May 21st, 2014 13:00

DoD Wipe of Data Domain?

We have several Data Domain VTL units on lease that need to be returned soon.  Because of contract requirements, we must wipe the data off of the Data Domain units using DoD standards, not just the standard sanitize command.  There is apparently a service you can purchase from EMC where they will do it for you, but with as many units as we have and the cost per unit, the actual cost is astronomically prohibitive.  I am wondering if there is an alternate way to do this in house?

September 22nd, 2014 10:00

After a lot of research and help from others, the answer has been found.  You CAN boot from a USB drive and wipe the disks!  Here is the procedure:

1. Create bootable media, either a USB thumb drive or a bootable CD, using BCWipe or whatever other application you choose.

2. Attach bootable media via USB.

3. Boot Data Domain with a keyboard and monitor attached directly to it.  The moment you see the first text on the screen, start tapping the F2 key.

4. It will eventually come up and ask for the CURRENT password.  This is NOT the password you have set up for users, this is a BIOS/CMOS password.  Found the password info HERE: http://lvlnrd.com/emc-datadomain-default-bios-cmos-password/

DD460 = d400d (delta four zero zero delta)

DD670 = d600d (delta six zero zero delta)

DD880 = d800d (delta four zero zero delta)

The pattern is simple: "d + major series model number + d".

5. Once you are into the BIOS, go to the boot menu, set your USB drive as the first boot disk, and reboot.

6. Once you have rebooted it will boot from the USB drive, and you can then wipe the disks as you need to.  This may take a week or more depending on size of your drives.

7. After the wipe is complete, you will likely need to re-install the DDOS, the instructions for which can be found in the official documentation.

NOTE:  There is only one drawback with this method that I can think of.  There is not a way with BCWipe booting it from USB that you can save the logs or get the certificate saved to any media, so the only way to get a record of it is to snap a photo of the logs.  Cybersecurity has agreed to this method.

20.4K Posts

May 21st, 2014 13:00

If you need an official certificate, you have to use EMC data erasure services.

208 Posts

May 22nd, 2014 01:00

As has been said, to achieve your DoD compliant erasure (with a certificate), EMC offers the disk erasure services to achieve this for you. The Data Domain does not have this functionality built in.

If your question is whether you can do it yourself, you can use any product you like to erase the Data Domain units, any that use DoD standards and provide you with a certificate to prove it was done.

EMC offers this service to meet your requirement for secure erasure and an engineer to perform it from your site, so the cost is not just for the erasure software/licenses, it requires two site visits, one to start and one to complete/gather certificate.

At the end of the day it's your DD and your DoD requirement, as long as whatever path you choose meets DoD standards and you are happy to perform it yourself then you don't need to buy the turn key services from EMC.

Regards. Jonathan

June 18th, 2014 07:00

Here is another question, can I boot from either a USB attached DVD drive or a USB stick containing BCWipe?  If I can get it to boot to that, I can use BCWipe to do a DoD wipe.

208 Posts

June 18th, 2014 08:00

Probably, we have had to do it that way before to get over an issue we were experiencing with the software, it wasn't all that pleasant.

USB with stick is way easier in my opinion. The EMC Blancco procedure to do this states stick.

Also, if you're using a USB DVD drive, how will you save the completion files?

You'll probably still need to insert a stick.

The EMC build of Blancco is not the standard version anyway, it's been written for EMC to account for the correct device drivers and other idiosyncrasies for the multitude of DDR models out there.

Regards, Jonathan

June 18th, 2014 08:00

Ok.  That's a good idea, I am running it now.  But just for my own information, in case security isn't satisfied with that, and requires me to do the BCWipe after all, how would I boot off of the USB stick?

208 Posts

June 18th, 2014 08:00

If you don't need to save anything then you probably don't need DoD compliancy because a completion certificate is required to meet that governance plus the method of multiple pass overwrites etc...

If you don't need compliance and you don't need a certificate then you should just issue a command;

filesys destroy and-zero (make sure it's the correct DDR )

The and-zero will write zeros and will take several hours to complete. It is not supported on gateway appliances.

Without the "and-zero" it will just 'mark' the data as deleted and finish very quickly.

I hope that helps, Regards Jonathan

June 18th, 2014 08:00

Ok, I tried to do that yesterday, but could not figure out how to get to the BIOS to do that.  I am using a DD610 in this case, with OS 5.4.2.1 on it.  I got into some kind of BIOS, but I think it was specifically the storage controller BIOS, not the machine itself. 

208 Posts

June 18th, 2014 08:00

Oh yes, sorry - missed that!

It will probably just boot from stick but not always, if it doesn't then drop into BIOS and tell it to boot from USB.

It really depends on the model - even similar models behave marginally differently to one another.

Regards, Jonathan

June 18th, 2014 08:00

This isn't Blancco, it's a bootable USB stick that allows me to run BCWipe.  I don't believe I need to save anything.  It is just going to wipe the disks completely before sending the unit back from lease.  When you need to boot from a USB stick, is there a button or combination of buttons on boot that needs to be pressed, like on most servers/PCs, to have it recognize to boot from something other than the internal OS?

208 Posts

September 23rd, 2014 06:00

Hi,

I'm glad you are happy with your DoD system wipe, nice job.

On your final note, with the EMC services to perform the wipe we insert a stick when it completes and capture the raw files from the erasure completion onto it and then generate a certificate in pdf form to confirm the successful passes against each disk and that the verification also completed with no errors. This lists out the SN of the disks and the system etc...

Without that certificate and the details, we would not be able to complete as DoD compliant, but your guys are happy with a photo and that's great news.

Note: The EMC erasure software is actually running from the software loaded in RAM, not from the stick, which is how we can insert a different stick to collect the raw completion files. The software obviously has to be able to scan for this new stick/media when inserted, and that's where the drivers become very important.

I've never done it with any other erasure products, so maybe those have a similar method.

Regards, Jonathan
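The kind of per-disk erasure record described in the post above (pass results, read-back verification, disk serial number), shown as an added example that is not part of the thread and is not EMC's, Blancco's or BCWipe's code. It assumes a three-pass pattern of zeros, ones and random data, which the thread does not specify; the serial number and the temporary file standing in for a disk are constructed.

```python
import hashlib, json, os, tempfile

CHUNK = 1 << 20  # write/read in 1 MiB blocks

def overwrite_pass(path, pattern):
    """Overwrite every byte of path; pattern is a byte value, or None for random.
    Returns the SHA-256 of the data written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = f.seek(0, os.SEEK_END)  # size of file or block device
        f.seek(0)
        while remaining:
            n = min(CHUNK, remaining)
            buf = os.urandom(n) if pattern is None else bytes([pattern]) * n
            f.write(buf)
            digest.update(buf)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the medium before verifying
    return digest.hexdigest()

def read_back(path):
    """SHA-256 of the current contents. On a real disk, bypass the page cache
    (not done here) so the read comes from the medium."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            digest.update(buf)
    return digest.hexdigest()

def wipe_with_record(path, serial, passes=(0x00, 0xFF, None)):
    """Run each pass, verify it by read-back, and return a record to archive."""
    record = {"device": path, "serial": serial, "passes": []}
    for i, pattern in enumerate(passes, 1):
        written = overwrite_pass(path, pattern)
        name = "random" if pattern is None else f"0x{pattern:02X}"
        record["passes"].append(
            {"pass": i, "pattern": name, "verified": read_back(path) == written})
    ok = all(p["verified"] for p in record["passes"])
    record["result"] = "PASS" if ok else "FAIL"
    return record

def demo():
    # Constructed stand-in for a disk: a temp file holding recognisable data.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"customer backup data " * 1000)
    try:
        rec = wipe_with_record(tmp.name, serial="SAMPLE-SN-0001")
        with open(tmp.name, "rb") as f:
            return rec, b"customer" in f.read()
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Writing the returned record to separate media after the run gives a log that does not depend on a photograph of the screen.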

12 Posts

September 29th, 2014 20:00

How do I run filesys destroy and-zero on my DD ?

I'm trying it with NAVCli which I'm using it for my VNX but I get invalid response. I believe for DD it would be a different way ?

20.4K Posts

September 29th, 2014 20:00

Can't use navicli, either purchase certified erasure server from EMC or try the steps above.

1 Message

May 30th, 2021 15:00

Hi, 

I have an EMC DD2500 and it doesn't have the VGA port or USB boot option. The DD2500 has only a serial port. How can I proceed with a DoD wipe for the DD2500? It has only CLI mode.
