DataGuard
Introduction
SP Industrial devices that support DataGuard are equipped with a hardware switch that enables Write Protect and Quick Erase. The DataGuard feature is activated when a specific connector is placed on the designated pin header, either during the initial power-up sequence or at any point during operation. This gives flexible and immediate control over data protection or data erasure, enhancing the device's security and reliability.
Write Protect
Write Protect can prevent important data stored on a solid state drive (SSD) from being accidentally changed or deleted. When activated, Write Protect mode only allows reading of data; writing and deleting are blocked. This mode can be turned on through either software or hardware settings without needing to install additional drivers, and it will function independently of the host operating system.
To enable Write Protect through hardware, change the position of the general purpose input/output (GPIO) pin connected to the SSD using a jumper or switch. To enable it through software, send a vendor command to the SSD from the host operating system.
Quick Erase
Reliably Erasing Data from an SSD
Securely erasing data from storage devices is vital for data protection. Unlike hard drives, solid state drives (SSDs) use flash memory and include a translation layer between logical block addresses (LBAs) and physical memory. This improves performance and durability but can leave hidden copies of data that attackers might recover, even if users can't access them. Complete data sanitization is therefore essential.
Whole-Drive Sanitization Methods
There are four main ways to sanitize an SSD:
- Built-in Sanitize Commands
Modern SSDs often include firmware-based sanitize commands. These may write all zeros, ones, or manufacturer-set patterns (e.g., 0x55). Standards like “block erase” target all memory blocks, including inaccessible ones. Industrial SSDs can use multi-channel erase techniques to sanitize a 1TB pSLC SSD in around 10 seconds.
- Repeated Overwriting
Another method is overwriting each logical block multiple times using standard I/O commands. Many standards follow this approach, using bit patterns written in 1 to 35 passes. For example, the U.S. Air Force 5020 method writes zeros, then ones, then a random character, and verifies that only the last remains.
Because SSDs often compress data, random patterns are best for overwriting. The effectiveness may also vary based on prior drive usage. Tests showed that overwriting twice was typically enough, regardless of access pattern, though this method is time-consuming.
- Electrical Destruction
Hard drives can be degaussed to erase magnetic data, but SSDs use non-magnetic flash memory, so degaussing doesn’t work. Some propose using high voltage to physically destroy flash chips, but such designs are rare. Industrial SSDs include strong power protection, making this method impractical and unsafe for most users.
- Leveraging Encryption
Self-encrypting SSDs, like those from SP Industrial, use AES-256 encryption following the TCG/Opal standard. Encryption is always active, but keys are only managed when security features are enabled. Securely deleting the key renders the data inaccessible, offering a fast, secure sanitization method in theory.
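The three-pass overwrite described under Repeated Overwriting (zeros, ones, a final pass, then verification of the last pass) can be sketched as follows. This is an added example, not SP Industrial code; the function names and the `random_stream` option are assumptions, and the option replaces the single random character with incompressible random data, following the note about SSD compression.

```python
import hashlib
import os
import secrets

CHUNK = 1 << 20  # write 1 MiB at a time so large targets do not fill memory
O_BINARY = getattr(os, "O_BINARY", 0)  # only defined on Windows


def _write_pass(fd, size, make_chunk):
    """Overwrite bytes [0, size), flush to the device, return SHA-256 of the data written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = make_chunk(min(CHUNK, remaining))
        view = memoryview(buf)
        while view:  # os.write may write fewer bytes than requested
            view = view[os.write(fd, view):]
        digest.update(buf)
        remaining -= len(buf)
    os.fsync(fd)
    return digest.hexdigest()


def _read_digest(fd, size):
    """Read bytes [0, size) back and return their SHA-256."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:
            break
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()


def overwrite_and_verify(path, random_stream=True):
    """Zeros, ones, then a random final pass; return (size, final_pass_verified)."""
    fd = os.open(path, os.O_RDWR | O_BINARY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        char = bytes([secrets.randbelow(256)])  # the single "random character"
        last = secrets.token_bytes if random_stream else (lambda n: char * n)
        for make_chunk in (lambda n: b"\x00" * n, lambda n: b"\xff" * n, last):
            written = _write_pass(fd, size, make_chunk)
        return size, written == _read_digest(fd, size)
    finally:
        os.close(fd)
```

The code only reaches logical blocks; on an SSD the translation layer described above can still hold older copies in physical blocks that logical writes never touch.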