HP SSD, eMMC Technical Manual

Technical white paper

HP FutureSmart Firmware Device Hard Disk, SSD and eMMC Security

Table of contents

Overview .................................................................... 2
Hard Disk Drive Security Overview ........................................... 2
Hard Disk Architecture ...................................................... 2
Secure Erase Commands ....................................................... 2
Disk Initialization Commands ................................................ 5
SSD and eMMC Security Overview .............................................. 6
Secure Erase Data Overwrite Functionality Not Supported on SSD/eMMC ......... 6
Secure Volatile Storage Feature with SSD and eMMC ........................... 6
SSD and eMMC Impact to Disk Management Features ............................. 7
Accessory Hard Disk Drive Option ............................................ 9
Disk Erase confirmation .................................................... 10
Government Erase Standards ................................................. 11
Appendix A: Secure Erase Data Overwrite and Specifications ................. 11
Appendix B: Device Hard Drive Support ...................................... 13
Appendix C: Device SSD and eMMC Support .................................... 16
Appendix D: ATA secure erase not supported ................................. 19
Appendix E: Optional HDD Accessory capable devices ......................... 19

Overview

This document discusses secure erase options and hard disk, SSD and eMMC security on HP FutureSmart Firmware printing devices. It replaces previous security documents HP FutureSmart Firmware Device Hard Disk Security, Solid State Drive Security for HP Printing Devices and eMMC Security for HP Enterprise Printing Device.

Hard Disk Drive Security Overview

To protect customer data on devices using hard disk drives, all data written to the data disk areas is encrypted using AES-128 or AES-256 encryption (on products manufactured after November 2012). The section of the hard disk containing job data can be securely erased on demand instead of performing an entire disk wipe (See Erase Job Data). Industry standard ATA Secure Erase is an available option that securely wipes all data, including spared and reallocated sectors, for decommissioning devices (See Secure Disk Erase).

Hard Disk Architecture

The printing device Hard Disk is divided into different sections for different classes of data:

Job Data: Contains all job data, including temporary files for print and scan jobs, and Stored Jobs.

Configuration Data: Contains printing device dependent configuration settings and system information. Information stored here includes printing defaults, authentication configuration, and some customer specific configuration settings.

System Data: Contains the HP FutureSmart Firmware operating system code. This code must be present on the hard disk for the printing device to boot. Previous HP printing device operating systems booted from a compressed image stored in non-volatile memory.

Repository: This area contains a compressed copy of the device operating system installation code, providing a way to restore a corrupted operating system image or recover from a failed firmware upgrade.

Secure Erase Commands

HP FutureSmart Firmware printing devices support four different data erase features: for securely erasing job data on an ongoing basis, and for device decommissioning or redeployment.

1. Managing Temporary Job Files

This feature controls how temporary job files are erased at the completion of print, copy, fax, or digital send jobs.

Temporary job files include:

o Temporary data for print jobs

o Temporary data for copy, fax, e-mail, and send to network folder jobs

The File Erase Modes available are:

o Non-secure Fast Erase (No overwrite)

o Secure Fast Erase (Overwrite 1 time)

o Secure Sanitizing Erase (Overwrite 3 times)

Note: For File Erase mode specifications see Appendix A

PUBLIC

2


Figure 1: Managing Temporary Job Files settings in the Embedded Web Server (EWS)

Figure 2: Secure File Erase Mode settings in Web Jetadmin

Note: This setting corresponds to the Managing Temporary Job Files setting in EWS

2. Erase Job Data

This feature will erase and overwrite all job data files stored on the disk, including:

o Temporary data for print jobs

o Temporary data for copy, fax, e-mail, and send to network folder jobs

o Stored Jobs, Stored Fax jobs

The File Erase Modes available are:

o Non-secure Fast Erase (No overwrite)

o Secure Fast Erase (Overwrite 1 time)

o Secure Sanitizing Erase (Overwrite 3 times)

Figure 3: Erase Job Data settings in the Embedded Web Server

Figure 4: Erase Customer Data settings in Web Jetadmin

Note: This setting corresponds to the Erase Job Data setting in EWS

3. Secure Disk Erase

This feature securely erases all data on the hard disk, including spared and relocated disk sectors. This erase operation, also known as ATA Erase, is executed directly by the hard disk controller.

Secure Disk Erase meets the “Purge” erase standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization. (See the Government Erase Specifications.)

This erase mode is only accessible from the pre-boot menus for the main system disk. It is available for accessory disks in EWS and Web Jetadmin. If the erased disk contained the system firmware, performing an Erase/Unlock will render the device inoperable, and a new firmware image must be installed to the disk before the device can be used again.

Figure 5: Secure Disk Erase in device Pre-boot Menu (menu items: 1 Secure Erase, 2 Erase / Unlock, 3 Get Statuses)

4. Erase / Unlock Encrypted Disk

The HP High Performance Secure Hard Disk supports a special erase referred to as a “Crypto Erase”. Selecting the Erase/Unlock option for one of these disks forces its encryption keys to be destroyed and new keys generated. This instantly renders all the encrypted data on the disk unreadable. There is no method to recover the encryption keys and no method to recover the encrypted data once the keys have been changed.

This erase mode is only accessible from the pre-boot menus for the main system disk. It is available for accessory disks in EWS and Web Jetadmin. If the erased disk contained the system firmware, performing an Erase/Unlock will render the device inoperable, and a new firmware image must be installed to the disk before the device can be used again.

Figure 6: Erase / Unlock in device Pre-boot Menu (menu items: 1 Secure Erase, 2 Erase / Unlock, 3 Get Status)


Disk Initialization Commands

These commands reinitialize the hard disk or sections of the disk to provide troubleshooting and diagnostic capabilities. The commands are similar to disk formatting commands and do not provide sector level data overwrite. These erase commands are not recommended for securely removing customer data.

These commands are only accessible from the device pre-boot menus.

Clean Disk removes all data from the disk. This command will render the device inoperable. The device firmware must be re-installed to the disk before the device can be used again.

Figure 7: Clean Disk in device Pre-boot Menu (menu items: 1 Download, 2 Clean Disk, 3 Partial Clean, 4 Change Password)

Partial Clean removes all data from the disk except for the compressed operating system installation code in the repository and initiates a reload of the device operating system.

Figure 8: Partial Clean in device Pre-boot Menu (menu items: 1 Download, 2 Clean Disk, 3 Partial Clean, 4 Change Password)

SSD and eMMC Security Overview

Some models of HP printing devices use Solid State Drive (SSD) or embedded MultiMediaCard (eMMC) mass storage devices as the system disk (See Appendix C for these models). SSD and eMMC are mass storage devices that use NAND-based flash memory instead of the spinning platters used in traditional hard disk drives (HDD). These memory-based drives appear to the printing device operating system as a traditional Hard Disk Drive.

SSDs and eMMCs have operational characteristics that affect some security features available in traditional HDD enabled devices. For high security environments and security sensitive applications, HP recommends:

o Selecting models that include a HDD (See Appendix B Device List)

o Adding an optional HDD when supported (See Accessory Drive Option for Job Data)

Secure Erase Data Overwrite Functionality Not Supported on SSD/eMMC

Due to the nature of flash memory operation, SSDs and eMMCs are not able to securely delete files by directly overwriting their data, as can be done with a hard disk drive. The following SSD and eMMC read/write characteristics prevent the implementation of HP’s Secure Erase Data Overwrite feature, which uses the Secure Fast Erase (1-pass) or Secure Sanitize Erase (3-pass) algorithms to securely delete files on an ongoing basis.

SSD and eMMC controllers use a technique called “wear leveling” to evenly distribute writes across all flash blocks in the device. This causes previously written data to be moved dynamically to different locations when new data is written. The previous data locations cannot be tracked for overwriting.

SSD and eMMC “write amplification” behavior also causes the memory controller to dynamically relocate previously written data. Data is written to flash locations in 4 to 8 KB pages but must be erased in blocks, typically of 256 KB. Existing data is relocated to free entire blocks for erasure, as flash needs to be erased before it can be written again.

Secure Volatile Storage Feature with SSD and eMMC

To protect customer data on devices using SSD and eMMC, HP applies firmware-based encryption to the specific areas of the storage device that contain customer job data. All files written to the customer job data disk areas are encrypted using AES-128 encryption. This can be configured to AES-256 encryption, if desired (Figure 9).

Data stored on the encrypted partition includes: Stored print jobs, temporary print job files, PJL and PostScript filesystem files including downloaded fonts, and extensibility customer data (if stored there by the extensibility solution).

Figure 9: Managing Job Data Encryption on an SSD or eMMC system disk in the Embedded Web Server (EWS)
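As an added illustration (not code from this HP paper or its firmware) of the two points above, that out-of-place flash writes defeat overwrite-based file erase, and that encrypting the job-data area turns key destruction into a complete erase: a toy Python flash translation layer. The page size, page count and the random XOR pad standing in for AES are simplifications assumed for this example only.

```python
import os
PAGE = 8  # bytes per page in the toy model (real NAND uses 4 to 8 KB pages)

class ToyFlash:
    """Pages are write-once until block erase, so the FTL writes out-of-place: a
    logical overwrite lands in a fresh page and the stale page keeps its data."""
    def __init__(self, pages=16):
        self.pages = [None] * pages  # physical pages, None = erased
        self.l2p = {}                # logical page -> physical page
        self.next_free = 0

    def write(self, lpn, data):
        assert len(data) == PAGE
        ppn, self.next_free = self.next_free, self.next_free + 1
        self.pages[ppn] = data
        self.l2p[lpn] = ppn  # old physical page is merely marked stale

    def read(self, lpn):
        return self.pages[self.l2p[lpn]]

    def raw_pages_containing(self, needle):
        """Forensic view of the raw NAND: physical pages still holding needle."""
        return [i for i, p in enumerate(self.pages) if p and needle in p]

def overwrite_erase(flash, lpn, passes=3):
    """Secure Sanitizing Erase (3 passes) as the OS sees it: each pass is
    just another out-of-place page write, never an in-place overwrite."""
    for _ in range(passes):
        flash.write(lpn, b"\x00" * PAGE)

def demo_overwrite_leaves_remnant():
    flash = ToyFlash()
    flash.write(0, b"JOBDATA1")
    overwrite_erase(flash, 0)
    # OS read returns zeros, yet raw page 0 still holds the job data.
    return flash.read(0), flash.raw_pages_containing(b"JOBDATA1")

def demo_crypto_erase():
    """Encrypted job-data area: stale pages hold only ciphertext, so destroying
    the key sanitizes every copy. A random XOR pad stands in for AES here."""
    key = os.urandom(PAGE)
    def enc(b):
        return bytes(x ^ k for x, k in zip(b, key))
    flash = ToyFlash()
    flash.write(0, enc(b"JOBDATA1"))
    flash.write(0, enc(b"JOBDATA2"))  # update lands out-of-place too
    key = None  # crypto erase: the key is destroyed, the pages are not
    stale_pages = sum(p is not None for p in flash.pages)
    return stale_pages, flash.raw_pages_containing(b"JOBDATA")
```

Running the two demos shows the HDD-style three-pass overwrite leaving the original job data intact in a stale physical page, while the encrypted variant leaves two stale pages that contain no recoverable plaintext once the key is gone.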

