Configuring Secure Delete

Applies to:
  • CrashPlan PROe

Overview

The secure delete feature of the Code42 environment instructs the enterprise server to securely wipe archives that have been permanently removed or deleted. This feature can be enabled or disabled from the command-line interface available in the administration console.

Considerations

  • Secure delete is available in version 3.6.2.1 and later.
  • Archives in cold storage are not securely wiped until after the cold storage period has expired.
  • The temporary zip files created on your enterprise servers during web restores are not securely wiped.
  • Secure delete uses significant disk I/O overhead. It is important to take this into consideration when planning your Code42 environment deployment, as it may affect the number of users that can be supported on each enterprise server.
  • Secure delete is a best-effort multi-pass overwrite of all positions 0-n in a file. Secure delete does not audit the kernel, drivers, or firmware of the enterprise server and its disks. Therefore, it cannot be guaranteed that the overwrite is actually occurring on the same physical block(s) as the original data.

The need for secure delete

Secure delete offers the ability to permanently remove data in a way that makes recovery of the data impracticable through computer forensics or common filesystem utilities. Secure delete also minimizes data remanence on enterprise server hard drives that may be discarded or recycled by a third-party vendor.

Standards supported

The secure delete feature implements the recommendations of NIST Special Publication 800-88, Guidelines for Media Sanitization, as outlined in Appendix A, "Minimum Sanitization Recommendations." The single-pass shredding method suffices for both clearing and purging data. The triple-pass method is also available.

When to use whole device versus partial sanitization

Section 2.8 of NIST Special Publication 800-88, Guidelines for Media Sanitization states: "Due to the difficulty in reliably ensuring that partial sanitization effectively addresses all sensitive data, sanitization of the whole device is preferred to partial sanitization whenever possible." The secure delete feature accomplishes partial sanitization of the targeted archives. Whole device sanitization should be considered where appropriate, including physical destruction of the disk.

However, the secure delete feature can be highly customized for cases in which partial sanitization is desired.

How secure delete works

Deleted archives are moved to a special directory at the top level of each store point. This directory is named CrashPlanArchive_SHRED. One shred process per store point performs the actual shredding operation by writing a character to each addressable location in the archive.

Securely deleted files
Files placed in the CrashPlanArchive_SHRED directory are securely deleted--immediately and permanently. Once the secure delete process starts to remove a file, recovery of that file is not possible.

There are four possible shredding methods available:

  • Single-pass of zeroes: the shred process writes the character "0" to every location.
  • Single-pass of ones: the shred process writes the character "1" to every location.
  • Single-pass of random characters: the shred process writes a random character to every location.
  • Triple-pass: the shred process performs a single pass of zeroes, a single pass of ones, and a single pass of random characters to each location. This option requires the greatest amount of disk I/O overhead. Most research has indicated that a single pass is adequate, so this option may not be worth the extra I/O overhead.

If an enterprise server is rebooted or restarted in the middle of the shredding process, the shredding process will resume upon restart.
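
The four shredding methods above, sketched as an added example. This is not Code42's implementation: it assumes "zeroes" means 0x00 bytes and "ones" means 0xFF bytes, and every function name is hypothetical.

```python
import os

CHUNK = 1 << 20  # write in 1 MiB blocks

# Assumption: "zeroes" = 0x00 bytes, "ones" = 0xFF bytes; names are hypothetical.
PASSES = {
    "zero": [lambda n: b"\x00" * n],
    "one": [lambda n: b"\xff" * n],
    "random": [os.urandom],
}
PASSES["triple"] = PASSES["zero"] + PASSES["one"] + PASSES["random"]


def _overwrite_pass(fd, size, make_block):
    """Write positions 0..size-1 in place, then flush the pass to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        # os.write may write fewer bytes than requested; count what landed.
        remaining -= os.write(fd, make_block(min(CHUNK, remaining)))
    # Without fsync a later pass could replace this one in the page cache
    # before it ever reaches the disk.
    os.fsync(fd)


def overwrite_in_place(path, strategy="triple"):
    """Run every pass of the strategy; return the total bytes written."""
    size = os.path.getsize(path)
    # No O_TRUNC: truncating would free the blocks instead of overwriting them.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        for make_block in PASSES[strategy]:
            _overwrite_pass(fd, size, make_block)
    finally:
        os.close(fd)
    return size * len(PASSES[strategy])


def shred(path, strategy="triple"):
    """Overwrite, then unlink. Best effort only: the filesystem or drive
    firmware may have placed the new data on different physical blocks."""
    written = overwrite_in_place(path, strategy)
    os.remove(path)
    return written
```

The returned byte count shows why the triple pass costs three times the disk I/O of any single-pass strategy.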

Limitations

Types of environments

The secure delete feature is available in private cloud environments only.

Types of files

Files that can be securely deleted

Most archive files can be securely deleted, including:

Files that cannot be securely deleted

Some files are not securely deleted, including:

To avoid these situations:

  • Configure your version retention settings to retain older file versions
  • Don't perform web restore operations so that files only exist on your enterprise servers in their secured archives

Solid-state drives (SSDs)

Secure delete doesn't support archives stored on solid-state drives (SSDs). Due to the physical basis of data storage on SSDs, data cannot be as reliably scrubbed from a solid state drive as it can be from a traditional (spinning platter) hard drive. See External Resources for more information on SSD storage.

Enable secure delete

In order to enable secure delete, you must use the command-line interface (CLI).

Step 1: Access the command-line interface

  1. Sign in to the administration console of the master server
  2. Double-click the logo in the administration console's upper-left corner

Step 2: Enable secure delete

  1. Enter the following command to set the system property c42.shred.enabled to true, which enables secure delete on the master server and all currently online storage servers in the Code42 environment:
    prop.set c42.shred.enabled true save all
    The command-line argument "all" specifies that secure delete is enabled on all enterprise servers. Consult the full list of command-line arguments for the prop.set command, along with descriptions, before modifying the example command.
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.enabled=true (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts, and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately, and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Step 3: Set the shredding strategy (optional)

By default, secure delete uses the "triple pass" shredding strategy.

To change the shredding strategy, you must set the system property c42.shred.strategy. In the CLI, enter one of the following commands, depending on the level of secure shredding you wish to implement:

Single pass of zeroes

  1. Enter prop.set c42.shred.strategy ZeroFillShredStrategy save all
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.strategy=ZeroFillShredStrategy (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts, and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Single pass of ones

  1. Enter prop.set c42.shred.strategy OneFillShredStrategy save all
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.strategy=OneFillShredStrategy (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts, and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Single pass of random characters

  1. Enter prop.set c42.shred.strategy RandomShredStrategy save all
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.strategy=RandomShredStrategy (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts, and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Triple pass of zeroes, ones, & random characters

  1. Enter prop.set c42.shred.strategy TriplePassShredStrategy save all
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.strategy=TriplePassShredStrategy (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts, and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately, and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Disable secure delete

To disable secure delete, open the CLI as described above, then:

  1. Enter the following command to set the system property c42.shred.enabled to false, which disables secure delete:
    prop.set c42.shred.enabled false save all
  2. The CLI responds with the following message:
    The system property has been set.
    Some system properties require a restart before they are recognized.
    c42.shred.enabled=false (saved)
    
  3. Enter the following command to restart the enterprise server from the CLI:
    node.restart
  4. The enterprise server process restarts and you are temporarily disconnected from the administration console
  5. Repeat the restart command for each storage server using one of two methods:
    • Sign in to each storage server separately, and enter the command node.restart from the command-line
    • Sign in to the master server and enter the node.restart command for each storage server guid, replacing <guid> with the actual guid of your storage servers:
      node.restart <guid>

Logs

The Code42 environment history log contains messages that indicate when secure delete shredding jobs start and complete:

  • Starting a secure delete job example:
    11/06/13 12:54AM starting shred on /var/opt/proserver/backupArchives/CrashPlanArchive_SHRED/1383720859729/608822655981715713
  • Completing a secure delete job example:
    11/06/13 12:54AM completed shred on /var/opt/proserver/backupArchives/CrashPlanArchive_SHRED/1383720859729/608822655981715713 -- 13 files shredded using com.code42.io.shred.TriplePassShredStrategy

The log file locations differ based on platform.
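
One way to audit these history log messages, as an added example that is not part of Code42's tooling: it pairs each "starting shred" line with its "completed shred" line and reports jobs that never completed or that used a strategy other than the one you configured. The function name, the last three sample lines, and the fully qualified ZeroFillShredStrategy class name are constructed assumptions.

```python
import re

# Patterns follow the two history-log examples shown above.
START = re.compile(r"^(?P<ts>\S+ \S+) starting shred on (?P<path>\S+)$")
DONE = re.compile(
    r"^(?P<ts>\S+ \S+) completed shred on (?P<path>\S+) -- "
    r"(?P<count>\d+) files shredded using (?P<strategy>[\w.]+)$"
)

ROOT = "/var/opt/proserver/backupArchives/CrashPlanArchive_SHRED"
SAMPLE_LOG = [
    # First two lines are the examples from this page; the rest are constructed.
    f"11/06/13 12:54AM starting shred on {ROOT}/1383720859729/608822655981715713",
    f"11/06/13 12:54AM completed shred on {ROOT}/1383720859729/608822655981715713"
    " -- 13 files shredded using com.code42.io.shred.TriplePassShredStrategy",
    f"11/06/13 01:10AM starting shred on {ROOT}/1111111111111/2222222222222222222",
    f"11/06/13 01:15AM starting shred on {ROOT}/3333333333333/4444444444444444444",
    f"11/06/13 01:16AM completed shred on {ROOT}/3333333333333/4444444444444444444"
    " -- 4 files shredded using com.code42.io.shred.ZeroFillShredStrategy",
]


def audit_shred_log(lines, expected_strategy=None):
    """Return (completed_jobs, findings) for a sequence of history-log lines."""
    pending, completed, findings = {}, [], []
    for raw in lines:
        line = raw.strip()
        if (m := START.match(line)):
            pending[m["path"]] = m["ts"]
        elif (m := DONE.match(line)):
            path = m["path"]
            strategy = m["strategy"].rsplit(".", 1)[-1]  # drop the package prefix
            if pending.pop(path, None) is None:
                findings.append(("completed-without-start", path))
            if expected_strategy and strategy != expected_strategy:
                findings.append(("unexpected-strategy", path))
            completed.append(
                {"path": path, "files": int(m["count"]), "strategy": strategy}
            )
    # Still pending: the job is running, or was interrupted and has not resumed.
    findings.extend(("started-not-completed", p) for p in pending)
    return completed, findings
```

A "started-not-completed" finding on a server that has been idle for a while is worth checking before the disk leaves your control.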