1

I am about to return my ThinkPad laptop to my (former) employer. I found a very nice solution to erase / protect my private data -- ThinkWipe application in ThinkPad's BIOS. I made use of it right away.

However, to my kind of big surprise, it told me that:

  • 2 seconds long encryption key reset is a safe method,
  • 15 minutes long zero-write (single pass) isn't considered a safe method.

I'd like to update my knowledge in this area.

What is encryption key reset? Doesn't this simply mean that the currently used (and valid for decryption) key will be replaced with some random one (not valid for data decryption)? If that's true, then this means that my data is still there, encrypted of course. Doesn't this mean that if someone figured out my "old" key, or could somehow reverse the encryption key reset process, they would again gain access to my data?

Anyway, even if I am blind here, this still doesn't change the fact that my data is kept untouched (there is no way that a 2-second long process is able to erase the entire disk). How then can this method be considered safe while the method of replacing every bit of data with zero isn't?

I understand that single-pass zeroing isn't "that safe" and only a 3-pass wipe can be considered safe. But... still... I don't get how it isn't safer than just an encryption key reset.

I have read this question, but it doesn't seem to be fully answering my question here, because it says pretty much nothing about encryption key reset.

trejder
  • 4
    Does this answer your question? [Wipe data from many storage devices](https://security.stackexchange.com/questions/181719/wipe-data-from-many-storage-devices) – user Apr 26 '21 at 12:55
  • 3
    If someone would figure out the encryption key, then you were already unsafe. – kelalaka Apr 26 '21 at 14:19
  • @user No, it doesn't. While it is pretty much a very enhanced and complex review of various disk wiping options, it deals with disk-writing solutions only. If I am not mistaken, it says nothing about resetting the encryption key, the most important thing of my question here. – trejder Apr 28 '21 at 06:22

1 Answer

3

Time spent on an operation does not necessarily relate to effectiveness of said method. Simply copying a file to an external drive is much faster and will yield better results than converting it to base64 and then typing it in.

Why is an Encryption Key Reset secure?

Essentially, it means you are okay with the attacker gaining access to your encrypted data, believing that they will not be able to decrypt it. While this sounds strange at first, keep in mind that every piece of sensitive information you have ever transmitted over the internet - ranging from your online banking credentials, over health-related data to pictures of your genitals - has undergone this exact process, and we still consider it secure.

We assume that AES-128 and AES-256 are in fact so secure that, without the secret key being known, it is physically impossible to recover the data. That's right - we're not talking about statistics anymore, we're talking about physics. Thermodynamics, to be exact. There isn't enough energy in the universe to recover it. And AES has been around since 1998 and it shows no signs of weakness yet.

So when you do an Encryption Key Reset, what you actually do is just delete or overwrite a very small (128 or 256 bit) piece of data. You can do that countless times, very very quickly. As you yourself said, it only takes 2 seconds. I'm sure that after thousands and thousands of writes to the location of the key, it's not recoverable anymore.

Why is zeroing out a drive insecure?

Essentially, you're going down the hard route here. If your data is encrypted already, then zeroing it out or overwriting it with randomness is essentially redundant. Without the key it becomes unreadable anyways, as mentioned above. Zeroing it out certainly doesn't make it less secure, but it won't make it more secure either (practically speaking). What you actually end up doing by zeroing it out is adding wear to your storage, which is particularly bad with SSDs.

Now where zeroing something out is indeed less secure is if the data is stored in plain text, and you're trying to destroy it by overwriting it. Now, the question whether or not a single-pass of zeroing is enough to destroy the data permanently is being debated. Some say it's perfectly fine, others say that specialists can recover the data. I'm not an expert when it comes to forensics, so I will say "Some people claim that a single-pass of zeroing is not enough to fully erase all data" - which is the only factual statement I can give in regards to that.

In the end, zeroing out the key is probably the better method, for various reasons:

  1. It's a lot faster.
  2. It doesn't wear your storage device out.
  3. It's just as secure.
  4. You should use Full-Disk Encryption anyways.
  • 3
    @trejder - A couple of comments. (1) Your password or passphrase for an encrypted disk is actually a password to the encryption key which is a gawd awful 128/256 bit key. Even if your password was *1234*, once the actual 256-bit key is gone, your password is useless. One possible risk with this method is if the header with key was previously copied. (2) I can assure you that a single pass wipe is sufficient vice multiple. The real risk with a wipe is verification that the wipe was successful. There are a number of reasons why a wipe might partially fail, generally related to disk errors. – user10216038 Apr 26 '21 at 15:56
  • 1
    Even worse for zeroing out a drive, you CANNOT reliably overwrite data on an SSD since the wear leveling algorithm will very likely direct the writes to a different physical block. The only alternatives are the firmware's secure erase functionality (which requires trust in the drive manufacturer, and likely performs a key reset internally), or using full-disk encryption and destroying the key. Or physically destroying the drive, but I doubt OP wants to do this :) – amon Apr 26 '21 at 18:14
  • @amon Just to clarify, in this particular scenario (mine) we're talking about ThinkWipe solution being part of my ThinkPad's BIOS app, so I believe this mandates to what you called "firmware's secure erase functionality". But, after all, I totally agree with your point and thanks for enhancing MechMK1's answer. – trejder Apr 28 '21 at 06:20
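The following is an added example, not code from the question, the answer, or Lenovo's ThinkWipe; it models a hypothetical self-encrypting drive in stdlib Python to show the three mechanics discussed in this thread: a key reset touches only the 256-bit data key yet makes every block unreadable; the user's password merely unwraps that key, so a weak password (the "1234" from the comment above) is irrelevant once the key is gone, unless the key header was imaged beforehand; and wear levelling can leave an old block in place after a logical "zero" write. The cipher is a SHA-256 counter-mode keystream standing in for AES-XTS (a toy, not a real cipher), and the XOR key wrapping and header layout are simplified assumptions.

```python
"""Toy self-encrypting drive with wear levelling (added example, hypothetical API).

Cipher: SHA-256 counter-mode keystream as a stand-in for AES-XTS (toy only).
Key wrapping: data key XOR PBKDF2(password) - a simplification of real SED headers.
"""
import hashlib
import os
import secrets

SECTOR = 32  # bytes; one SHA-256 digest of keystream covers one sector


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sector_keystream(dek: bytes, phys: int) -> bytes:
    """Keystream bound to the data key and the physical block number."""
    return hashlib.sha256(dek + phys.to_bytes(8, "big")).digest()


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key. The password never encrypts data directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class ToyDrive:
    def __init__(self, password: str, blocks: int = 64):
        self.media = [os.urandom(SECTOR) for _ in range(blocks)]  # raw flash contents
        self.free = list(range(blocks))      # unused physical blocks
        self.map = {}                        # logical sector -> physical block
        self.salt = os.urandom(16)
        self.dek = secrets.token_bytes(32)   # the 256-bit data-encryption key
        self.header = self._wrap(password)   # the only place the key "lives" on disk

    def _wrap(self, password: str) -> bytes:
        return _xor(self.dek, derive_kek(password, self.salt))

    @staticmethod
    def unwrap(header: bytes, salt: bytes, password: str) -> bytes:
        return _xor(header, derive_kek(password, salt))

    def write(self, lsn: int, plaintext: bytes) -> None:
        """Wear levelling: every write lands on a fresh physical block; the block
        previously holding this sector is left untouched on the media."""
        assert len(plaintext) == SECTOR
        phys = self.free.pop(0)
        self.media[phys] = _xor(plaintext, sector_keystream(self.dek, phys))
        self.map[lsn] = phys

    def read_raw(self, phys: int, dek: bytes) -> bytes:
        """What a forensic reader gets from a physical block with a candidate key."""
        return _xor(self.media[phys], sector_keystream(dek, phys))

    def crypto_erase(self, new_password: str) -> None:
        """The 'encryption key reset': replace the 32-byte key and rewrap it."""
        self.dek = secrets.token_bytes(32)
        self.salt = os.urandom(16)
        self.header = self._wrap(new_password)


def demo() -> dict:
    secret = b"payroll.xlsx: CEO salary".ljust(SECTOR)   # constructed sample data
    drive = ToyDrive("1234")                              # deliberately weak password
    drive.write(7, secret)
    old_phys = drive.map[7]
    readable_before = drive.read_raw(old_phys, drive.dek) == secret

    # Image of the key header taken BEFORE the erase (the copied-header risk).
    stolen_header, stolen_salt = drive.header, drive.salt

    # "Zero" logical sector 7: wear levelling writes zeros to a new block,
    # so the old ciphertext block is still present and still decryptable.
    drive.write(7, bytes(SECTOR))
    old_block_survives_zeroing = drive.map[7] != old_phys
    old_block_readable_with_key = drive.read_raw(old_phys, drive.dek) == secret

    # Key reset: only the key changes, yet the surviving block is now noise.
    drive.crypto_erase("new-owner-passphrase")
    unreadable_after_key_reset = drive.read_raw(old_phys, drive.dek) != secret
    guessed = ToyDrive.unwrap(drive.header, drive.salt, "1234")   # old password
    weak_password_useless_after_reset = drive.read_raw(old_phys, guessed) != secret

    # ...but a pre-erase header image plus the weak password recovers the OLD key.
    old_dek = ToyDrive.unwrap(stolen_header, stolen_salt, "1234")
    recoverable_from_pre_erase_image = drive.read_raw(old_phys, old_dek) == secret

    return {
        "readable_before": readable_before,
        "old_block_survives_zeroing": old_block_survives_zeroing,
        "old_block_readable_with_key": old_block_readable_with_key,
        "unreadable_after_key_reset": unreadable_after_key_reset,
        "weak_password_useless_after_reset": weak_password_useless_after_reset,
        "recoverable_from_pre_erase_image": recoverable_from_pre_erase_image,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the caveat worth checking before trusting a key reset on a drive that was unlocked with a weak password: the reset defeats anyone who images the drive afterwards, but not someone who already holds a copy of the wrapped key header and can guess the password that wraps it. Real drives also differ in whether the firmware zeroises the key store in place or merely allocates a new key, which is why the ThinkWipe behaviour itself has to be taken on trust from the vendor.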