How do you guys actually handle drive wipe documentation when decommissioning hardware?

[-]

WVMNTR61@reddit

Get someone else to handle it for you, document serial numbers of each device, furnish a certificate of destruction, and save the headache. idk if you've heard of PACE Shredding, which I want to state I work for. They do secure shredding, and it checks the audit box for many people. It's practical, not complex. PACE Shredding is also a partner in a national network of industry-certified document and information destruction companies, if you need assistance outside of their regional service area.

Reply

[-]

sryan2k1@reddit

All client computers are FDE'd with bitlocker. We just do an OS recovery which wipes the TPM. Same on servers, all of our servers run ESX and all data is on various iSCSI arrays with DARE. So nothing to wipe when an individual server gets swapped out.

Reply

[-]

malikto44@reddit

Depends on the audit. I've had to show the entire data migration path to the third party, with the entire chain of custody being inspected before. However, that was government work. FDE does help, and I personally try to make everything have FDE, but if the regs require the drives to be physically zonked, they get it.

Reply

[-]

fantomas_666@reddit

Can't people have saved the encryption key where?

Reply

[-]

sryan2k1@reddit

The drive gets formatted as part of the OS reimage so the old key doesn't work.

Reply

[-]

StableVegetable9291@reddit

If this actually worked, what would be the point of encryption in the first place? Just format, and all the data is "gone".

Reply

[-]

sryan2k1@reddit

So that other people can't get your data?

Reply

[-]

StableVegetable9291@reddit

If formatting the drive is your entire decommissioning strategy, and the encryption key still exists somewhere (like in AD), then the encryption isn't really helping you. A quick format doesn't overwrite all sectors, and even with a full format, re-mapped/bad sectors never get touched by a format at all. Someone with the old key and raw disk access could potentially recover data from those remnants.

Reply

[-]

sryan2k1@reddit

This is why the disks are full drive (including empty space) encrypted the moment they are out of the box before any corporate data is on it. When the TPM is reset and the encryption key reset the data is 100% useless. You don't need to physically overwrite anything as the data is as good as background noise without the key/protector. The key will exist in AD/Azure only until that computer object is removed, but the whole point of the key in AD/Azure is because it's our computer, we want the key. FDE is so other people can't get your data, not so you can't get your data. This isn't rocket science.

Reply

[-]

avj@reddit

This seems to be the most sane and acceptable modern way to deal with this in an environment where no rotational drives are in play.

Reply

[-]

Right_Tangelo_2760@reddit (OP)

Oh that's great

Reply

[-]

malikto44@reddit

With drives that I have to nuke via regulations, I use a two step process. First a software erase. Second, something like a degauss. Or if needed physically damaging (if possible), but doesn't damage the serial number sticker Something like puncturing a drive with a drill to shatter it. Finally, each drive goes to the on-site shred truck, and I get a video of each drive's final moments, and a certificate of destruction with every drive's serial number. The reason I do this two stage method is that I want the data as unrecoverable as possible before I hand the drive over. This way, if something happened and the drive was still usable and had data on it, the data most likely can't be exfiltrated.

Reply

[-]

pugs_in_a_basket@reddit

I don't know how things go at our office with papers nor usb drives or such. But in our service, we keep our hard drives and tapes. We don't send tape drives for maintenance with tapes in them. If a tape has fucked up a drive, or the otherway around, they will be both destroyed. Or if ALL of the tape can be extracted the drive can go. We don't send defective hard drives or tapes anywhere but secure electric equipment disposal. That is what we do, but in my previous job we sent defective hardware back to the supplier if it was replaceable, like drives or tapes. They didn't contain data under GDPR.

Reply

[-]

FastFredNL@reddit

We take the drives out before disposing of hardware. Then when we have a bunch of them it's worth it to have them destroyed certified. Only way to please the auditors is to have the disks destroyed by a certified company. We get a list of all drives and their serialnumbers that have been destroyed afterwards. Actually that company takes almost all our old IT stuff (only exception is large MFP printers), destroys any data left on it, sells it and the profit they make goes to cancer research or basically any charity of our choosing.

Reply

[-]

rowle1jt@reddit

With a hydraulic punch. Also great for stress relief. 🙂

Reply

[-]

the_doughboy@reddit

Drives do not need to be wiped if they're encrypted. Clear the TPM and they're "Wiped"

Reply

[-]

Optimal-Cry9494@reddit

auditors mostly want a clear chain of custody linking the asset tag to the serial number. i follow nist 800 88 standards and use systools hard drive data eraser to get certified wipe reports for each disk. then i just attach those to the decommission ticket. it covers you if the vendor makes a typo on their destruction certificate.

Reply

[-]

korewarp@reddit

As usual the answer is - it depends. I am a certified ISO27001 auditor, and what I look at is the client's risk assessment. Legal/contractual obligations. Self-imposed controls and procedures. If they have no external requirements asking for destruction, then we obviously don't expect them to do that. If they have no internal requirements for destruction (risk assessment for example) then that isn't expected either. Leaving us with the control simply requiring a log of serial numbers, date of erasure, method of erasure, and the technician(or external company) that did it. If your auditor's expectations appear unfair/unrealistic/unfounded please reach out and I'll help out. Sometimes we auditors get lost in the sauce. Using scopes/requirements from other orgs, and we need a gentle reminder to realign. 😅😅

Reply

[-]

Right_Tangelo_2760@reddit (OP)

Really helpful - for orgs that do have external requirements like SOX or PCI-DSS, does the bar change significantly beyond those four elements? Things like chain of custody documentation or verification evidence?

Reply

[-]

korewarp@reddit

Depends on requirements/controls. A SOC2 report has a scope and a list of controls (and other things too) and it's here you can see exactly what you're measured against, so to speak. I'm not familiar with PCI DSS, but I'd imagine you could find a list of controls or requirements related to compliance with it. It's hard to give concrete answers, because it really does depend on many factors, external and internal.

Reply

[-]

Polar_Ted@reddit

The last place I worked all drives went into an industrial shredder. No exceptions. Even drives under warranty. They just ate the cost and shredded em.

Reply

[-]

BWMerlin@reddit

I send it off to a computer recycler who provides me with a certificate of data destruction.

Reply

[-]

shikkonin@reddit

The degausser scans the S/N barcode, takes a photo of the drive and a report of the achieved field strengths. The SSD shredder just takes a photo of the drive as it goes in.

Reply

[-]

BigBearChaseMe@reddit

Damn. Degaussers do all that now? Amazing

Reply

[-]

Break2FixIT@reddit

I remember when it was just a really big metal cabinet that you just cranked the lever to bring the hard drive next to the huge magnet and it would fall out the bottom in the tray..

Reply

[-]

fizzlefist@reddit

Hell, my old boss built his own. Never underestimate a radio engineer.

Reply

[-]

shikkonin@reddit

Ours does, yes.

Reply

[-]

Affectionate-Cat-975@reddit

Drill press

Reply

[-]

MuffinsMcGee124@reddit

KillDisk with the certificate saved to a folder and……. Printed. CTO thought the binder was an easier method for our governing body to review during visits.

Reply

[-]

Neuro_88@reddit

Killdisk. Please explain more.

Reply

[-]

CantPullOutRightNow@reddit

https://www.killdisk.com/eraser.html It’s what I’ve used for many years.

Reply

[-]

Mountain-eagle-xray@reddit

Dla 2500 and da 7770.

Reply

[-]

quiet0n3@reddit

We format and run a simple zero in house, then when we have enough we send a box off for certified destruction.

Reply

[-]

SandyTech@reddit

Our e-waste company does the drive destruction right there in our parking lot and provides certificates of destruction for each drive. The originals are filed away in our records and we keep digital copies which satisfy most audit requests.

Reply

[-]

Right_Tangelo_2760@reddit (OP)

When it doesn't satisfy - what are auditors typically asking for that the certificate doesn't cover?

Reply

[-]

Evan_Stuckey@reddit

If the destruction company has the appropriate ISO type certifications then tell the auditor to take a leap, having said that we usually take some photo of video of it happening as well.

Reply

[-]

SandyTech@reddit

The last time we had to pull the physical ones it was just a spot check to make sure we weren’t just photoshopping certificates. I guess they’d had a data leak incident when their previous MSP was improperly disposing of the drives and just photoshopping CoDs.

Reply

[-]

Evan_Stuckey@reddit

For erase we keep of the log of the erase/overwrite/secure erase(ssd) in our cmdb, same as devices erase like switches we keep the logs showing it active and standby firmware is erased. For physical destruction we have our company scan the barcodes in drives and we watch them get degaussed and then put in secure bins before send for shredding, the company then provides a report to us. (Usually use iron mountain just because the are available in our purchase system)

Reply

[-]

Optimal-Archer3973@reddit

date, serial number of machine the drive came out of, position in machine, brand-size-type of drive, serial number of drive, destruction report, sales or disposal date and destination

Reply

[-]

Cheomesh@reddit

Degaussing if magnetic, burning if not.

Reply

[-]

R2-Scotia@reddit

At the Ministry of Defence we usrd to take old drives to the workshop and have fund destroying them ourselves. The 100 tonne press always a good start.

Reply

[-]

RoxnDox@reddit

I used to work at a local hardware store ("helpful hardware folks"), and the owner knew nothing about IT. I wanted to wipe the old server that had been sitting untouched for several years, then try to sell it for $700-800. Nope, he made me remove and destroy the drives and throw the carcass in the dumpster. Sigh... At least I got the satisfaction of drilling holes thru the disks and then sledgehammering them into shards...

Reply

[-]

R0B0t1C_Cucumber@reddit

Ticket counts as documentation of start of the disposal process. The after part is a certificate of destruction from a 3rd party. depends on what security standard your business adheres to.

Reply

[-]

Right_Tangelo_2760@reddit (OP)

That gap between the ticket and the certificate - does anything sit in between, or do auditors just accept those two bookends?

Reply

[-]

Anonycron@reddit

What kind of auditors?

Reply

[-]

Right_Tangelo_2760@reddit (OP)

IT auditors, SOX compliance reviews, or anyone doing a formal security audit of data disposal practices.

Reply

[-]

Anonycron@reddit

Yeah gotcha. I wasn't sure you have one specific kind in mind since different audits have different requirements. For almost all of ours, includes SOC, we get away with a cryptographic destruction process... but that assumes the drives are bitlocked and (at least in our process) that the key is stored in intune. For non-bitlocked drives we have a third party recycle them and give us a certificate of destruction.

Reply

[-]

avj@reddit

Thanks for mentioning this, because I was wondering what the modern use case for would be in an environment with no rotational drives where FDE was in use.

Reply

[-]

R0B0t1C_Cucumber@reddit

At least for my guys, the in between is staging, preparing batches of machines to ship to the data disposal place, checking for remaining Active Directory artifacts of the computer acct etc, normal decommission stuff.

Reply

[-]

Pusibule@reddit

Honest question people... why are you scanning or getting scanned the serial number of the disk? Do you keep a relation where that disk was and what it contained? Do you invest time to keep an inventory of disks serial numbers? We have 2000 computers and never cross my mind to track hd serial numbers. The only thing i can think that this solves, is that one of those disk is not correctly processed and is a data leak and the physical disk is available to check the serial number, you then can point to a paper to say its not your fault.

Reply

[-]

Coldsmoke888@reddit

Third party e-waste company. They kick us a certificate of destruction after they’re done with it.

Reply

[-]

Lazy_Excitement334@reddit

When I ran the IT services team, wiping the drives from a decommissioned array was difficult. Could not run a DOD wipe without remounting each drive in a PC, which would have taken a coupla months. My main server guy took them home and put a 30.06 through them, sighting in his rifle. Documentation was his photos.

Reply

[-]

MFKDGAF@reddit

My old data center use to decommission our dries. The machine they had would print out a certificate of destruction with the serial number of the drives I forget if it just wrote 1's and 0's or if it actually destroyed the drives. I looked at getting the machines about 6 years ago and it was around $500 USD.

Reply

[-]

schwags@reddit

500 bucks isn't going to get you physical destruction. That was probably doing some kind of logical wipe.

Reply

[-]

asdlkf@reddit

You can get thermite for less than 500

Reply

[-]

Different-Ebb-1429@reddit

We pay a company to do it and provides us a receipt of destruction.

Reply

[-]

Anonycron@reddit

Cryptographic destruction. We delete the recovery key.

Reply

[-]

Winter_Engineer2163@reddit

In most places I’ve worked we tied it to the asset lifecycle rather than just keeping wipe logs somewhere random. Typically the wipe is done with something like Blancco or DBAN and the report gets exported and attached to the asset record or ticket (ServiceNow / Jira / etc.). The ticket usually contains the asset tag, serial number, who performed the wipe, the method used (NIST 800-88, DoD, etc.), and the generated report from the wiping tool. For audits, what they usually want to see is: – proof the drive was sanitized – which standard/method was used – which asset it belonged to – who performed the wipe and when Some orgs also generate a certificate from the wipe tool and store it with the decommission ticket or asset management system. Others just attach the wipe report PDF. The key thing auditors look for is traceability: asset → wipe method → report → responsible person. If you can show that chain consistently, they’re usually satisfied.

Reply

[-]

badboybilly42582@reddit

E-waste vendor will take drives, scan the serials, send us a COD with the serials listed on it.

Reply

[-]

albertyiphohomei@reddit

Take out the drives. And shred them using companies that are certified

Reply

[-]

GX_EN@reddit

This is what I always did as well.

Reply

[-]

collectivedisagree@reddit

Can confirm - need evidence for our compliance program. Truck shows, up two people watch as drives are shredded. Serial numbers recorded, two people sign.

Reply

[-]

Professional-Heat690@reddit

All logical disks are encrypted. Anything older that comes to it's end of life goes through a shredder. same for sysbrds or anything with nvram etc.

Reply

[-]

Ark161@reddit

At my current employer, we work with a shredding company (iron mountain). They provide a cert of destruction. HOWEVER, I typically expect my team to scan the serials of the drives before dropping them in the bin so we have a record of when the drive was dropped and have a list to reconcile against the vendor's certrificates.

Reply

[-]

Nonaveragemonkey@reddit

Use shred, then physically shredding every drive.

Reply

[-]

Equilibrium_Path@reddit

I ise to work at an e-waste company. They'd take a pallet of computer. Load then on a bench, scan the S/N of the drive along with S/N and asset tag of the device it came from along with other identifiers incase it needs to be looked up in the future or when audit comes around. Wipe the disk with Blanco, upload the certificate along with the home device identifiers to a database. Move on to the next pallet. Some devices will get resold, some with get destroyed and the gold extracted. Just depends on the client and what they want.

Reply

[-]

Right_Tangelo_2760@reddit (OP)

When clients ask for proof of sanitization for their own audit purposes - is the Blancco certificate usually sufficient or do they ever ask for more? Things like chain of custody documentation or verification that every drive was accounted for?

Reply

[-]

Equilibrium_Path@reddit

Sorry to answer the first question, it depends on the customer. For the most part, a certificate/document is more than enough but if they need more they are welcome to request more which has been done in the past. Such as pick up sign off forms along with a certificate for each item and if an item couldn't be wiped then documentation about what was done with it and business justification

Reply

[-]

Equilibrium_Path@reddit

Hey, thanks for the question, apologies I only really partially described what out data guys did. Here's a high level of the whole process which I hope answers your question but if it doesn't feel free to let me know. 1) Customer reaches out, says they have tech that needs recycling. 2) We provide them a form to fill out with things such as: Site address Primary contact details Secondary contact details Collection details (Such and date and time and quantity of items being collected and the type of tech being collected What does the customer want done with the tech (Destruction or not) 3) Then a technician will call the contact before pick up to let them know they're on their way and estimated time of arrival 4) Technician arrives on site, photographs what gets picked up and scans everything before loading it onto the truck. 5) Site contact signs off on pick up. 6) Technician goes back to the warehouse, puts everything onto the pallet, wraps it and adds the pick up number and labels the pallet. 7) Technician loads up the scanned tech into the database in the format of: Hardware type, Make, Model. Serial, asset number. Uploads a scanned copy of the pick up sign off and any additional photos that were taken so that its all in the same pickup/case number. 8) Data techs take the pallet, open the case, do their scan of the pallet to make sure everything is there. 9) Follow data destruction process using Blanco then upload all their own recorded evidence to the case. (This will highlight if anything has gone missing or potentially stolen while it was sitting on the pallet) Everything is now in 1 case per collection with all pickup evidence, sign off records, data destruction or Blanco certificates, etc. When audit comes they don't usually ask for everything as that will be ALOT of work on their end, instead they'll ask for a summary of our records, then select maybe 25-50 cases then we provide all records for the cases they've requested just to make sure everything lines up or if there's any issues. (Generally there's not much issues because we had worked with them before hand to identify their requirement and make sure we suffice our regulators and laws etc. I hope that helps

Reply

[-]

skreak@reddit

Every Org does it differently, and even within the same org if it's large enough will do it differently between teams. I work in HPC so when we decommission a system we have sometimes \_thousands\_ of drives to decommission at the same time. I wrote a fancy script on top of NWipe that captures the hostname, serial number of the host, the drives, the log of nwipe's completion and writes that to a NAS share. If the device isn't running linux and is a vendor supported device like a NetAPP, Nimble or other storage frame then we use the vendor supported method to wipe them. Physical drives fall into a few buckets: 1) Leased hardware that needs to be returned in-tact; These drives simply get wiped in place, a ticket signs off on the entire device/cluster that it's been wiped with with attached log files or at minimum a path to find said log files. 2) Leased hardware but the drive has faulted; we keep the dead drives but they go into a locked cabinet until we have a 'shredding event'. 3) Shredding events are for purchased systems and failed drives. We scan all the barcodes of all the drives into a spreadsheet ourselves ahead of time. Then we contract a company that sends a truck with a shredder - we give them the pallet of disks and they shred them, they also scan all the barcodes. After the event we compare the lists to make sure all drives were accounted for in both spreadsheets. Shredding events happen every 2 to 3 years depending on need. For our company laptops, they are all secured with bitlocker or whatever and are also leased. When laptop are returned the TPM is cleared which erases the decryption key for the drive and that's all there is to it, also a ticket for each laptop indicating that work was completed.

Reply

[-]

Right_Tangelo_2760@reddit (OP)

The NWipe script approach is interesting - has anyone ever questioned whether that log capture was sufficient during an audit, or does the ticket + log path satisfy reviewers without pushback?

Reply

[-]

skreak@reddit

We just went through a 3rd party audit with full compliance, which included samples from those logs. NWipe is just a fork of DBAN (Derik's Boot and Nuke) which even the Gov't has used for forever. The "Fancy" part of this script is that it uses some LVM magic to shift the root filesystem entirely in RAM prior to wiping the underlying disks, which keeps the OS alive and well during the wiping process until the machine is powered off. [https://linux.die.net/man/1/nwipe](https://linux.die.net/man/1/nwipe)

Reply

[-]

Secret_Account07@reddit

It really depends on what your budget is and what kinda data we are dealing with. When I worked helpdesk we used to use degauser and DBAN but then started using shredder. In theory PII/HIPAA shouldn’t be on endpoints but to be safe we shredded. We would auction all equipment at end. Now for servers we shred them. No exceptions. Usually save em up until we get a decent amount then get a pro to bring shredder to site. Tbh this is a management decision. Risk vs reward, considering cost too. As a tech this isn’t your decision. Communicate best practice, aka shredding, then let mgmt make the call.

Reply

[-]

justaguyonthebus@reddit

The inventory or transfer paperwork indicates "disk drive removed". If they ask about the drives, I can tell them about the box in storage waiting to be destroyed.

Reply

[-]

JerryBoBerry38@reddit

Shred.

Reply

[-]

Jaegermeiste@reddit

Never had to deal with any accountability for wiping drives, but if anyone ever cared we'd have just tossed them in a (storage) bin after proper processing with a mini-sledge.

Reply

[-]

Motor-Marzipan6969@reddit

We do a software wipe with DBAN and then the drives just kinda pile up in boxes until we have enough laying around to justify paying a company to come shred them and provide documentation.

Reply

[-]

rubbishfoo@reddit

I document the SecureATA erase output w/ a screenshot in the ticket. Then securely store until drive destruction via vendor & obtain CoD. Yes, probably overkill.

Reply

[-]

PoeTheGhost@reddit

I’m in a much smaller shop/company that shifted to cloud storage shortly after I was onboarded. After the final delta sync and migrating users, decommissioning drives was simple DBAN the drives overnight (all weekend for decomm’d servers, I had bootable USB’s and thunderbolt enclosures for this) take a photo of the HDD label, use the drill press to make it a #5 domino through it, take another photo, toss it in the electronics recycling crate, repeat. Once a quarter, I’d drive to the electronics recycling drop off, quietly recorded their staff doing the demag and shred, uploaded all the proof of destruction to our new NAS, which also backs up to our cloud storage.

Reply

[-]

Vesalii@reddit

We dispose of our hardware and the recycling destroys the data or drive, with certificate.

Reply

[-]

landob@reddit

if the hard drive is stil working we wipe it it then goes into a bin in the server room. when we have enough of them we call out our shreddng company, they take them away and destroy them

Reply

[-]

randomman87@reddit

Some firmware have secure erase function, some also generate a report when done.

Reply

[-]

Glue_Filled_Balloons@reddit

We had around 500 hard drives so we paid a company to come on site and we supervised while they scanned every drive and ran it through the shredder and then they provided us a report afterwards.

Reply

[-]

systonia_@reddit

We have a metal box where we throw drives into. When fully a company collects that box and then destroys the drives. You get a list of the drive SNs and certificate of destruction. They basically throw it all into a big metal shredder

Reply

[-]

BatemansChainsaw@reddit

remove the drives and donate the units.

Reply

[-]

Humpaaa@reddit

Via certified third partys, for compliance reasons. Proof via ticket.

Reply

Reply to Post

86 Comments