FDRERASE: Scrubbing data from disks

We frequently hear horror stories about how the personal and financial details of thousands of customers have been lost due to computer media going astray. Protecting data is a big issue these days, and you often need to be able to prove that you have securely wiped all the data from disks after a disaster recovery test, when you are de-commissioning old disk subsystems or even when you stop using a set of disks for one application and want to use them for another.

It is a misconception to think that initialising a disk will remove all the data on that disk. In the case of a mainframe initialisation, a minimal ICKDSF initialisation of a volume wipes out the VTOC but leaves the data on the disk, where it can be retrieved quite easily by rebuilding the VTOC. The problem is twofold: you must ensure that all the data is completely erased, and you also want to do it in the minimum of time. Of course, you also want an audit trail that proves to your auditors that the data has been erased.

Another factor to consider is the standards your company has adopted. There are several different standards out there for data erasure; two that spring to mind are the National Computer Security Center (NCSC) in the USA, and the NATO data destruction standard.

One product that can do the job is FDRERASE. It has three principal operating modes, QUICKERASE, ERASE and SECUREERASE and these are summarised in the table below.

Mode: QUICKERASE
  Default action: Hardware CKD erase.
  Certification level: None.
  Typical use: Erasing data on disks that will be re-used internally.
  Performance: Very fast, with very little impact on I/O channel usage.

Mode: ERASE
  Default action: Overwrite every track on the selected disk devices with a single track-length record consisting of binary zeros.
  Certification level: CCRA certified; meets the NCSC definition of 'clearing' the disk.
  Optional actions: Multiple passes can be specified with ERASEPASS=n, and a specific overwrite byte with ERASEPATTERN=.
  Typical use: Erasing disks that will be sold, scrapped or returned to the manufacturer, since it makes it difficult to recover the original data even if the hard drives are removed, and especially if multiple passes and patterns are used.
  Performance: Quite fast, as very little data must be sent down the channel for each track, allowing many disks to be erased in parallel. Typically 2-3 minutes for a 3390-3.

Mode: SECUREERASE
  Default action: Write three patterns to every disk track. The first write is a random byte pattern, the second write is the complement of the first pattern, and the third write is a different random byte pattern.
  Certification level: CCRA certified; complies with the NCSC definition for 'purging' a disk.
  Typical use: Sensitive data, especially when held on disks that will be scrapped or sold. This makes the original data unrecoverable even if the hard drives are removed from the control unit.
  Performance: Slower than ERASE, since it always writes a non-zero record, multiple times, to every track. Typically 7-8 minutes for a 3390-3.
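To make the write sequences in the table concrete, here is an added Python model of the ERASE and SECUREERASE passes over one simulated track, with the read-back check and per-pass audit record a practitioner would want as evidence. It is not FDRERASE's own code: the track size, the sample track contents, and the assumption that ERASEPASS= and ERASEPATTERN= apply only to ERASE are all constructed for the illustration, and QUICKERASE is a hardware CKD erase that writes no host pattern, so it is not simulated.

```python
import secrets
from typing import List, Optional

# Constructed constant: usable bytes on one 3390 track, used only to size the simulated track.
TRACK_BYTES = 56664


def build_passes(mode: str, erasepass: int = 1,
                 erasepattern: Optional[int] = None) -> List[bytes]:
    """Return the track-length patterns a mode writes, in write order.

    This models the behaviour the article describes; it is not FDRERASE's logic.
      ERASE       - one record of binary zeros per pass; ERASEPASS=n repeats it and
                    ERASEPATTERN=xx substitutes a specific fill byte (assumed here to
                    apply only to ERASE, as in the mode table).
      SECUREERASE - a random pattern, the complement of that pattern, then a
                    different random pattern.
    """
    if mode == "ERASE":
        if erasepass < 1:
            raise ValueError("ERASEPASS must be at least 1")
        fill = 0x00 if erasepattern is None else erasepattern
        if not 0 <= fill <= 0xFF:
            raise ValueError("ERASEPATTERN must be a single byte value")
        return [bytes([fill]) * TRACK_BYTES for _ in range(erasepass)]
    if mode == "SECUREERASE":
        first = secrets.token_bytes(TRACK_BYTES)
        second = bytes(b ^ 0xFF for b in first)   # complement of the first pass
        third = secrets.token_bytes(TRACK_BYTES)
        while third == first:                      # must be a *different* random pattern
            third = secrets.token_bytes(TRACK_BYTES)
        return [first, second, third]
    raise ValueError(f"unsupported mode {mode!r}")


def scrub_track(track: bytearray, passes: List[bytes]) -> List[dict]:
    """Write each pass over the simulated track, read it back, and return one
    audit record per pass (the kind of evidence the article says auditors want)."""
    audit = []
    for number, pattern in enumerate(passes, start=1):
        track[:] = pattern                                  # write the pass
        audit.append({"pass": number,
                      "verified": bytes(track) == pattern,  # read-back check
                      "all_zero": not any(pattern)})        # zeros vs. non-zero record
    return audit


def secure_sequence_ok(passes: List[bytes]) -> bool:
    """Check that a pass list has the SECUREERASE shape the article describes:
    three non-zero records, the second the complement of the first, the third different."""
    if len(passes) != 3:
        return False
    first, second, third = passes
    complement_ok = all(a ^ b == 0xFF for a, b in zip(first, second))
    nonzero = all(any(p) for p in passes)
    return complement_ok and third != first and nonzero


if __name__ == "__main__":
    # Constructed sample track holding recognisable customer records.
    record = b"CUST-0001 ACCT 1234567890 BAL 100.00 ;"
    original = (record * (TRACK_BYTES // len(record) + 1))[:TRACK_BYTES]
    for mode, opts in (("ERASE", {}),
                       ("ERASE", {"erasepass": 3, "erasepattern": 0xFF}),
                       ("SECUREERASE", {})):
        track = bytearray(original)
        audit = scrub_track(track, build_passes(mode, **opts))
        print(mode, opts, audit, "original survives:", bytes(track) == original)
```

The audit list is what a batch job would log per volume: which pass ran, that the read-back matched, and whether the final record was zeros (ERASE) or non-zero (SECUREERASE).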

FDRERASE can be controlled with batch jobs. Because the ERASE function is, by definition, non-reversible, there is also a SIMERASE function that lets you test the process before you run it for real. SIMERASE just checks that the control statements are valid and lists all the disks that would be processed; it does not delete any data. Because you cannot back out of an FDRERASE, you must make sure that you are scrubbing the right disks, and the onus is on you to get it right. I'd suggest a visual check of the VTOC as an absolute minimum.

FDRERASE does offer some protection against accidents. By default, FDRERASE operates only on disks that are offline to the LPAR the job is running on. Also by default, those disks must either be FDRPAS source disks or have an empty VTOC. You can override these safety checks with CHECKTARGET=NO if you do not want the VTOC checked, and ONLINE=VARYOFF if you don't care whether a disk is online; in that case FDRERASE will vary an online disk offline. Typically you would only use these overrides when cleaning up after a DR test. Note that the offline check is not foolproof, because it only applies to the LPAR that you are running on.

When initialising disks with ICKDSF, I first have a quick look at the VTOC through ISPF option 3.4 to make sure the disk is empty, then I take it offline with a route command, RO *ALL,V 2080,OFFLINE, which passes the vary command to every LPAR that has access to disk 2080. Then I check the SYSLOG to make sure that the disk came offline to every LPAR.

FDRERASE integrates well with FDRPAS. Typically you use FDRPAS to move a disk to a new location, and then you want the old data destroyed. You can licence FDRERASE as an option to FDRPAS and then when FDRPAS takes its source volume offline, it will use FDRERASE to wipe the data (If you are not an FDRPAS user then you licence FDRERASE as a stand-alone product).

SAMPLE JCL

This first example is a SIMERASE, which lists exactly which offline disks match the patterns A9*, AA* and AB* and checks the syntax of the control cards.

//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM DD SYSOUT=*
//SYSIN DD *
 SIMERASE TYPE=FULL
 MOUNT ERASEUNIT=(A9*,AA*,AB*)

This is a SECUREERASE job that does a certified wipe of all the data from an old disk subsystem in a single job with one set of control statements. The subsystem is defined to the system using all addresses starting F*, and you have previously removed all the data from these disks and varied them offline everywhere. By default, FDRERASE will check that the disks are offline and empty. Notice that you can specify disks singly or by pattern mask. If you use a pattern mask and some disks in that pattern are online, FDRERASE will only work on the offline disks.

//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM DD SYSOUT=*
//SYSIN DD *
 SECUREERASE TYPE=FULL
 MOUNT ERASEUNIT=(F*)
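The disk selection that the two jobs above rely on (offline-only by default, an empty VTOC or an FDRPAS source disk unless CHECKTARGET=NO, ONLINE=VARYOFF to take online disks offline first, and pattern masks whose online members are simply skipped) can be modelled as a pre-flight check, which is essentially what SIMERASE reports. This is an added Python example, not FDRERASE's own selection logic: the Device fields, the sample inventory, and the assumption that the two checks are applied independently are all constructed for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    """One DASD address as seen from the LPAR running the job (constructed model)."""
    unit: str                    # 4-hex-digit device address, e.g. "A901"
    online: bool                 # online to this LPAR only; other LPARs are not visible
    vtoc_empty: bool             # VTOC contains no data sets
    fdrpas_source: bool = False  # volume is the source of a completed FDRPAS swap


def inventory() -> List[Device]:
    """Constructed sample inventory, returned fresh so VARYOFF can be simulated."""
    return [
        Device("A901", online=False, vtoc_empty=True),
        Device("A902", online=True,  vtoc_empty=True),      # still online: skipped by default
        Device("AA00", online=False, vtoc_empty=False),     # has data: skipped by default
        Device("AB10", online=False, vtoc_empty=False, fdrpas_source=True),  # allowed
        Device("F000", online=False, vtoc_empty=True),      # outside the A9*/AA*/AB* masks
    ]


def select_units(devices: List[Device], masks: List[str],
                 checktarget: bool = True,
                 online: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Model of which units an ERASE or SIMERASE step would act on.

    masks        ERASEUNIT= masks; '*' is the only wildcard modelled here.
    checktarget  CHECKTARGET=YES (default) requires an empty VTOC or an FDRPAS source;
                 CHECKTARGET=NO (False) skips that check.
    online       None (default) skips units online to this LPAR; "VARYOFF" models
                 ONLINE=VARYOFF and varies them offline first.
    The two checks are applied independently (an assumption consistent with the
    DR-cleanup job in the article, which overrides both).
    Returns (selected units, {skipped unit: reason}).
    """
    if online not in (None, "VARYOFF"):
        raise ValueError("ONLINE override must be VARYOFF or omitted")
    selected: List[str] = []
    skipped: Dict[str, str] = {}
    for dev in devices:
        if not any(fnmatchcase(dev.unit, m) for m in masks):
            continue                                   # not requested by any mask
        if dev.online:
            if online != "VARYOFF":
                skipped[dev.unit] = "online to this LPAR"
                continue
            dev.online = False                         # simulated V unit,OFFLINE
        if checktarget and not (dev.vtoc_empty or dev.fdrpas_source):
            skipped[dev.unit] = "VTOC not empty"
            continue
        selected.append(dev.unit)
    return selected, skipped


if __name__ == "__main__":
    masks = ["A9*", "AA*", "AB*"]          # masks from the SIMERASE sample job
    print("defaults:  ", select_units(inventory(), masks))
    print("DR cleanup:", select_units(inventory(), masks,
                                      checktarget=False, online="VARYOFF"))
```

Run with the defaults, the model selects only A901 and the FDRPAS source AB10 and reports why A902 and AA00 were left alone; with both overrides, every masked unit is selected, which is exactly why the article says the DR-cleanup form must be used with care.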

This next example MUST be used with care. You have finished a DR test and you want to wipe all your data. A standard ERASE is adequate for this. You do not want to have to check that all the volumes are offline, and you know that the VTOCs contain data, so you override the safety checks. You also want the disks back online at the end of the job.

In this example the disks must be available for use afterwards, so they are re-initialised with VOLSERs starting with DR followed by the 4-digit unit address. The job also creates a 4-cylinder VTOC at the beginning of the disk.

//FDRERASE EXEC PGM=FDRERASE,REGION=0M
//STEPLIB DD DISP=SHR,DSN=your.fdrerase.loadlib
//SYSPRINT DD SYSOUT=*
//FDRSUMM DD SYSOUT=*
//SYSIN DD *
 ERASE TYPE=FULL,CHECKTARGET=NO,MAXTASKS=64,
 ONLINE=VARYOFF,VARYON=AFTER
 MOUNT ERASEUNIT=(3*,4*,5*),CHANGEVOL=DR&UUU,
 VTOCLOC=1,VTOCSIZE=59

Using the FDRERASE ISPF Interface

The FDRERASE ISPF interface allows you to initiate, monitor and control FDRERASE operations on the system to which your TSO session is logged on. As I prefer batch jobs for running the actual work, this section just shows you how to monitor FDRERASE with the ISPF panels.

The FDRERASE panel is displayed via option 'E' from the main FDR/ABR Primary Option menu. Pressing ENTER checks whether there are any FDRERASE tasks in progress on this system; if active tasks are found, they are displayed automatically. A status of ACTIVE indicates that the erase is in progress, and the text following it indicates the type of erase (QUICK, ERASE, or SECURE). The status can also be ERASED (complete), ERROR (the erase had problems), SUSPEND (someone stopped it) or INACTIVE (no erase was ever started for the volume). The display also tells you how far the erase has got and the elapsed time so far.

To see an updated status position, just press ENTER again.
