years, there have been many…
Read more

Visionary! – Gartner Magic Quadrant

Being a software company focused on Mobile Data Protection (MDP) means we’re constantly trying to evolve our products and services. And according to Gartner Inc. that’s paying off as once again we were recognized as a Visionary in their annual…
Read more

4 Comments. Leave new

  • Hi, great post, very relevant

    does this crypto erase work even if the device is off the network for SEDs? or does is it executed when the device comes back on the network?


  • Hi Steve,

    Yes, we can enable admins with the ability to enforce a timed check-in for devices. If they fail to check in within x number of days, the device will erase the keys and lock the drive.

  • Thanks for the response. Does this require Intel Anti thief

  • Hi Steve,

    No, it does not require Intel AT.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Contact Us

This will close in 0 seconds