How to protect and safely erase data on Windows devices

Microsoft's BitLocker now uses AES encryption, but will default to the storage device's hardware encryption unless you make this setting, which will also allow you to easily sanitize drives.

Years ago Microsoft listed the 10 laws of security, and law three states that if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. Thus, it’s critical to destroy hard drives and other media in recycled equipment.

On our office’s electronic waste day, we got rid of several old servers, workstations, phones and other equipment that at one time stored sensitive information. Some of it was BitLockered, but the rest was old enough not to be.

A hammer ensures information is unreadable, but that method doesn’t scale to drives in a remote data center. So, you need to look for alternatives. NIST 800-88 details the options you have to ensure that you safely can destroy the information on the media. 

BitLocker and self-encrypting hard drives give you one option. If you know whether the data was added to the hard drive before or after it was encrypted, you might be able to quickly make the drives unreadable. In the case of self-encrypting hard drives, you can change the existing password (i.e., the data encryption key) and the data is no longer readable.

The process is called crypto erase and has been approved by ISO and NIST as an acceptable data sanitization method. If you use crypto erase, test the process to ensure you can’t recover data by sampling wiped drives.

Crypto erase is especially effective with self-encrypting hard drives, but Microsoft has recently changed how BitLocker handles self-encrypting hard drives. This might change how you use crypto erase.

For newly encrypted hard drives, the default setting for BitLocker is to now use CPU-accelerated AES encryption. This will not change any existing encrypted hard drives and their settings, but you might want to revisit encryption settings where you have highly sensitive information. Here’s why.

Researchers at Radboud University found some solid-state drives (SSDs) allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password. Prior to updates KB4516045 for Windows 10 1803, KB4516071 for Windows 10 1709, KB4516059 for Windows 10 1703, and KB4516061 for Windows 10 1607, whenever BitLocker detected a hardware-based encryption capable device, the application deferred the data encryption process to the hardware device and did not encrypt the user's data at the software level. In November 2018 when the issue first broke, Microsoft released advisory ADV180028 on this issue.

How to enable BitLocker AES encryption

To review whether you want to change how you encrypt hard drives, run the manage-bde.exe -status command from elevated command prompt.

bradley erase 1 Susan Bradley

Determining BitLocker encryption status

If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

Here’s how to disable hardware encryption. In Group Policy, go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Under the setting Configure use of hardware-based encryption for fixed data drives, choose the setting to disable. Then, BitLocker software-based encryption is used by default rather than the drive’s hardware-based encryption.

The only way to move data from a potentially “hackable” encryption process is to unencrypt it, change the methodology, and re-encrypted the data. Obviously, you’ll want to use the proper encryption settings going forward.

bradley erase 2 Susan Bradley

Set Group Policy to disable hardware encryption

Cloud gives fewer data sanitation options

Once your data is in the cloud where you don’t have access to the underlying platform, you must rely more on contracts and agreements when it comes to data sanitation and protection. For example, the Microsoft privacy statement notes that it will store your customer data for 90 days when an account expires or is terminated. After that, Microsoft will disable the account and delete the data, including cached or backup copies, within 90 days after the initial 90-day retention period. If a disk drive fails or is decommissioned, Microsoft purges or destroys it according to NIST 800-88 media sanitation standards.

For virtual machines (VMs) hosted in data centers and cloud deployments, consider performing a wipe of the drive in addition to doing the normal procedures to remove a virtual machine and all the associated data with it. Remember, if you only delete your VM and don't delete its storage account, that data is still left behind and can be recreated with a template process.

Take the time to review your options to ensure that your data is properly erased.

As always, don’t forget to sign up for TechTalk from IDG the new YouTube channel for tech news of the day.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!