How to perform NetApp Disk Sanitization for 7-Mode and Clustered ONTAP

The disk sanitize feature performs a disk format operation and uses 3 successive byte overwrite patterns per cycle and a default 6 cycles per operation, for a total of 18 complete disk overwrite passes, in compliance with the United States Department of Defense and Department of Energy security requirements.

How selective disk sanitization works

Disk sanitization is the process of physically obliterating data by overwriting disks with specified byte patterns or random data so that recovery of the original data becomes impossible. You use the disk sanitize command if you want to ensure that no one can recover the data on the disks.

The disk sanitize command uses three successive default or user-specified byte overwrite patterns for up to seven cycles per operation. Depending on the disk capacity, the patterns, and the number of cycles, the process can take several hours. Sanitization runs in the background. You can start, stop, and display the status of the sanitization process.

After you enter the disk sanitize start command, Data ONTAP begins the sanitization process on each of the specified disks. The process consists of a disk format operation, followed by the specified overwrite patterns repeated for the specified number of cycles.

Note: The formatting phase of the disk sanitization process is skipped on ATA disks.

If the sanitization process is interrupted by power failure, system panic, or a user-invoked disk sanitize abort command, the disk sanitize command must be re-invoked and the process repeated from the beginning in order for the sanitization to take place.

When the sanitization process is complete, the specified disks are in a sanitized state. You return the sanitized disks to the spare disk pool with the disk sanitize release command.

Selective disk sanitization

Selective disk sanitization consists of physically obliterating data in specified files or volumes while preserving all other data located on the affected aggregate for continued user access. Because a file can be stored on multiple disks, there are three parts to the process.

To selectively sanitize data contained in an aggregate, you must carry out three general tasks.

  1. Delete the files, directories, or volumes from the aggregate that contains them.

You must also delete any volume Snapshot copies that contain data from those files, directories, or volumes.

  2. Migrate the data that you want to preserve to a new set of disks in a destination aggregate on the same storage system.

You migrate data using the ndmpcopy command.

  3. Destroy the original aggregate and sanitize all the disks that were RAID group members in that aggregate.

Tips for creating and backing up aggregates containing data that will be sanitized

If you are creating or backing up aggregates to contain data that might need to be sanitized, following some simple guidelines will reduce the time it takes to sanitize your data.

  • Make sure your aggregates containing sensitive data are not larger than they need to be.

If they are larger than needed, sanitization requires more time, disk space, and bandwidth.

  • When you back up aggregates containing sensitive data, avoid backing them up to aggregates that also contain large amounts of nonsensitive data.

This will reduce the resources required to move nonsensitive data before sanitizing sensitive data.

Before You Begin

Before you can use the disk sanitization feature, you must install the disk sanitization license.

Attention:

Once installed on a storage system, the license for disk sanitization is permanent.

The disk sanitization license prohibits the following commands from being used on the storage system:

  • dd (to copy blocks of data)
  • dumpblock (to print dumps of disk blocks)
  • setflag wafl_metadata_visible (to allow access to internal WAFL files)

For more information about licenses, see the System Administration Guide.

Considerations

You can sanitize any disk that has spare status.

If your storage system is using software-based disk ownership, you must ensure that the disks you want to sanitize have been assigned ownership. You cannot sanitize unowned disks.

Steps

  1. Verify that the disks that you want to sanitize do not belong to a RAID group in any existing aggregate by entering the following command: sysconfig -r

The disks that you want to sanitize should be listed with spare status.

Note: If the expected disks are not displayed, they have not been assigned ownership. You must assign ownership to a disk before you can sanitize it.

  2. Sanitize the specified disk or disks of all existing data by entering the following command:
    disk sanitize start [-p pattern1|-r [-p pattern2|-r [-p pattern3|-r]]] [-c cycle_count] disk_list

Attention:

Do not turn off the storage system, disrupt the storage connectivity, or remove target disks while sanitizing. If sanitizing is interrupted while target disks are being formatted, the disks must be reformatted before sanitizing can finish.

If you need to abort the sanitization process, you can do so by using the disk sanitize abort command. If the specified disks are undergoing the disk formatting phase of sanitization, the abort will not occur until the disk formatting is complete. Once the sanitizing is stopped, Data ONTAP displays a message informing you that sanitization was stopped.

-p pattern1 -p pattern2 -p pattern3 specifies a cycle of one to three user-defined hex byte overwrite patterns that can be applied in succession to the disks being sanitized. The default pattern is three passes, using 0x55 for the first pass, 0xaa for the second pass, and 0x3c for the third pass.

-r replaces a patterned overwrite with a random overwrite for any or all of the passes.

-c cycle_count specifies the number of times the specified overwrite patterns will be applied. The default value is one cycle. The maximum value is seven cycles.

disk_list specifies a space-separated list of the IDs of the spare disks to be sanitized.

  3. To check the status of the disk sanitization process, enter the following command:
    disk sanitize status [disk_list]
  4. To release sanitized disks from the pool of maintenance disks for reuse as spare disks, enter the following command:
    disk sanitize release disk_list

Data ONTAP moves the specified disks from the maintenance pool to the spare pool.

Note: Rebooting the storage system or removing and reinserting a disk that has been sanitized moves that disk from the maintenance pool to the broken pool.

The specified disks are sanitized, put into the maintenance pool, and displayed as sanitized. The serial numbers of the sanitized disks are written to /etc/sanitized_disks.

Examples

The following command applies the default three disk sanitization overwrite patterns for one cycle (for a total of 3 overwrites) to the specified disks, 7.6, 7.7, and 7.8:

disk sanitize start 7.6 7.7 7.8

The following command would result in three disk sanitization overwrite patterns for six cycles (for a total of 18 overwrites) to the specified disks:

disk sanitize start -c 6 7.6 7.7 7.8
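The two example commands combine a pass count with a cycle count. As an added example (not from NetApp or this post), the Python helper below assembles a `disk sanitize start` line from the option syntax given in the steps, rejects values outside the stated limits (one to three patterns per cycle, one to seven cycles), and reports the total number of overwrite passes the run will make. The helper and its function names are assumptions; the default patterns (0x55, 0xaa, 0x3c) and the limits are the ones stated above.

```python
"""Assemble a 7-Mode `disk sanitize start` command line and sanity-check it.

Added example, not a NetApp tool. It follows the option syntax given in the
steps above:
  disk sanitize start [-p pattern1|-r [-p pattern2|-r [-p pattern3|-r]]] [-c cycle_count] disk_list
"""
from __future__ import annotations

from typing import Optional, Sequence

# Defaults and limits as stated in the post.
DEFAULT_PASSES = (0x55, 0xAA, 0x3C)  # default three-pass cycle
MAX_PASSES = 3      # at most three user-defined patterns per cycle
MAX_CYCLES = 7      # -c accepts one to seven cycles
RANDOM = None       # sentinel for a pass written with -r instead of -p <hex>


def format_pass(value: Optional[int]) -> str:
    """Render one overwrite pass as '-p 0xNN' or, for the RANDOM sentinel, '-r'."""
    if value is RANDOM:
        return "-r"
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 0xFF:
        raise ValueError(f"pattern must be a single byte 0x00-0xff, got {value!r}")
    return f"-p 0x{value:02x}"


def build_sanitize_command(disks: Sequence[str],
                           passes: Optional[Sequence[Optional[int]]] = None,
                           cycles: int = 1) -> str:
    """Return the command string.

    passes=None keeps the filer's default patterns and emits no -p/-r options,
    matching the first example in the post. cycles=1 (the default) emits no -c.
    """
    if not disks:
        raise ValueError("at least one spare disk ID is required")
    if any((not d) or any(ch.isspace() for ch in d) for d in disks):
        raise ValueError("disk IDs must be single, non-empty tokens such as 7.6")
    if not 1 <= cycles <= MAX_CYCLES:
        raise ValueError(f"cycle_count must be 1..{MAX_CYCLES}, got {cycles}")
    if passes is not None and not 1 <= len(passes) <= MAX_PASSES:
        raise ValueError(f"specify 1..{MAX_PASSES} passes, got {len(passes)}")

    parts = ["disk", "sanitize", "start"]
    if passes is not None:
        parts.extend(format_pass(p) for p in passes)
    if cycles != 1:
        parts.append(f"-c {cycles}")
    parts.extend(disks)
    return " ".join(parts)


def total_overwrites(passes: Optional[Sequence[Optional[int]]] = None,
                     cycles: int = 1) -> int:
    """Number of complete overwrite passes the run performs: patterns x cycles."""
    n = len(DEFAULT_PASSES) if passes is None else len(passes)
    return n * cycles


if __name__ == "__main__":
    # Reproduces the two examples from the post.
    print(build_sanitize_command(["7.6", "7.7", "7.8"]))            # 3 overwrites
    print(build_sanitize_command(["7.6", "7.7", "7.8"], cycles=6))  # 18 overwrites
    print(total_overwrites(cycles=6))
```

The helper only builds the string; you still paste it into the 7-Mode console yourself, which keeps the decision to destroy data on the operator rather than on a script.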

After You Finish

You can monitor the status of the sanitization process by using the /etc/sanitized_disks and /etc/sanitization.log files:

  • Status for the sanitization process is written to the /etc/sanitization.log file every 15 minutes.
  • The /etc/sanitized_disks file contains the serial numbers of all drives that have been successfully sanitized. For every invocation of the disk sanitize start command, the serial numbers of the newly sanitized disks are appended to the file.

You can verify that all of the disks were successfully sanitized by checking the /etc/sanitized_disks file.
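As an added example (not NetApp code or part of this post), the script below performs the two post-run checks described in this section: it compares the serial numbers recorded in /etc/sanitized_disks against the serials of the disks you intended to sanitize, and it flags a /etc/sanitization.log that has gone longer than the 15-minute status interval without being updated, which during a run points at an interrupted job that has to be started over. It assumes /etc/sanitized_disks holds one serial number per line (the post does not spell out the layout) and makes no assumption about the log's line format, only its modification time; the sample file contents and serial numbers are constructed.

```python
"""Post-run checks for a 7-Mode sanitization job (added example, not NetApp code).

Two checks the post describes:
  * /etc/sanitized_disks lists the serial numbers of every successfully
    sanitized drive, appended per `disk sanitize start` run.
  * /etc/sanitization.log receives a status line every 15 minutes while a
    job runs.
ASSUMPTION: sanitized_disks holds one serial number per line; the post does not
spell out its layout. The log's line format is not assumed at all: only its
modification time is used.
"""
from __future__ import annotations

import os
import time
from typing import Iterable

STATUS_INTERVAL_SEC = 15 * 60  # status is written every 15 minutes

# Constructed sample of the file after two runs (serial numbers are made up).
SAMPLE_SANITIZED_DISKS = """\
3KT0ABC1
3KT0ABC2
3KT0ABC3

3KT0XYZ9
"""


def parse_sanitized_disks(text: str) -> set[str]:
    """Serial numbers recorded as sanitized; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def missing_serials(text: str, expected: Iterable[str]) -> set[str]:
    """Expected serials that never made it into the file: disks to re-sanitize."""
    return set(expected) - parse_sanitized_disks(text)


def log_is_stale(log_mtime: float, now: float,
                 interval: int = STATUS_INTERVAL_SEC, slack: int = 60) -> bool:
    """True when the log has not been touched for more than one status interval
    (plus a little slack). While `disk sanitize status` still reports a job as
    running, this suggests it was interrupted (power loss, panic, abort), in
    which case the post says the run must be repeated from the beginning."""
    return now - log_mtime > interval + slack


def check_run(sanitized_path: str, log_path: str, expected: Iterable[str]) -> dict:
    """Read the real files and summarise: serials still missing, log staleness."""
    with open(sanitized_path, encoding="ascii", errors="replace") as fh:
        missing = missing_serials(fh.read(), expected)
    stale = log_is_stale(os.path.getmtime(log_path), time.time())
    return {"missing": sorted(missing), "log_stale": stale}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    wanted = ["3KT0ABC1", "3KT0ABC2", "3KT0NOPE"]
    print("not yet sanitized:", sorted(missing_serials(SAMPLE_SANITIZED_DISKS, wanted)))
```

Run `check_run` against copies of the two files pulled off the filer's root volume (for example from the output of the 7-Mode rdfile command), passing the serial numbers you recorded for the target disks before starting; an empty `missing` list is the confirmation this section asks for.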

2 thoughts on “How to perform NetApp Disk Sanitization for 7-Mode and Clustered ONTAP”

  1. The commands you mention are for 7-Mode only. Do you know of equivalent commands for Clustered ONTAP?
    Clustered ONTAP has a ‘disk encryption sanitize’ command, but I am not sure if it's DoD-compliant.