FDRERASE, Mainframe data destruction
FDRERASE; Scrubbing data from disks
We frequently hear horror stories about how the personal and financial details of thousands of customers have been lost due to computer media going astray. Protecting data is a big issue these days, and you often need to be able to prove that you have securely wiped all the data from disks after a disaster recovery test, when you are de-commissioning old disk subsystems or even when you stop using a set of disks for one application and want to use them for another.
It is a misconception to think that initialising a disk will remove all the data on that disk. In the case of a mainframe initialisation, a minimal ICKDSF initialisation of a volume wipes out the VTOC but leaves the data on the disk, where it can be retrieved quite easily by rebuilding the VTOC. The problem is twofold: you must ensure that all the data is completely erased, and you also want to do it in a minimum of time. Of course, you also want an audit trail for your auditors that proves the data has been erased.
Another factor that you need to consider is the standards adopted by your company. There are a few different standards out there for data erasure; two that spring to mind are the National Computer Security Center (NCSC) standard in the USA and the NATO data destruction standard.
One product that can do the job is FDRERASE. It has three principal operating modes, QUICKERASE, ERASE and SECUREERASE, which are summarised in the table below.
| | QUICKERASE | ERASE | SECUREERASE |
|---|---|---|---|
| Default action | Hardware CKD erase | Overwrite every track on the selected disk devices with a single track-length record consisting of binary zeros. | Write three patterns to every disk track. The first write is a random byte pattern, the second is the complement of the first pattern and the third is a different random byte pattern. |
| Certification level | None | CCRA certified; meets the NCSC definition of 'clearing' the disk | CCRA certified; complies with the NCSC definition of 'purging' the disk |
| Typical use | Erasing data on disks that will be re-used internally | Erasing disks that will be sold, scrapped or returned to the manufacturer, since it makes the original data difficult to recover even if the hard drives are removed, especially if multiple passes and patterns are used. | Sensitive data, especially on disks that will be scrapped or sold: the original data is unrecoverable even if the hard drives are removed from the control unit. |
| Performance | Very fast, with very little impact on I/O channel usage. | Quite fast, as very little data must be sent down the channel for each track, allowing many disks to be erased in parallel. Typically 2-3 minutes for a 3390-3. | Slower than ERASE, since it always writes a non-zero record, multiple times, to every track. Typically 7-8 minutes for a 3390-3. |

Optional actions: multiple passes can be specified with ERASEPASS=N, and a specific overwrite byte with ERASEPATTERN=.
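As an added illustration (not the vendor's code), the following Python models the three overwrite styles from the table together with a VERIFY-style uniformity check, and shows why the minimal initialisation described above leaves data in place. Track numbers, record contents and the "one byte repeated along the track" reading of a byte pattern are constructed assumptions.

```python
"""Toy model of the overwrite passes in the table above and of why a minimal
ICKDSF initialisation is not an erase (constructed example, not vendor code).
A track is a bytearray, a 'byte pattern' is one byte value repeated along
the track, and track 1 stands in for the VTOC."""
import random

def fill(track, value):
    track[:] = bytes([value]) * len(track)

def erase(track, passes=1, pattern=0x00):
    """ERASE: binary zeros once; ERASEPASS=N / ERASEPATTERN= are modelled
    by the passes and pattern arguments. Returns the byte written per pass."""
    for _ in range(passes):
        fill(track, pattern)
    return [pattern] * passes

def secure_erase(track, rng=None):
    """SECUREERASE: a random byte, its complement, then a different random byte."""
    rng = rng or random
    first = rng.randrange(256)
    third = rng.choice([b for b in range(256) if b != first])
    written = [first, first ^ 0xFF, third]
    for value in written:
        fill(track, value)
    return written

def verify(track):
    """VERIFY-style check: the pattern byte if the whole track is one repeated
    byte (what ERASE/SECUREERASE leave behind), else None (data still there)."""
    return track[0] if track and track.count(track[0]) == len(track) else None

def residual_tracks(volume):
    """Tracks on which recoverable data is still present."""
    return sorted(t for t, data in volume.items() if verify(data) is None)

def make_volume():
    # Constructed sample: VTOC on track 1, customer records on tracks 2 and 3.
    return {1: bytearray(b"VTOC: CUST.MASTER CUST.HISTORY"),
            2: bytearray(b"ACCT 1001 SMITH  BALANCE 1200.00"),
            3: bytearray(b"ACCT 1002 JONES  BALANCE 3400.50")}

def minimal_init(volume):
    """Minimal ICKDSF-style init: only the VTOC track is rewritten."""
    fill(volume[1], 0x00)

def wipe_volume(volume, mode="ERASE", seed=1):
    rng = random.Random(seed)
    for track in volume.values():  # every track is overwritten, whatever the mode
        secure_erase(track, rng) if mode == "SECUREERASE" else erase(track)
    return residual_tracks(volume)
```

After minimal_init the data tracks are still reported as residual, which is the rebuild-the-VTOC scenario; after either wipe mode nothing remains.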
FDRERASE comes in two flavours: Mainframe FDRERASE and FDRERASE/OPEN.
The Mainframe version
Mainframe FDRERASE can be controlled with batch jobs. By definition, the ERASE function is non-reversible, so there is also a SIMERASE function to let you test the process before you run it for real. This just checks that the control statements are valid and lists all the disks that will be processed, but it does not delete any data. Because you cannot back out from an FDRERASE, you must ensure that you are scrubbing the right disks, and the onus is on you to get it right. I'd suggest a visual check of the VTOC at an absolute minimum.
FDRERASE does offer you some protection against accidents. By default, FDRERASE operates only on disks that are offline to the LPAR that the job is running on. Also by default, those disks must either be FDRPAS source disks or have an empty VTOC. However, you can override these safety checks using CHECKTARGET=NO if you do not want to check the VTOC and ONLINE=VARYOFF if you don't care whether a disk is online; in that case FDRERASE will vary an online disk offline. Typically, you would only use this when cleaning up after a DR test. Note that the online check is not foolproof, as it only applies to the LPAR that you are running on.
When initialising disks with ICKDSF, I first have a quick look at the VTOC through ISPF option 3.4 to make sure the disk is empty, then I take it offline with a route command, RO *ALL,V 2080,OFFLINE, which passes the vary command to every LPAR that has access to disk 2080. Then I check the SYSLOG to make sure that the disk came offline to every LPAR.
FDRERASE integrates well with FDRPAS. Typically you use FDRPAS to move a disk to a new location, and then you want the old data destroyed. You can licence FDRERASE as an option to FDRPAS and then when FDRPAS takes its source volume offline, it will use FDRERASE to wipe the data (If you are not an FDRPAS user then you licence FDRERASE as a stand-alone product).
This first example is a SIMERASE, which will list exactly which offline disks match the patterns A9*, AA* and AB*, as well as checking the syntax of the control cards.
//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM  DD SYSOUT=*
//SYSIN    DD *
  SIMERASE TYPE=FULL
  MOUNT ERASEUNIT=(A9*,AA*,AB*)
This is a SECUREERASE job that will do a certified wipe of all the data from an old disk subsystem in a single job with one set of control statements. The subsystem is defined to the system to use all addresses starting F*, and you have previously removed all the data from these disks and varied them offline everywhere. By default, FDRERASE will check that the disks are offline and empty. Notice that you can specify disks singly or by pattern mask. If you use a pattern mask and some disks in that pattern are online, FDRERASE will only work on the offline disks.
//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM  DD SYSOUT=*
//SYSIN    DD *
  SECUREERASE TYPE=FULL
  MOUNT ERASEUNIT=(F*)
This next example MUST be used with care. You have finished a DR test and you want to wipe all your data. A standard ERASE is adequate for this. You do not want to have to check that all the volumes are offline, and you know that the VTOCs contain data, so you override the safety checks. Also, you want the disks back online at the end of the job.
In this example the disks must be available for use afterwards, so they are re-initialised with VOLSERs starting with DR, followed by the 4-digit unit address. The job also creates a 4 cylinder VTOC at the beginning of the disk.
//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM  DD SYSOUT=*
//SYSIN    DD *
  ERASE TYPE=FULL,CHECKTARGET=NO,MAXTASKS=64,ONLINE=VARYOFF,VARYON=AFTER
  MOUNT ERASEUNIT=(3*,4*,5*),CHANGEVOL=DR&UUU,VTOCLOC=1,VTOCSIZE=59
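To make the safety checks and mask handling concrete, here is an added dry-run model in Python (not FDRERASE code) that reports, SIMERASE-style, which units each of the three jobs above would touch and why the rest are skipped. The device inventory, unit addresses, the fdrpas_source flag and the option names as Python arguments are constructed assumptions.

```python
"""Dry-run model of the FDRERASE safety checks and ERASEUNIT masks described
above (constructed example, not vendor code; all device data is made up)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Device:
    unit: str                    # 4-digit unit address, e.g. "A901"
    online: bool                 # online to the LPAR the job runs on
    vtoc_empty: bool             # VTOC holds no data set entries
    fdrpas_source: bool = False  # source volume of an FDRPAS swap

def new_volser(changevol, unit):
    """CHANGEVOL=DR&UUU: &UUU stands for the 4-digit unit address."""
    return changevol.replace("&UUU", unit)

def select_targets(devices, masks, checktarget=True, varyoff=False):
    """Split units matching ERASEUNIT masks (A9*, F*, ...) into (erased, skipped).
    Defaults per the text: offline only, and VTOC empty or FDRPAS source;
    CHECKTARGET=NO and ONLINE=VARYOFF lift those two checks respectively."""
    erased, skipped = [], []
    for d in devices:
        if not any(fnmatchcase(d.unit, m) for m in masks):
            continue
        if d.online and not varyoff:
            skipped.append((d.unit, "online to this LPAR"))
        elif checktarget and not (d.vtoc_empty or d.fdrpas_source):
            skipped.append((d.unit, "VTOC not empty"))
        else:
            erased.append(d.unit)
    return erased, skipped

# Constructed inventory: an old subsystem on A9xx/ABxx plus DR test volumes.
DEVICES = [
    Device("A901", online=False, vtoc_empty=True),
    Device("A902", online=True, vtoc_empty=True),
    Device("AB10", online=False, vtoc_empty=False),
    Device("AB11", online=False, vtoc_empty=False, fdrpas_source=True),
    Device("3001", online=True, vtoc_empty=False),
    Device("4F00", online=False, vtoc_empty=False),
]

def simerase_default():
    """Like the SIMERASE and SECUREERASE jobs: default safety checks on."""
    return select_targets(DEVICES, ["A9*", "AA*", "AB*"])

def dr_cleanup():
    """Like the DR job: checks overridden, survivors renamed via DR&UUU."""
    erased, _ = select_targets(DEVICES, ["3*", "4*", "5*"], checktarget=False, varyoff=True)
    return {u: new_volser("DR&UUU", u) for u in erased}
```

The skipped list is the part worth reading before the real run: an online disk or a non-empty VTOC in the default mode is exactly what a visual VTOC check would have caught.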
Using the FDRERASE ISPF Interface
The FDRERASE ISPF interface allows you to initiate, monitor and control FDRERASE operations on the system to which your TSO session is logged on. As I prefer batch jobs for running actual work, this section just shows you how to monitor FDRERASE with the ISPF panels.
The FDRERASE panel (see below) is displayed via option 'E' from the main FDR/ABR Primary Option menu. Pressing ENTER checks whether there are any FDRERASE tasks in progress on this system. If active tasks are found, they are automatically displayed. A status of ACTIVE indicates that the erase is in progress; the text following it indicates the type of erase (QUICK, ERASE or SECURE). The status can also be ERASED (complete), ERROR (the erase had problems), SUSPEND (someone stopped it) or INACTIVE (no erase was ever started for the volume).
The display will also tell you how far the erase has got and the elapsed time so far. To see an updated status, just press ENTER again.
The Open version
FDRERASE/OPEN runs from a bootable CD. It can access any disk that can be attached to an Intel (x86) or compatible platform, whether SCSI or Fibre Channel attached.
When you boot up the CD you get a typical Windows-style GUI that you use to control FDRERASE. You are presented with a number of icons at the top of the window, and these allow you to select the ERASE, SECUREERASE or VERIFY options, or to display the current log data. FDRERASE will automatically detect all attached disks and then present these as a list so you can select which disks you want to process.
The VERIFY option checks a selected disk to see if it contains data patterns as used by FDRERASE/OPEN.
The Logfile option will display a list of activity logs for a given disk.
There is also an icon to display the history records for FDRERASE. These detail all actions taken by FDRERASE for auditing purposes and are kept on a USB memory stick.
FDRERASE/OPEN run times depend on the disk sizes and amount of parallel processing, but 10GB per minute is typical.