
iDRAC10 Security Configuration Guide
Securely Erasing Data
Data security is a key consideration throughout the life cycle of a server, including when the server is repurposed or retired. Many servers are repurposed as they are transitioned from workload to workload, or as they change ownership from one organization to another. All servers are retired when they reach the end of their useful life. When such transitions occur, the best practice for data protection is to remove all data from the server to ensure that sensitive information is not inadvertently shared. Beyond best practices, government privacy regulations often also require complete data elimination when IT resources are transitioned.
System Erase simplifies the process of erasing server storage devices, and server nonvolatile stores such as caches and logs. To meet varying Systems Administrator needs for interactive and programmable operations, System Erase can be performed by the following methods: Lifecycle Controller UI, Redfish, and RACADM CLI.
Using one of these three methods, an administrator can selectively reset a PowerEdge server to its original state (factory settings), removing data from internal server nonvolatile stores and from storage devices within the server. System Erase can discover server-attached storage including hard disk drives (HDDs), self-encrypting drives (SEDs), Instant Secure Erase (ISE) drives, and nonvolatile memory drives (NVMes). Data stored on ISE, SED, and NVMe devices can be made inaccessible using cryptographic erase, while devices such as non-ISE SATA HDDs can be erased using data overwrite.
NVMe Sanitize Cryptographic Erase is much faster and more efficient than other methods. This feature destroys the key and creates a new media encryption key. Data blocks are overwritten with zeros and rendered irretrievable. Data erase also removes other user-sensitive data such as debug logs and Personal Identifying Information (PII).
For information about the System Erase function within the Lifecycle Controller UI, see the Lifecycle Controller User's Guide available on the iDRAC page.
| Drive Type | Connected to | Erase Method used | Notes |
|---|---|---|---|
| SAS/SATA SED | PERC | TCG Enterprise Extension (Dell Drive specification) RevertSP | Cryptographically erases all user data and returns the drive to factory secure state. PERC issues the command to the drives. |
| SAS/SATA HDD | PERC/HBA/SW RAID/AHCI | SCSI Write Buffer (3Bh)/ATA Write Buffer | Dell ships only ISE/SED drives, so this method is no longer in use. |
| NVMe | PERC/non-PERC | | BIOS and PERC issue these commands to the drives. Sanitize is a new command and so is supported by newer drives; older drives support Format NVM. BIOS/PERC checks whether the drive supports Sanitize and uses it; if not, it uses the Format NVM command. |
| NVMe SED | PERC/BOSS/non-PERC | TCG Opal Revert | Cryptographically erases all user data and returns the drive to a factory secure state. PERC/BOSS issues the command to the drives. For direct attach, iDRAC issues the command. BOSS and iDRAC support for NVMe SED is not supported. |
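
The Sanitize-then-Format NVM fallback described in the NVMe row can be checked before decommissioning by decoding a drive's Identify Controller data. The following is an added example, not Dell's code: the field offsets (OACS, SANICAP, FNA) come from the NVMe base specification, while the function names, the sample buffers, and the assumption that "supports Sanitize" means the Crypto Erase bit are illustrative.

```python
import struct

# Offsets in the 4096-byte Identify Controller data (NVMe base specification).
OACS_OFFSET = 256      # 2 bytes; bit 1 = Format NVM command supported
SANICAP_OFFSET = 328   # 4 bytes; bit 0 = Sanitize Crypto Erase supported
FNA_OFFSET = 524       # 1 byte;  bit 2 = Format NVM cryptographic erase supported


def erase_capabilities(id_ctrl: bytes) -> dict:
    """Decode the erase-related capability bits of an Identify Controller buffer."""
    if len(id_ctrl) != 4096:
        raise ValueError("Identify Controller data must be exactly 4096 bytes")
    (oacs,) = struct.unpack_from("<H", id_ctrl, OACS_OFFSET)
    (sanicap,) = struct.unpack_from("<I", id_ctrl, SANICAP_OFFSET)
    fna = id_ctrl[FNA_OFFSET]
    return {
        "sanitize_crypto": bool(sanicap & 0x1),
        "sanitize_block": bool(sanicap & 0x2),
        "sanitize_overwrite": bool(sanicap & 0x4),
        "format_nvm": bool(oacs & 0x2),
        "format_crypto": bool(oacs & 0x2) and bool(fna & 0x4),
    }


def expected_erase_method(id_ctrl: bytes) -> str:
    """Rule from the table: use Sanitize if supported, otherwise Format NVM.
    Assumption: 'supports Sanitize' is read as the Crypto Erase bit."""
    caps = erase_capabilities(id_ctrl)
    if caps["sanitize_crypto"]:
        return "Sanitize (Crypto Erase)"
    if caps["format_crypto"]:
        return "Format NVM (cryptographic erase)"
    if caps["format_nvm"]:
        return "Format NVM (no cryptographic erase advertised)"
    return "no supported erase command; review before disposal"


def make_sample(oacs=0, sanicap=0, fna=0) -> bytes:
    """Build a constructed Identify Controller buffer with only these fields set."""
    buf = bytearray(4096)
    struct.pack_into("<H", buf, OACS_OFFSET, oacs)
    struct.pack_into("<I", buf, SANICAP_OFFSET, sanicap)
    buf[FNA_OFFSET] = fna
    return bytes(buf)


if __name__ == "__main__":
    newer = make_sample(oacs=0x2, sanicap=0x3, fna=0x4)  # constructed: Sanitize-capable
    older = make_sample(oacs=0x2, sanicap=0x0, fna=0x4)  # constructed: Format NVM only
    for name, buf in (("newer", newer), ("older", older)):
        print(name, "->", expected_erase_method(buf))
```

On a live system the 4096-byte buffer would come from the drive's Identify Controller response rather than from `make_sample`.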