
    Wiping HD

    • george1421G
      george1421 Moderator @lostitguy
      last edited by

      @lostitguy From a data security perspective FOG does not wipe a hard drive before imaging. FOG destroys the partition tables, then lays down a new partition table and data onto the disk.

      The term “wipe a hard drive” is a specific and intentional action. I might be reading more into your question, but you used a specific trigger phrase.

      For example, let's say you had 100GB of data on a hard drive and you reimage with FOG, and your image is 25GB in size. FOG will destroy the partition table and then download 25GB of data back to the hard drive. The data beyond 25GB is still really on the disk media, but it's not accessible unless you use forensic tools. So this data is not securely erased before reimaging.

      I want to make the point that there is a difference between securely wiping a HD and simply reimaging to make it difficult to access the data. If you need to securely wipe a hard drive, FOG does have tools to do that, or you can use PXE boot to boot into DBAN if you need a certificate-of-destruction type wipe.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

      • L
        lostitguy
        last edited by

        Good Evening George,

        Could you explain the other wipe options? Or send me a link explaining how it is done.

        • george1421G
          george1421 Moderator @lostitguy
          last edited by

          @lostitguy You must have the target computer registered with FOG. When you do, go into the host management page, select the target host of interest and open its profile. On the basic tab at the top there is a wipe disk option.

          When you deploy that task, if the target computer has the FOG client installed, the target will reboot, and once it reboots and connects to the FOG iPXE menu it will begin wiping the hard drive.

          If you need something else, please explain.

          • L
            lostitguy
            last edited by

            Thank you for the information. Is there a way to do it without the FOG client? What I'm hoping to do is being able to select an image; once that image had been selected it would run a DBAN or DoD wipe, and once the full wipe was completed it would deploy the image.

            • george1421G
              george1421 Moderator @lostitguy
              last edited by

              @lostitguy Sorry about the 20 questions here but I’m trying to dive to an actionable answer.

              Do you specifically need a DoD or mil standard wipe, or would something like a 3 pass random write work?

              The wipe (DBAN or FOG) and imaging is currently a three step process: Wipe, reboot, Deploy. If you could do that all from the FOG iPXE menu would that work?

              Is this a requirement for every system you deploy?

              Will you use FOG in a system builder role (image with FOG then never see the hardware again)?

              • L
                lostitguy @george1421
                last edited by

                @george1421 The setup would be to meet CMMC standards for wiping a drive. And then deploy the image.

                • L
                  lostitguy
                  last edited by

                  @george1421 Also, is there a way to add wipe options to the FOG menu to complete the wipe, instead of having to register it to FOG first and trigger the wipe within the web interface?

                  • george1421G
                    george1421 Moderator @lostitguy
                    last edited by

                    @lostitguy said in Wiping HD:

                    Also is there a way to add wipe options to the fog menu to complete the wipe instead of having to register

                    Yes there is. I looked into DBAN and it hasn’t been updated since 2015. So it might have issues with NVMe drives (I don’t know, just a guess). If it's DBAN or FOG wipe drive we can call it from the FOG iPXE menu. (This is a bit off topic, but I have a tutorial on how to call different OS installers from the FOG iPXE menu here: https://forums.fogproject.org/topic/10944/using-fog-to-pxe-boot-into-your-favorite-installer-images. While the actions will be different, it's the concept that we will use.)

                    If we want to use FOG Wipe to perform the disk cleaning there are three modes.

                    nvme = reformat drive
                    full and normal use the Linux shred program, where full uses 3 passes and normal uses 1 pass.
                    fast wipe uses dd to zero out all of the blocks.

                    ref: https://github.com/FOGProject/fos/blob/8abc49dfaa17353411698f81115387a3a4f9743e/Buildroot/board/FOG/FOS/rootfs_overlay/bin/fog.wipe#L17

                    For DBAN it's a little different in that we will use the concepts of the previous link for booting different OS installers. If you download the DBAN ISO we can copy the dban.bzi file from the ISO image to the /tftpboot directory on the FOG server. Then we would create a custom iPXE FOG menu that would look like this:
                    Menu Item: app.dban
                    Description: DBAN Disk Eraser Tool
                    Parameters:
                    kernel tftp://${fog-ip}/dban.bzi
                    imgargs dban.bzi nuke="dwipe --autonuke --method dod522022m" silent vga=785
                    boot || goto MENU
                    Menu Show with: All Hosts

                    Again, this will be a two step process:

                    1. Wipe the hard drive
                    2. Image the computer using the iPXE Image Deploy menu. You will not need to touch the FOG web ui.

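Added example, not part of george1421's posts or FOG's own code: the difference between reimaging and wiping described in this thread, reproduced on a 1 MiB scratch file that stands in for the disk. The marker string, the sizes and the function names are constructed for illustration; the dd and shred calls follow the modes listed above, not the contents of fog.wipe.

```shell
#!/bin/sh
# Added example. A 1 MiB scratch file stands in for the disk; no block device is touched.
MARKER="CONSTRUCTED-OLD-RECORD"   # constructed stand-in for the previous user's data

# Old disk contents: 1 MiB with MARKER at 900 KiB, past where the new image ends.
make_used_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1024 seek=900 conv=notrunc 2>/dev/null
}

# Reimage: only the first 256 KiB is rewritten (the 25GB-on-100GB case, scaled down).
reimage() {
    dd if=/dev/urandom of="$1" bs=1024 count=256 conv=notrunc 2>/dev/null
}

# Zero every block with dd, the approach the post gives for the fast mode.
zero_fill() {
    blocks=$(( $(wc -c < "$1") / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# Overwrite with shred; the post gives 3 passes for full and 1 for normal.
shred_passes() {   # $1 = file, $2 = number of passes
    shred -n "$2" "$1"
}

# What a forensic read of the raw media would find.
residue() {
    if grep -a -q "$MARKER" "$1"; then echo present; else echo absent; fi
}

# Post-wipe check for the zero-fill case: count the bytes that are not 0x00.
nonzero_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# Run the whole sequence on a temporary file and print one result per step.
demo() {
    disk=$(mktemp) || return 1
    make_used_disk "$disk"; reimage "$disk"
    echo "after reimage:   residue $(residue "$disk")"
    zero_fill "$disk"
    echo "after zero fill: residue $(residue "$disk"), non-zero bytes $(nonzero_bytes "$disk")"
    rm -f "$disk"
}
demo
```

The same residue and non-zero-byte checks can be pointed at a block device after a wipe task to confirm the result before the machine is redeployed.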
                    • L
                      lostitguy @george1421
                      last edited by

                      @george1421 For FOG wipe, can I do that from the FOG menu or do I need to register and then create a task to wipe?

                      • george1421G
                        george1421 Moderator @lostitguy
                        last edited by george1421

                        @lostitguy Well, you will need to make up your own FOG iPXE menu to specifically call the wipe function.

                        I am not 100% sure I have the stanza right but it should look like this

                        Menu Item: fog.wipeit
                        Description: FOG builtin Disk Eraser Tool
                        Parameters:
                        kernel tftp://${fog-ip}/bzImage
                        initrd tftp://${fog-ip}/init.xz
                        imgargs bzImage initrd=init.xz root=/dev/ram0 rw ramdisk_size=256000 ip=dhcp web=${fog-ip}/fog/ consoleblank=0 loglevel=4 mode=wipe wipemode=full
                        imgfetch init.xz
                        boot || goto MENU
                        Menu Show with: All Hosts

                        If you ALWAYS want to wipe before a deploy in one step that is also possible but you will need to “hack” the fog deploy script to include the shred command. That is a bit more complicated than creating a fog ipxe menu, but modifying the fog deploy script is not that difficult either. There are just more steps involved.

                        Copyright © 2012-2024 FOG Project