Cryptographic erase is a data sanitization method that uses encryption to sanitize data on storage media. Rather than physically erasing the data, which can take considerable time and wears on the device, cryptographic erase makes the data inaccessible by changing or destroying the encryption keys. Only the encrypted data (ciphertext) remains on the storage media; it is effectively sanitized because it cannot be recovered without the encryption key.
Key features and requirements of cryptographic erase include:
- Encryption: All data intended for cryptographic erase must be encrypted prior to recording on the storage media.
- Key Strength: The cryptographic algorithm used to encrypt the target data must provide a security strength of at least 128 bits, and the encryption key itself must have at least 128 bits of entropy.
- Key Sanitization: All copies of the encryption keys used to encrypt the target data must be sanitized. If the target data's encryption keys are themselves encrypted with one or more wrapping keys, it is acceptable to perform cryptographic erase by sanitizing a corresponding wrapping key, since the wrapped keys can then no longer be unwrapped.
- Speed and Efficiency: Cryptographic erase can provide significant benefits in both timeliness and assurance. It can facilitate rapid eradication of sensitive data (in seconds versus hours or days), reduce wear on the storage device, and make it easier to safely repurpose storage devices, instead of destroying them.
- Implementation: Cryptographic erase should use only a well-vetted cryptographic implementation, to avoid implementation errors or the use of weak cryptographic algorithms.
- Inappropriate Use Cases: Cryptographic erase is not appropriate if encryption was enabled only after sensitive data had already been written to the device in cleartext and the device was not sanitized first, or if it is unknown whether sensitive data were stored on the device before encryption was enabled without being sanitized.
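As an added example (not code from the page), the following Go model of a self-encrypting drive shows the encryption, key-strength and key-sanitization requirements in action: the data-encryption key exists before any sector is written, it is 256 bits of CSPRNG output, and CryptoErase destroys the only copy while leaving the ciphertext exactly where it was. Media, NewMedia, Write, Read and CryptoErase are hypothetical names chosen for this example; a layout that wraps the DEK under a KEK erases the same way, by sanitizing the KEK so the wrapped DEK can no longer be unwrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// random draws n bytes from the OS CSPRNG, the source of the key's entropy.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing safe to do
	}
	return b
}

// gcm builds AES-256-GCM (32-byte key). A wrong key length is a programming error, hence the panic; NewGCM cannot fail for AES.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Media models a self-encrypting drive (hypothetical type): ciphertext sectors on the platters plus a 256-bit DEK in the controller.
type Media struct {
	dek     []byte
	Sectors [][]byte
}

// NewMedia generates the DEK before any data is recorded, so no cleartext ever reaches the media.
func NewMedia() *Media { return &Media{dek: random(32)} }

// Write encrypts data under the DEK with a fresh 96-bit nonce before it reaches the media.
func (m *Media) Write(data []byte) {
	nonce := random(12)
	m.Sectors = append(m.Sectors, gcm(m.dek).Seal(nonce, nonce, data, nil))
}

// Read decrypts sector i; GCM fails authentication under a wrong key, the failure erase relies on.
func (m *Media) Read(i int) ([]byte, error) {
	ct := m.Sectors[i]
	return gcm(m.dek).Open(nil, ct[:12], ct[12:], nil)
}

// CryptoErase overwrites the only copy of the DEK with fresh random bytes; the ciphertext stays, but nothing can decrypt it.
func (m *Media) CryptoErase() { copy(m.dek, random(32)) }
```

Because the DEK lives only in the controller, any copy kept elsewhere (a key backup, an escrow record) would defeat the erase, which is why the page requires that all copies be sanitized.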