How Many Passes?
Frequently, I think of the little boy who consulted the owl to find out how many licks it takes to get to the Tootsie Roll center of the Tootsie Pop. The owl’s response: “Let’s find out. One… two-hoo-hoo… three. Three!” I think about that sage old owl each time the topic of “disk wiping” comes up. It seems that the jury is still out on just how many passes of a disk wiping utility it takes to make the data on a disk unreadable.
Mr. Scott & the Laws of Physics
The question also seems to come up more from a concern about the time involved in this task than it does the security achieved in the process. Many times the question is raised by someone who has 25 leased computers to be returned before lunch and the 3 – 4 hours per machine it takes to wipe a modern hard drive just never got factored into the process. “So how can we do this quicker?” is often the desperate plea. As Scotty would say to Captain Kirk, “You cannot change the laws of physics.” The task of overwriting the data is a simple function of disk size and disk speed – or in a word – time.
Wiping vs. Scrambling
The problem is – so many seem to have missed the point. Everyone has become wrapped around the axel of “number of passes” as if that is the measure of effectively “removing” the data. It’s not. The goal is to render the data irretrievable not invisible. There’s a reason that 35-pass wipes are used. It’s because the technology exists to “see” a remnant of the data even after 34 passes. So does one more pass really make a difference? Not really. It is accurate to say that with each wipe the data has faded just a bit more but with “nation state-level resources” (think NSA) that data may still be recoverable.
On the other hand, if we focus on rendering the data irretrievable vs. invisible we can perform this task with much less effort (time) and expense. Encryption solves this problem too. If it’s good enough to protect our data from known thieves (i.e. those who would steal the asset) then it should be considered good enough to protect the data from trusted vendors. Oh yeah, and encryption works with just one pass. Therefore, encryption is a better answer for both problems; the amount of time involved and the strength of protection provided. So, encrypt it with an excellent 64-character random key and don’t bother to write it down or memorize it. Just throw away the key.
Take it Outside
So if you’re still wondering how many wipes does it really take, may I humbly suggest 3 are plenty for most situations. Apple computers have a disk wiping utility included but it won’t let you erase the disk you’re using. Whether you choose to wipe or encrypt you still need to do it from “outside” the operating system so that you can do the entire disk and not just the data portion. Either way, don’t forget to budget some time for the task. Even the owl quit after three tries.
An excellent (and free) disk wiping utility: DBAN