How to securely erase your data on a NetApp

When drives in a NetApp are being obsoleted and replaced we need to make sure we securely erase all data that used to be on them. Unless you’re just going to crush your disks.

In this example we’ve got an aggregate of 14 disks (aggr0) that need to be wiped and removed from our NetApp so they can be replaced with new, much larger disks.

There are two methods that you can use to wipe disks using your NetApp. The first is to simply delete the aggregate they are a member of, turning them into spares, and then run “disk zero spares” from the command line on your NetApp. This only does a single pass and only zeroes the disks. There are arguments I’ve seen where some people say this is enough. I honestly don’t know, and we have a requirement to do a 7 pass wipe in our enterprise. You could run the zero command 7 times but I don’t imagine that would be as effective as option number two.

The second option is to run the ‘disk sanitize’ command, which allows you to specify which disks you want to erase and how many passes to perform. This is what we’re going to use.

The first thing you’ll need to do is get a license for your NetApp to enable the ‘disk sanitize’ command. It’s a free license (so I’ve been told) and you can contact your sales rep to get one. We got ours for free and I’ve seen forum posts from other NetApp owners saying the same thing.

There is a downside to installing the disk sanitization license. Once it’s installed on a NetApp it cannot be removed. It also restricts the use of three commands once installed:

  • dd (to copy blocks of data)
  • dumpblock (to print dumps of disk blocks)
  • setflag wafl_metadata_visible (to allow access to internal WAFL files)

There are also a few limitations regarding disk sanitization you should know about:

  • It is not supported in takeover mode for systems in an HA configuration. (If a storage system is disabled, it remains disabled during the disk sanitization process.)
  • It cannot be carried out on disks that were failed due to readability or writability problems.
  • It does not perform its formatting phase on ATA drives.
  • If you are using the random pattern, it cannot be performed on more than 100 disks at one time.
  • It is not supported on array LUNs.
  • It is not supported on SSDs.
  • If you sanitize both SES disks in the same ESH shelf at the same time, you see errors on the console about access to that shelf, and shelf warnings are not reported for the duration of the sanitization. However, data access to that shelf is not interrupted.

I’ve also read that you shouldn’t sanitize more than 6 disks at once. I’m going to sanitize our disks in batches of 5, 5 and 4 (14 total). I’ve also read you do not want to sanitize disks across shelves at the same time.
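
The batching rules above can be checked before any disk is touched. The planner below is an added example, not code from the original post or from NetApp; the disk names, the shelf numbers, the choice of which two disks are SES disks and the `Disk` fields are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_BATCH = 5  # batch size used in the post (it cites 6 as the reported limit)

@dataclass(frozen=True)
class Disk:
    name: str             # constructed names such as "0a.16"
    shelf: int
    kind: str = "SAS"     # "SAS", "ATA" or "SSD"
    failed: bool = False  # failed for read/write problems
    ses: bool = False     # one of the shelf's two SES disks

def plan_batches(disks, max_batch=MAX_BATCH):
    """Return (batches, excluded). Each batch is a list of disk names from
    one shelf, at most max_batch long, with at most one SES disk.
    excluded maps disk name -> reason it cannot be sanitized."""
    excluded, by_shelf = {}, defaultdict(list)
    for d in disks:
        if d.failed:
            excluded[d.name] = "failed disk"
        elif d.kind == "SSD":
            excluded[d.name] = "SSD not supported"
        else:
            by_shelf[d.shelf].append(d)
    batches = []
    for shelf in sorted(by_shelf):
        ses = [d for d in by_shelf[shelf] if d.ses]
        plain = [d for d in by_shelf[shelf] if not d.ses]
        total = len(ses) + len(plain)
        # Enough batches to respect the size cap and to separate SES disks.
        count = max(-(-total // max_batch), len(ses))
        shelf_batches = [[] for _ in range(count)]
        for i, d in enumerate(ses):       # one SES disk per batch
            shelf_batches[i].append(d.name)
        for d in plain:                   # then fill the emptiest batch
            min(shelf_batches, key=len).append(d.name)
        batches.extend(shelf_batches)
    return batches, excluded

def sample_disks():
    """Constructed inventory: 14 disks on shelf 1, the first two marked SES."""
    return [Disk(f"0a.{16 + i}", shelf=1, ses=i < 2) for i in range(14)]

if __name__ == "__main__":
    batches, excluded = plan_batches(sample_disks())
    for n, batch in enumerate(batches, 1):
        print(f"batch {n} ({len(batch)} disks): {' '.join(batch)}")
    print("excluded:", excluded)
```

Disks that land in `excluded` cannot go through sanitization at all and need another disposal route, such as physical destruction.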

 

Licensing disk sanitization

Once you’ve got your license you’ll need to install it. Login to your NetApp via SSH and run the following:

 

Sanitizing your disks

1. Identify what disks you want to sanitize

Here I’ve got 13 disks in aggr0 and the 14th acting as a spare. I need to delete aggr0 to free up the disks to be sanitized.

 

2. Delete the aggregate the disks are part of

 

3. Verify all the disks you want to sanitize are now spares

 

4. Sanitize the first batch of disks (7 passes)

 

You can periodically check the status of the sanitization by running:

 

Once the disks have been sanitized, if you want to re-use them instead of replacing them, run this command:

This will add the sanitized disks to the spare pool.

 

There are a few options you can customize when running the ‘disk sanitize’ command.

 

References (NetApp login required)

19 thoughts on “How to securely erase your data on a NetApp”

  1. Thanks! This is the only documentation I found that included both:

    – the requirement to make disks spares

    – the commands to make disks spares

  2. Great Post….

    Do you have supporting documentation going into the restrictions once it’s enabled…also I’ve seen some comments stating maximum number would be ((# of disks – # of shelves) – # disks in root volume) and Both SES (SCSI Enclosure Services) drives of a shelf cannot be sanitized at the same time. The command will allow one SES drive to be sanitized at a time.  You have to make a second pass to get the second SES drive.

    Can you maybe share your experience on those comments above?

    Thanks,

    B

    • Unfortunately when I was looking into this I couldn’t find much about the restrictions once this was enabled.

      I haven’t worked with our NetApp in quite a while since I was re-assigned ~2 years ago so I can’t offer you much more information than what is in the blog post.

      If you’re concerned about the limitations give NetApp support a call. I’m sure they can tell you.

  3. When I try to make aggregate offline it gives me the following error:

    aggr offline: Cannot offline aggregate ‘aggr0’ because it contains
    one or more flexible volumes.

     

    do you know a work around for this?

  4. Aggr has vol0, which contains the root:

    filer*> vol status
    Volume State Status Options
    vol0 online raid_dp, flex root, create_ucode=on,
    sis maxdirsize=28835

    Filer*> vol offline vol0
    vol offline: Offlining root volume ‘vol0’ is not allowed.

    Any suggestions would be greatly appreciated.

    • You can’t offline vol0 since that’s the root volume with the OS on it.

      You’ll have to Snapmirror it to another aggregate or leave it alone.

      • Ended up wiping the filers ( didn’t care if we lost the data on it).

        Your doc worked once we did that.

        Thanks for posting the info.

      • Hello. We must delete all data, including those on the aggregate 0 that contains vol0. How to do ? Best regards

        • I think aggr0 and vol0 need to be around for the wipe commands to work.

          You might just have to physically destroy those drives if it won’t let you wipe them.

          You could try creating a new aggr1 with a default install of the OS on a fresh vol0 and then from there wipe aggr0 and the old vol0. Just make sure when you build the new vol0 you don’t re-use any sensitive data like passwords and such since you won’t be able to securely wipe it.

  5. Hi, can you post how long it took for the process to complete for your disk types and command used?  was it hours/days, etc.  Thanks.

    • I’ve done SAS (250gb) and SATA (don’t remember the size) on a FAS2020.

      Didn’t time it so I can’t say how long it took.

      Commands I used are documented in the article.

  6. What tool has been used to connect with netapp filer. I could see the output in different color and its nice looking.

    • That’s actually just the syntax highlighter I use for this site. It’s not the actual output of the NetApp’s CLI. Sure would be awesome if it was though.

  7. I am a newbie to NetApp. I have a NetApp DS2246 NAJ-1001. Is there a way I can connect this enclosure to my PC and run KillDisk to sanitize hard disks?

  8. Hello Eric,

    Excellent post. Are you able to source any details with regards to what happens to “Failed Disks” for data protection and compliance. Typically the failed drive will evacuate the data over to the parity drives thus staying online etc and then the disk gets replaced but what actually happens to the failed drive itself – is it possible to sanitise this? Although for obvious reason and as you rightly said – this may not be possible due to the reason the disk might have failed in the first place.

    Thus is the only real secure way to dispose of the data on the disks is to retain the disks (RMA) and then dispose of them yourself or via 3rd party. I wasn’t sure if there was any documentation to provide reassurance that due to the way WAFL works across disk and maybe some sort of background process that can be triggered (i.e. sanitiser) whether this would meet some compliance needs.

    Many thanks in advance,

    Adrian

    • You can always run a magnet over the disk before returning it to NetApp.

      Once the disk has failed I don’t think you can do much with it within the NetApp. They are just SAS/SATA disks. You could remove them from the caddie and dban them or something, return them to the caddie and then hope NetApp doesn’t notice when you ship the disk back.

      I’ve done some storage RFPs as part of my job and NetApp says they securely destroy the disks when they get them back from a RMA. Also depending on your service contract you can opt to keep the disks and then destroy them yourself.
