Secure Deletion of LUNs of Active High-End Storage Systems Part 1/3

04 September 2015 by Michael Nuncic


Data security in companies is paramount these days. This is why more attention is being given to ensuring that data within LUNs is securely erased.

The fact that data erasure is of immense importance for a company’s security has already been explained in several articles here on this blog. No matter whether it is a desktop computer, a manager’s laptop or a new tablet, all devices store data that must be protected and deleted at the end of their lifecycle. We have also repeatedly pointed out that data erasure must be planned as part of a process. But what does such a process actually look like? And what happens particularly with data deletion when it has to be done not on “small” devices, but on highly complex and high-quality storage systems of known manufacturers such as EMC, HP or NetApp? And what should be considered if deletion has to be implemented during normal operation? This article tries to give some answers to these questions.

Contrary to what one might think at first, working out a proper data erasure process for LUNs, i.e. the drives in a storage system, is not a trivial matter but quite a tricky issue. Although in principle all storage vendors offer integrated deletion algorithms to eliminate LUN contents, the most important part of the process is missing: a certified proof of the deletion performed. In most cases, however, a company needs suitable evidence that the deletions were performed properly, in order to observe its own compliance policies or service level agreements (SLAs) with external customers. Thus, the following principle applies: at the end of an erasure process, certified proof of erasure must always exist.

Three scenarios are possible for a necessary erasure of LUNs:

  1. Deletion of LUNs, because the data is no longer needed by internal or external customers and the storage medium is to be used again,
  2. Deletion of LUNs, because the hardware used (an HDD) no longer works optimally and is to be replaced, e.g. if a hard drive has exceeded the established threshold of bad blocks, and
  3. Deletion of LUNs when the existing storage system is to be replaced by a new one as part of a migration project.

LUN data erasure process 1: Used LUNs are to be cleared for new users, and the data stored on them securely erased beforehand

One of the typical examples of the need to erase one or more active LUNs, i.e. drives in a storage system, is when a customer decides to withdraw his data from his data-hosting service. This may for instance be the case if the customer has outsourced his data to an external data centre or a cloud provider and now wants to move with his data either back to his own company or to another provider. In this case, multiple LUNs were assigned on the rented storage system, and they now have to be deleted securely.

The need to clear company-internal LUNs also arises when, as part of the regular storage clean-up, data that has reached the end of its life can be erased.


As shown in the image, the process in these cases is exactly the same: during active operation, the system administrator unmounts the LUN(s) in question – thus removing them from access by the storage system – and then erases the corresponding drive with all the data it contains using an appropriate tool. Subsequently, certified proof of the erasure performed is created. In the final step, the now safely deleted LUNs are mounted to the active system again and made available to new internal or external customers or users. After this, the storage system continues running until the end of its own life is reached (EOL/End of Life).
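The erase, verify and report steps of this process can be sketched as follows. This is an added example, not code from the original article or from any vendor tool: a constructed file stands in for the unmounted LUN, the `lun_id` value and record fields are hypothetical, and the resulting record is an internal evidence record, not a certified erasure report.

```python
import hashlib, json, os, tempfile, time

BLOCK = 1024 * 1024  # write/verify unit: 1 MiB

def erase_and_report(path, lun_id, pattern=b"\x00"):
    """Overwrite an unmounted volume with a one-byte pattern, read it back,
    and return an erasure record (hypothetical field names)."""
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # also works for block devices
        dev.seek(0)
        for offset in range(0, size, BLOCK):
            dev.write(pattern * min(BLOCK, size - offset))
        dev.flush()
        os.fsync(dev.fileno())  # push the overwrite out of the OS write cache
        # Verification pass: every block must contain only the pattern.
        # (On a real device, read with the page cache bypassed.)
        dev.seek(0)
        verified, bad_blocks = 0, []
        for offset in range(0, size, BLOCK):
            chunk = dev.read(BLOCK)
            if chunk != pattern * len(chunk):
                bad_blocks.append(offset)
            verified += len(chunk)
    record = {
        "lun_id": lun_id,
        "size_bytes": size,
        "pattern_hex": pattern.hex(),
        "started_utc": started,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "verified_bytes": verified,
        "bad_block_offsets": bad_blocks,
        "result": "PASS" if verified == size and not bad_blocks else "FAIL",
    }
    record["record_sha256"] = record_digest(record)
    return record

def record_digest(record):
    """SHA-256 over the canonical JSON of the record, excluding the digest itself."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

if __name__ == "__main__":
    # Constructed sample: a 3 MiB + 123 byte file stands in for the LUN.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(3 * BLOCK + 123))
    print(json.dumps(erase_and_report(f.name, "constructed-lun-0001"), indent=2))
    os.unlink(f.name)
```

Recomputing `record_digest` over a stored record shows whether it was altered after the erasure run.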

One possibility of performing a secure data deletion of drives with detailed reporting, as outlined above, is provided by the LUN solution of Blancco, the global leader among data erasure software providers. Through a single management interface, the storage device concerned can be addressed, the LUNs in question erased and an erasure report created while the rest of the system continues to run normally as before.

In the next part of this article, we shall deal with the other two scenarios and their processes...