Description:

The Freeze Lock Removal (FLR) is a procedure that Blancco Drive Eraser / Blancco 5 attempts in order to remove special locks that have become popular on ATA drives (a.k.a. "freeze locks"). These locks prevent some low-level commands (firmware-based erasure commands) from being executed successfully and can cause the erasure to fail. Such firmware commands are used in some erasure standards (e.g. "Blancco SSD Erasure", "NIST 800-88 Purge", "Cryptographic Erasure", "BSI-GS/E" or "BSI-2011-VS" to name a few); they are also required with some erasure options (e.g. selecting the option "Erase Remapped Sectors" on a drive that has remapped sectors). If your process mandates using one of these erasure standards or erasure options, or has to achieve a ‘Purge’ level erasure as defined by NIST *, the success of your erasure process will depend on the outcome of the FLR procedure.

The FLR procedure will attempt to remove the freeze locks by power cycling the machine: the screen turns black for a few seconds before returning. Depending on the booting option used to boot Blancco Drive Eraser / Blancco 5 (see the "Booting Options" chapter from the Blancco Drive Eraser user manual) or the configured erasure process ("Manual", "Semi-automatic" or "Automatic", see the "Processes" chapter from the Blancco Drive Eraser user manual), the freeze lock removal may occur at boot time (before the GUI is displayed) or right after pressing the "Erase" button. Unfortunately, in some hardware configurations the screen might not turn back on, leaving the machine in a seemingly inoperable state (a.k.a. "black screen" issues), meaning that the FLR procedure is not properly supported by the machine. You will find below some ways to remediate such issues.


How to handle problematic hardware? 

The user will usually face three (3) situations with problematic hardware:

  1. The screen stays black and an erasure process starts in the background: the drive’s light starts blinking as the drive is being actively erased. In this situation, only the screen is missing; if the user wants to monitor the erasure, a workaround consists in monitoring it via the Blancco Management Console. After the erasure, the report can also be fetched. Please refer to the Drive Eraser Configuration Tool and the Blancco Management Console user manuals for more information about this feature.

  2. The screen stays black and nothing starts in the background, however the machine is on (lights are on, fans are working). In this situation, only the screen is missing but the drives are most likely detected and ready for erasure; if the user wants to start and monitor the erasure, a workaround consists in controlling it via the Blancco Management Console. After the erasure, the report can also be fetched from the Blancco Management Console. Please refer to the Drive Eraser Configuration Tool and the Blancco Management Console user manuals for more information about this feature.

  3. The screen stays black and the machine is unresponsive (lights are off, fans are not working). In this situation, the freeze lock removal is most likely paused or has failed. There are a few ways to proceed:

    1. With some old machines, the freeze lock removal process may be paused because the machine has not had enough time to restart. Try to press any keyboard key (e.g. Enter) or push the machine’s power button for 1 second or so to wake up the machine and restart the software's user interface / begin the erasure (after this, you may end up with a working screen or in case 1 or 2).

    2. Some laptops and tablets need to be connected to (or disconnected from) their docking station to allow the power cycling to succeed. Other manipulations may involve connecting/disconnecting the power cable during the power cycling process.

    3. On other machines, power cycling is a functionality that needs to be turned on. Check in the BIOS/UEFI settings that the machine can be suspended and restarted; the setting may correspond to:
      1. Enabling the "Suspend-to-RAM" or "S3 mode" functionality.
      2. Moving the "ACPI Standby State" to "S3".
      3. Unblocking the "Sleep" or "S3 State" functionality.

    4. The BIOS on some machines may not support the S3 sleep state. In that case, try upgrading/downgrading the BIOS version to enable S3 support. A few examples below:
      1. In the case of the Microsoft Surface 3 Tablet, older BIOS versions (e.g. 1.50410.218) do not allow the erasure to proceed, whereas newer BIOS versions (e.g. 1.51116.78) allow the FLR procedure to work and the drive to be securely erased without a glitch.
      2. In the case of the Lenovo X1 Tablet (model 20GHS0S100), the BIOS versions 1.55 or lower do support the S3 sleep state, whereas the BIOS versions 1.57 and higher no longer support the S3 sleep state. If you need to remove the freeze locks on such machines, try to downgrade to the BIOS 1.55 or lower.

    5. If the previous steps do not work, the freeze lock removal process has likely failed. Next, try to remove the drive from the machine and connect it to a motherboard that doesn’t enforce any freeze lock (as the freeze lock itself is an entirely BIOS-dependent feature) or that can be suspended and restarted properly.

    6. Otherwise, unplug either the signal or power cable of the drive. This requires that the following steps are performed:

      1. Shut down the computer system.
      2. Unplug the signal cable or four-wire power cable of the drive while leaving the signal cable plugged in. To eliminate the danger of Electro Static Discharge, always ground yourself when removing the power cord. The signal cable is the preferred option and should be attempted first. If the freeze lock remains after attempting the boot with signal cable removed, attempt the boot with the power cord removed. This method is not recommended by Blancco, as the drive may be damaged in the process.
      3. Power on the system and boot the Blancco software.
      4. When the software is loading, i.e. you see the progress bar, plug the signal/power cord of the drive back in.
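
A pre-check for the situations above, as an added example that is not part of the original article or of Blancco's software: it reads the ATA Security section printed by `hdparm -I` to see whether a drive is frozen, and the contents of `/sys/power/mem_sleep` to see whether the Linux kernel offers S3 (listed there as `deep`). The function names and sample inputs are constructed for illustration; it assumes a Linux host with `hdparm`, `awk` and `sed`.

```shell
#!/bin/sh
# Added example (not Blancco code). Sample inputs below are constructed.

# Read `hdparm -I` output on stdin and classify the ATA Security "frozen" flag.
# Prints: frozen | not-frozen | unknown (no Security section reported).
ata_freeze_state() {
    awk '
        /^Security:/        { in_sec = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }   # a new top-level section ends it
        in_sec && /frozen/  { state = ($1 == "not") ? "not-frozen" : "frozen" }
        END                 { print (state ? state : "unknown") }
    '
}

# $1 = contents of /sys/power/mem_sleep, e.g. "s2idle [deep]".
# The Linux kernel lists suspend-to-RAM (ACPI S3) as "deep".
s3_state() {
    case " $(printf '%s' "$1" | sed 's/[][]//g') " in
        *" deep "*) echo s3-available ;;
        *)          echo s3-unavailable ;;
    esac
}

# $1 = `hdparm -I` output, $2 = mem_sleep contents.
flr_precheck() {
    freeze=$(printf '%s\n' "$1" | ata_freeze_state)
    case "$freeze/$(s3_state "$2")" in
        not-frozen/*)          echo "not frozen: firmware erasure commands are not blocked by a freeze lock" ;;
        frozen/s3-available)   echo "frozen, S3 available: freeze lock removal can be attempted" ;;
        frozen/s3-unavailable) echo "frozen, S3 unavailable: check the BIOS/UEFI sleep settings first" ;;
        *)                     echo "no ATA Security section: freeze state unknown" ;;
    esac
}

SAMPLE_FROZEN='ATA device, with non-removable media
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
Checksum: correct'
SAMPLE_NOT_FROZEN=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^ *frozen$/    not frozen/')

flr_precheck "$SAMPLE_FROZEN" "[s2idle]"
flr_precheck "$SAMPLE_NOT_FROZEN" "s2idle [deep]"
# Live use (root): flr_precheck "$(hdparm -I /dev/sdX)" "$(cat /sys/power/mem_sleep)"
```
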


Some cases when the Freeze Lock Removal is not mandatory:

A machine and drive are usually deployed within a company or organization where policies for data sanitization are defined. The erasure process used must usually follow such policies. However, depending on the case, successfully executing firmware-based erasure commands (and therefore removing the freeze locks from the drives) can be seen as a good addition and not as a mandatory requirement (i.e. the FLR procedure can be skipped). Some of these cases are listed below:

  1. The data sanitization policy of the organization does not require ‘Purge’ level erasure as defined by NIST. Instead, ‘Clear’ level erasure as defined by NIST (e.g. normal overwriting) is considered enough *.
  2. The machine and drive remain within the organization (redeployed internally) and the 'Clear' level erasure as defined by NIST is considered sufficient *.
  3. The machine displays a consistent “black screen” after attempting the FLR and the drive has a freeze lock that cannot be removed. In addition, the drive cannot be extracted from the machine (e.g. to be erased elsewhere).
  4. The drive is an HDD, it has a freeze lock, the machine does not restart after attempting the freeze lock removal (screen stays black) and the machine cannot be remotely erased. The drive is in a good condition (no remapped sectors) and/or does not have any hidden area that needs to be removed.
  5. The drive does not contain data considered as sensitive data:
    • Secret data often requires purging or sanitizing procedures that may involve the use of firmware-based erasure commands that are available only if the drive is not freeze locked.
    • The user essentially requires erasing the user addressable area of the drive.


In all the cases above a 'Clear' level erasure as defined by NIST may be considered sufficient. ‘Clear’ level erasure does not require the FLR to be attempted *.

Although Blancco Drive Eraser / Blancco 5 attempts to automatically remove the drives' freeze locks whenever detected, the user is given the possibility to prevent this mechanism from being triggered, as described in this article.


* For more information about NIST 800-88 Clear/Purge levels, read the chapter “Compliance with Updated NIST Guidelines” from the Blancco Drive Eraser user manual.