A question regarding Synology's "Secure Erase" feature

Hello everyone. I have a stack of various, rack mountable, Synology NAS devices from which I need to purge all data prior to disposition.

After coming across the link below, I found the third response, posted by "Dune7" on 2/22/20, to be quite helpful.


Does anyone know if Synology's "Secure Erase" feature officially complies with any U.S. federal data sanitization guidelines, such as those from the NIST or DoD? If not, is it possible to boot a Synology NAS to, say, an Ubuntu USB drive, to wipe the hard drives via the dd command?

Thank you for your time.
 
Solution
Does anyone know if Synology's "Secure Erase" feature officially complies with any U.S. federal data sanitization guidelines, such as those from the NIST or DoD
I've never seen evidence that Synology's Secure Erase is forensically secure. For those with Windows access (diskpart clean all)... for those with Mac/Linux access (dd with all zeroes) should be reasonable, with the caveat that SSDs cannot be securely erased.
 
Upvote 1
Solution
Thank you for replying, Telos. It seems I may need to temporarily relocate the drives, none of which are SSDs, to another server in order to fully wipe them clean.
 
Upvote 0
Been long time reader on here but not actually posted stuff (so new account, unsure if this post will even make it past spam filter)

Secure erase on Synology is not just a dd erase; it's triggering the disk's built-in secure erase. It's a far more complete erase vs. a Windows diskpart clean all or dd zero command: it erases everything, including sectors that are not normally accessible. You cannot recover anything from a secure erase.

If the disk is the HDD SED (self-encrypting) type, a normal secure erase just resets the encryption keys to render all data impossible to access any more, and will only take less than 2 minutes to reset (but unfortunately it won't reset any weak sector problems).

For an SSD, the correct way to erase it is to trigger the built-in secure erase, as it resets the encryption keys (this in itself makes data unrecoverable, assuming it has encryption support, as all data is pre-encrypted even if no password is set on the SSD). It then erases the page table and then sends trim to all NAND locations. It usually takes less than 30 seconds on most SSDs; as the trim command is a background process, it usually finishes after 2-3 minutes. If the SSD is powered off, it will finish the background trim on power-up. You can see the performance loss on enterprise SSDs, as the speed temporarily drops to the quality-of-service read/write speeds for about 2-3 minutes. (Don't use dd on an SSD.)

Before using an SSD as a caching SSD, make sure to trigger secure erase so that when you select the SSD for caching it's all zeroed out. (I recommend setting OP to 50-100 GB for better SSD life expectancy. If secure erase hasn't been run, the OP can be meaningless if there has been data on there before, especially if it was filled to full in the past. If it's a new SSD there shouldn't be any data on there. Secure erase doesn't take long on SSDs, so there's no reason not to do it.)
 
Upvote 0
Secure erase on Synology is not just a dd erase; it's triggering the disk's built-in secure erase. It's a far more complete erase vs. a Windows diskpart clean all or dd zero command: it erases everything, including sectors that are not normally accessible. You cannot recover anything from a secure erase.
You must be a Synology employee... for there is no evidence of your assertions. How about some proof. DD and Diskpart are proven tools.

Please cite independent testing for both HDDs and SSDs. I for one, would never trust Synology coding to provide forensic level erase.
 
Upvote 0
Does anyone know if Synology's "Secure Erase" feature officially complies with any U.S. federal data sanitization guidelines, such as those from the NIST or DoD?
Unless Synology has gone through the official evaluation and certification process then 'officially complies' will be 'no'. Until then, if Synology say they comply then you'll have to take it on trust, or not.
 
Upvote 0
I never did respond back to this (unsure why I need proof; if you're looking for proof for your own HDDs, then look up secure erase for your particular drive to see if it meets DoD or NIST, which I am sure dd or diskpart clean all does not).

Synology is triggering the drive's built-in ATA secure erase command, which "should" be more complete than dd or diskpart clean all (as hidden areas of the disk are also erased with secure erase). This is dependent on the drive doing a full erase, which all drives I have performed it on have done correctly.

For an SSD, that means the page table is reset and the trim command is sent to all NAND space (if the SSD has encryption support, it will additionally erase the encryption key and regenerate it, making data recovery impossible even if trim did not erase all NAND). Full performance of the drive is usually restored after 2-5 minutes (the full trim erase is queued as a background process in the drive itself).

ATA secure erase is always the correct action to perform on an SSD (even QNAP uses ATA secure erase on SSDs). dd and diskpart clean all do not reset the page table on an SSD, and some data might not be erased due to virtual LBA and wear leveling.

For an HDD ATA secure erase, the protected area and normal area are zero-fill cleared, so it takes a long time to perform (it's also good at resetting HDDs with possible pending or offline relocation events; I found dd or diskpart all doesn't always clear offline pending).

If the HDD is the SED type, it usually doesn't zero-fill erase but erases the encryption keys and regenerates them, rendering the stored data instantly scrambled (this usually takes less than 30-120 seconds to perform). You have to perform the higher-security secure erase if you want to trigger zero fill (not possible on Synology via the GUI; SED HDDs are very rare anyway, I have only ever owned one).

All sectors report back as 00 regardless of whether I use real ATA secure erase (which Synology triggers), dd or diskpart clean all (I can't see why I should have to take the drive out and plug it into a PC to do what the drive's built-in secure erase does perfectly fine).

An additional benefit of secure erase is that until the secure erase is successful the drive is locked (so say you have a power loss midway: dd or diskpart clean all might have only erased half the drive, so the remaining data might be accessible; a drive with an unfinished secure erase stays locked).
 
Upvote 0
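
A read-back check for the "all sectors report back as 00" observation in the thread, added here as an example and not part of any post: it scans a disk or image and lists the sectors that are not zero, whichever wipe method was used. The function names, the 512-byte sector size and the `/dev/sdX` path are assumptions; a host-side read only covers the addressable LBA range, so it says nothing about hidden or remapped areas.

```python
import os
import sys
import tempfile

CHUNK = 1024 * 1024   # read size; keeps memory flat on multi-TB disks
SECTOR = 512          # reporting granularity (assumed logical sector size)


def find_nonzero_sectors(path, chunk=CHUNK, sector=SECTOR, limit=16):
    """Return (bytes_read, dirty_sector_count, [(first_lba, last_lba), ...])."""
    runs, dirty, pos = [], 0, 0
    with open(path, "rb", buffering=0) as dev:
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            if buf.count(0) != len(buf):          # skip all-zero chunks quickly
                for off in range(0, len(buf), sector):
                    if any(buf[off:off + sector]):
                        lba = (pos + off) // sector
                        dirty += 1
                        if runs and runs[-1][1] == lba - 1:
                            runs[-1] = (runs[-1][0], lba)   # extend the run
                        elif len(runs) < limit:             # cap the report size
                            runs.append((lba, lba))
            pos += len(buf)
    return pos, dirty, runs


def demo():
    """Constructed sample: an 8 MiB image with residue in sectors 4096-4097."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(bytes(8 * 1024 * 1024))
        img.seek(4096 * SECTOR)
        img.write(b"residual" * 128)              # 1024 bytes = two sectors
        path = img.name
    try:
        return find_nonzero_sectors(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python3 verify_zero.py /dev/sdX   (placeholder path, needs root)
    total, dirty, runs = find_nonzero_sectors(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(f"read {total} bytes, {dirty} non-zero sectors, first runs: {runs}")
    sys.exit(1 if dirty else 0)
```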
