Wiping Hard Disk Drives Completely: How Many Passes Do You Need?
Occasionally, customers have requested my advice regarding which data erasure standard that we recommend, or the optimal number of erasure rounds required to securely erase a hard disk drive (HDD). Well, how many passes it takes to overwrite a hard disk can be a complex question. It depends on several factors, particularly technology changes, research findings and recommended procedures. I will touch on many of these in this post.
First, let’s take a look at the target of all these concerns: the hard disk drive—also referred to as a “hard drive” or “hard disk”—and what it means to overwrite one.
Hard Drive Basics
The magnetic hard disk drive, introduced in 1956, didn’t gain prominence until the late 1980s. These days, HDDs are still widely used for non-volatile data storage, and are expected to remain for some time despite the rise of faster flash-based storage, including solid-state drives (SSDs).
HDDs retain data on magnetic platters, where it can be preserved even without electrical power for many years. Though hard drive technology is a huge asset in our data-centric world because of its large capacity, decreasing cost and physical size, it is a potential liability because it must be disposed of properly to minimize or eliminate the risk of unauthorized data access.
The safest and most cost-effective way to make data disappear without having to destroy a hard disk is to simply overwrite it. But how many overwriting passes are sufficient? Or, as some put it, how many times do you write ones, zeroes, or other junk data to a hard drive before it is completely wiped?
The Evolution of HDD Data Removal Procedures
The process of removing data from storage media has been examined by different government agencies and organizations several times during the past 20 years. Today, internal operating manuals based on NIST 800-88 Media Sanitization Guidelines (see our blog on NIST) usually specify two kinds of procedures:
- clearing (to prevent recovering data using software) and
- purging (to prevent recovering data using laboratory techniques).
Clear procedures generally involve overwriting the HDD. Purge procedures with higher security requirements can vary but usually involve overwriting techniques combined with the execution of internal HDD commands (firmware-based erasure). (NOTE: Degaussing (demagnetizing) or physical destruction of media renders the media unusable, but even then, can sometimes leave recoverable data behind).
The nature of the data (how confidential it is) as well as other considerations (whether the hard drive is leaving the organization or not, for example) determines which procedures your organization needs to follow.
Both clearing and purging techniques are satisfied by the data sanitization process, which involves a complete removal of data, including verification and certification that erasure has been performed successfully. This software-based method securely overwrites data from any data storage device by writing zeros and ones onto all sectors of the device. By overwriting the data on the storage device, the data is rendered unrecoverable and achieves data sanitization.
Early 1990s: U.S. Department of Defense Specifies the 3-Pass Method
As early as the mid-1990s, operating manuals were released for classified information handling and data sanitization, the main one being the U.S. Department of Defense (DoD) National Industrial Security Program Operating Manual (PDF). This document specified that rigid magnetic disks should be sanitized by writing some “character, its complement, and then a random character” (i.e., three overwriting passes) and is known as the “DoD 5220.22-M” standard.
Mid to Late 1990s: Gutmann Advocates 35 Passes, Schneier Says 7
In 1996, Peter Gutmann published a paper that upset the status quo by affirming that some laboratories were theoretically capable of retrieving data from overwritten hard disks by using sophisticated tools such as magnetic force microscopes. As a result, he proposed an overwriting method consisting of 35 passes!
No need to panic, however. This algorithm was meant to be used on older HDD technology from the 1980s and 1990s that used MFM/RLL line coding techniques. Also, this was a combination of three different algorithms to overwrite different line encoding schemes, which partly explains the large number of passes.
The arrival of newer HDDs using PRML techniques in the late 1990s made the hard drives using MFM/RLL techniques obsolete, along with Gutmann’s 35-pass method. About the same time, security expert Bruce Schneier published a book containing a method for data overwriting using seven passes: one pass using ones, the next pass using zeroes and passes three through seven using other static or random characters.
The Year 2000: Agencies Worldwide Weigh In, with Germany Advocating 7 Passes to Overwrite a Hard Disk
Curiously enough, early in 2000, several national agencies released operating manuals that recommended the use of more than three passes.
A good example is the VSITR method by the German information security agency, BSI, which applied seven overwriting passes. It soon became popular in Europe to use overwriting methods that consisted of four to seven passes.
2006 to Today: DoD Drops 3-Pass Requirement, Other Governments Tout 1 to 3 Passes
NIST 800-88: The Current U.S. Government Standard States 1 Pass is Sufficient
Later in 2006, the DoD 5220.22-M operating manual removed text mentioning any recommended overwriting method. Instead, it delegated that decision to government oversight agencies (CSAs, or Cognizant Security Agencies), allowing those agencies to determine best practices for data sanitization in most cases.
Meanwhile, the U.S. National Institute of Standards and Technology (NIST), in its Guidelines for Media Sanitization of 2006 (PDF), stated that “for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media.” When NIST revised its guidelines in late 2014, it reaffirmed that stance. NIST 800-88, Rev. 1 (PDF) states, “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.” (It noted, however, that hidden areas of the drive should also be addressed.)
For ATA hard disk drives and SCSI hard disk drives specifically, NIST states, “The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. Multiple write passes or more complex values may optionally be used.”
Even for Purge, one pass will suffice, it said, though an inverted three-pass method is also an option.
HMG British Standard Advocates 1 to 3 Passes to Overwrite HDDs; BSI GSE Says 1 or 2 Passes Are Adequate
The HMG Infosec Standard 5, published by the British CESG (now part of National Cyber Security Centre), currently defines two methods: one with one overwriting pass and one with three overwriting passes. The latter three-pass method, the CESG CPA-Higher Level, is almost identical to the 1996 “DoD 5220.22-M” standard, except that it requires verification after each step.
Finally, in 2012, the newer BSI GS standards were made public, combining one to two overwriting passes of random data with firmware-based erasure.
However, keep in mind that the overwriting techniques we’ve discussed thus far were intended for magnetic hard disk drives, not flash-based SSDs.
A Note on SSDs—and the Challenge of Erasing Them
With the rise of laptops and the need for speed, non-volatile storage trends have seen an uptick in solid-state drives (also known as flash memory drives or SSDs). And though the technology has been around for decades, it wasn’t until 2005 that Samsung declared SSD as a strategic market.
Today, SSDs come in different interfaces/technologies (SATA, SCSI/SAS, eMMC, Fusion-io, NVMe/PCIe, USB) and form-factors (2.5-inch, mSATA, M.2, AiC PCIe). Faster, more reliable, and allowing for more storage capacity than their HDD counterparts, SSDs are highly efficient. They are also smaller, lighter, more resistant to damage and consume less power.
However, they also come with data destruction concerns: SSDs are difficult to physically destroy to an acceptable level, and methods like degaussing don’t work on them. While NIST allows minimum one-pass overwriting for SSDs, it’s almost always combined with specialized commands, technologies, or tools and with additional steps required to reach all sectors. This is because SSDs have mechanisms that minimize wear (wear leveling) by using non-addressable overprovisioning areas within the drive where data can be left behind. Furthermore, multiple passes also come at a cost: premature wear on SSDs that reduces the overall lifetime of the media.
Fortunately, Blancco not only erases magnetic-based media, we also offer a patented SSD erasure method to fully and securely overwrite different types of SSDs, simplifying the process and speeding up erasure across a range of flash-based storage devices.
Conclusion: Only 1 Overwriting Pass is Needed to Erase HDDs
The technology changes in the last 15 years, such as the ever-increasing data density on disk platters, have made all attempts to recover data after overwriting unlikely. Multiple overwriting passes for hard disk drives is not an absolute necessity anymore.
So, how many times should you overwrite a hard disk for complete data erasure? The answer: One pass is enough.
However, to ensure the overwriting process has been effective, major agencies and government bodies worldwide (NIST 800-88, NCSC, BSI and others) state that the verification of data erasure is mandatory for full compliance with their standards. Other research supports this idea.
To summarize, securely overwriting hard disk drives involves:
- One overwriting pass for most HDD erasure. Remember to weigh data sensitivity against the costs of higher level of security and the time you want to spend on each processed asset. More passes take longer and are usually unnecessary.
- Utilizing the drive’s firmware-based erasure commands, when available, as a valuable addition, particularly when erasing sensitive data.
- Removing and erasing any hidden areas on the HDD as part of the erasure process in those cases.
- Verifying erasure, whether at the end of the process or after each overwriting round to ensure that data sanitization has occurred and to comply with most data erasure standards.
- Remembering that what works for HDDs does not apply to flash-based storage (SSDs): match your erasure method to your media type.
Documenting erasure: The best erasure is the one you can prove; therefore, a report proving verification and certification of the erasure of a media support is also necessary.
In the end, the final decision on which erasure standard to use, and therefore, the number of times to overwrite your drives, rests with you. You can view a list of data wiping and erasure standards, as well as the number of passes used in each, on our website, then decide which one(s) is the best fit for your business.
Overwrite Your Hard Disk Drives with Our Free Data Erasure Trial
As the global leader in certified data erasure, Blancco supports 24+ international erasure standards set by government agencies, legal authorities, and independent testing laboratories. Our Blancco Drive Eraser software has been designed to support all kinds of HDDs and SSDs in both PCs and laptops and servers. It provides advanced security features and reporting capabilities to fulfill (and exceed) your data sanitization policies.
We invite you to get your FREE Blancco Drive Eraser trial for enterprise organizations today. Choose from 25+ erasure standards—from one pass to as many as your organization requires—and be confident that Blancco solutions erase data completely and permanently from all your HDDs and SSDs.
This post was originally published in 2014. It has been updated to reflect changes in technology and standards, as well as for accuracy and comprehensiveness.