How do I wipe an encrypted USB flash drive?

Question

My company has issued an encrypted USB flash drive which I stored my personal data in it. I am resigning from the company and I wanted to wipe the data in the usb drive but I have forgotten the password.

I tried using dban and nuke to wipe the data but it is an unrecognised device shown in dban.

The USB flash drive comes with an EXE program which I need to enter a password before the drive can be mounted.

How do I remove my personal data in the encrypted USB flash drive?

Updates

I tried gpart and the disk couldnt be found
I tried diskpart and the disk was 0 bytes, neither can I find any partition or able to clean it.
I did a live ubuntu cd boot and the usb thumb drive was detected as a cd-rom

There is no way of wiping the data and I have returned the device and trust the sysadmin to have integrity of wiping the device.

Lesson learnt: Never store your personal data on company device.

Why do you need to wipe encrypted data? Do they have the encryption keys and can unlock the encrypted data? If you really want to wipe it, have you investigated using disk partition editors to delete the encrypted partition then create a regular FAT/NTFS partition that can be wiped? — jehad, Jun 26 '16 at 10:32
I don't trust the IT Admin to wipe the data. It is possible that they decrypt the drive and view the data. I have tried to use some partition tools to delete the partition, but it couldnt detect the disk/partition. — ilovetolearn, Jun 26 '16 at 11:02
Do you know how to use Linux, or boot up a live CD? Linux's tools (such as GParted) will certainly not fail to delete the partition. — jehad, Jun 26 '16 at 11:15
Maybe you should ask this question on Information Security Stack Exchange? Just a suggestion... — palsch, Jun 26 '16 at 15:30
You can use a fire, that always works. Flash drives are like cheap, just buy another one. In the future, there might always be a new way of reading private data. [tag:tin-foil-hat-security] — noɥʇʎԀʎzɐɹƆ, Jun 26 '16 at 20:16
@CrazyPython: Proactively destroying company property is not something you are typically allowed to do. Likewise proactively smuggling new devices into the company. — phresnel, Jun 26 '16 at 22:34
Please describe the steps required to access the data regularly and how it appears (separate drive etc). Do you perhaps know the make and model? — Daniel B, Jun 27 '16 at 04:41
... and this is one reason why you do not store or transmit personal bits on or across company property. — Eric Towers, Jun 27 '16 at 07:10
If you have forgotten the password, it's obviously something you don't normally use in the line of your job. If it's not, the company should not be surprised if employees misplace these small devices. I'm not suggesting that you _accidentally_ misplace it but.. — pipe, Jun 27 '16 at 11:05
I see some people telling you to reformat and then write zeros to the disk using `dd`. I just want to warn that if you specify the wrong device with `dd` (e.g. `sdb` instead of `sdc` or something depending on what your setup looks like) you can do SERIOUS and IRREPPARABLE damage to your actual operating system, so please be careful! — Liam, Jun 27 '16 at 18:58
I need specific Information on how the drive was encrypted, edit your question (do not comment) and provide that information, the current answers are not really that great because your failed to provide this information — Ramhound, Jun 27 '16 at 22:19
Does anyone else at your company know the password? If yes, then ask them for it. If no, then the drive is encrypted, and they are unlikely to recover its contents anyway (unless they are very determined and want to go through the trouble of trying to brute force it). — jamesdlin, Jun 28 '16 at 10:48
Ofcourse the drive is recognized as a cd-rom. The USB drive contains a partition that acts as a cd-rom and an encrypted partition that contains your data. You don't want to flash the first partition, you just want to clear your data from the second or change the encryption key/password used to decrypt it. (see my answer) — BlueCacti, Jun 28 '16 at 13:43

RedGrittyBrick · Accepted Answer · 2016-06-28T20:01:52.947

72

How do I remove my personal data in the encrypted thumb drive? ... I have forgotten the password … unrecognised device

Crush it to small particles using a large hammer then buy your employer a new one (or ask them to deduct the replacement cost from your wages).

It is always a mistake to store personal data on the property of someone who you do not (or in future might not) wish to have access to your personal data.

A note on overwriting USB devices that use Flash memory.

Formatting any kind of storage device does not completely destroy data, it normally just recreates the filesystem structures without affecting much of the data contents.

For a hard disk, overwriting every data sector once with zeroes (or any character/octet) is sufficient to erase data. However this does not apply to flash-memory based devices such as typical USB memory sticks.

Flash memory devices use a concept known as wear-levelling, this means that some areas of storage will be rotated out of use and will not normally be accessible when using normal filesystem operations like writing a file. This makes erasing these devices more complicated. You need to make sure that any erasure tool you use is designed to work with devices that use wear-levelling.

A note on encrypted USB drives

I have an old Sandisk Cruzer device that uses the infamous U3 encryption system. When you first plug this in, all your computer sees is a small "CD-ROM" device that contains the U3 software and an autorun file. The encrypted data is in a non-visible "device" that the computer cannot see.

Only when you enter the password into the U3 software does the software make the encrypted device visible to the computer - which then assigns it a separate drive-letter (in the case of Windows) to that assigned to the pseudo-CD-ROM.

So if you don't enter the password, your computer cannot see the encrypted storage at all. Therefore no recovery/formatting/overwriting software can help.

U3 has some security weaknesses which allow you to bypass the password (Google will find this) but it is likely your device is better than U3.

A note on corporate USB drives.

Large serious companies that take security seriously are likely to purchase devices that can be centrally managed. Part of this is making provision for lost passwords by having a separate administrative password that can allow an administrator to regain full access to a device where the user's personal password has been lost.

This means that, just because you have forgotten the password, it doesn't mean a corporate administrator can't gain access to the data secured on the device.

A note on professionalism.

I would give some consideration to explaining the situation to your employer and working with them to resolve the issue to mutual satisfaction. This would be the "right" thing to do.

However, having stored personal data on a corporate resource, I sense that you are now looking for a solution that doesn't take corporate ethics and professionalism as a key point of reference.

A note about Rottweilers.

All in all, someone might regard it as a ~~lucky blessing~~ unfortunate minor disaster if their sister's Rottweiler chewed the device up and crushed the storage chips inside before they could rescue it. Make sure that doesn't happen to you.

If that happened to me, I'd offer to pay my employer the costs (hardware and administrative) to them caused by my foolish carelessness. Taking responsibility for their actions and paying for mistakes is something that adults are expected to do.

edited Jun 28 '16 at 20:01

answered Jun 26 '16 at 12:05

RedGrittyBrick

81,981
20
135
205

2

Yes, I made a mistake and I had learnt my lesson. They might inflate the cost and charge some administrative fees, which I have no reasons to pay for. I am looking to wipe/destroy the data. – ilovetolearn Jun 26 '16 at 12:28
7

The smaller the pieces get, the better. One way to do it: https://www.youtube.com/watch?v=y2eNhPC8wCQ – asdmin Jun 26 '16 at 18:33
3

But if pieces are too small, accidental breath is possible. And I don't think that's much healthy. Same for burning gases. – Oriol Jun 26 '16 at 21:59
4

This shouldn't be done without the company's consent, though. And many company's register every hardware's serial number. – phresnel Jun 26 '16 at 22:35
Destroying the device would be a bit overkill as there are viable ways to do it with software. Then you can return the undamaged device to your employer. – kisk Jun 26 '16 at 23:55
6

Alternatively, he could just tell them company he lost it and not get into the details of destroying it. He may still have to pay for the loss, of course. @asdmin Are you sure that won't damage the blender? They're not designed for solid, hard, metalic items. – jpmc26 Jun 27 '16 at 04:08
i am pretty sure it will damage the blender, also that it is destoying the drive itself. but what other advice can you give, when the data needs to be destroyed, encryption method is not known, and it wasn't written in the question, that the device must remain intact? – asdmin Jun 27 '16 at 04:15
@asdmin perhaps just destroy the data, e.g. overwrite – Hi-Angel Jun 27 '16 at 06:35
1

@Hi-Angel: there are parts on an MTD which you can not address (and access), for example the wear-leveling area. Overwrite therefore won't give 100% result. – asdmin Jun 27 '16 at 07:14
@asdmin well, it's possible, but it have to be *very* specialized flash-drive, and I very doubt it is the case; in fact it's easy to check. I'm sure it works this way: the USB-stick broken to two partitions: one, say, ≈10Mb with the executable to decrypt and mount, and the second is the encrypted one of the left size. If what you said the case, such stick would be seen in GParted upon opening as of 10Mb size *(the single partition possible to access)*. Otherwise — which I think the case — the encrypted partition would look like either «unknown filesystem» or «free space», and is easy to erase. – Hi-Angel Jun 27 '16 at 07:46
2

I never thought about "wear-levelling". If I am right, the same is true for SSD too? – Jun 27 '16 at 11:12
1

Why do you guys think that there is some kind of 'partition' visible that's just encrypted? What about the drive's hardware making the other 'partition' visible/accesible only after authentication? – JimmyB Jun 27 '16 at 14:54
1

@asdmin with a (properly) encrypted drive, only encrypted data is written. If some traces of it remain, with the relationship between those traces undefined and the key lost, the data should be useless. After all, many drives erase encrypted data by discarding the means of generating the decryption key from the password leaving all the data intact. So in a well-implemented scheme (a big assumption I know) a partial overwrite should do. – Chris H Jun 27 '16 at 15:29
@jpmc26 unless if it is a blendtec blender. – Rod_Algonquin Jun 27 '16 at 21:41
@Rod_Algonquin - I think that claim warrants [proof](https://youtu.be/y2eNhPC8wCQ) – Johnny Jun 28 '16 at 15:30
Hey! Rottweilers are great! (But +1 anyway). – Peter K. Jun 28 '16 at 21:36
I think my usb drive functions like what you mentioned. It starts with a cdrom and executes an exe, prompting for a password, before I can see the actual disk drive – ilovetolearn Jun 29 '16 at 00:32

score 13 · Answer 2 · answered Jun 26 '16 at 12:09

13

As @jehad mentioned, use gparted utility. It is an open-source utility for disk managment, supporting a bunch of file systems.

You didn't mention what OS are you using — for most of them you can get it with package manager. Otherwise, you can download Live CD, burn it to a disk, and boot from it.

There's a few possible ways to get rid of the data — one of them is to just remove the partition with gparted, and create a new empty one. Note, that theoretically it is still possible to restore the data, in this case you can use something like dd utility, but you have to mention specifically if that's the case.

answered Jun 26 '16 at 12:09

Hi-Angel

506
7
13

I am using Windows 10. – ilovetolearn Jun 26 '16 at 12:27
@optimus well, then you have to download a LiveCD, and boot from there. The image ≈300 Mb, as I recall. – Hi-Angel Jun 26 '16 at 12:29
3

You'll need to identify the device file on your system. To to that, run the command `df` before and after plugging it in. The new line that appears for the second run is your thumb drive. It will be something like /dev/sdc. To use `dd` as Hi-Angel suggested, the syntax is `dd if=/dev/urandom of=/dev/sdX` where sdX is the device file that you identified earlier. – picobit Jun 26 '16 at 18:06
1

Usually, when someon mentions .EXE files, it's a windows platform :D – DaMachk Jun 27 '16 at 09:11
@DaMachk first, the mention of EXE file [was missing when I answered the question](http://superuser.com/revisions/1093653/1), second, [not necessarily](https://www.winehq.org/). – Hi-Angel Jun 27 '16 at 09:23
1

There's no reason to believe that the device will show up as a USB block device before running the proprietary unlocking tool. – pipe Jun 27 '16 at 11:02
@pipe there is. Creating a specialized device where you have to run a proprietary utility just to get an access to its memory doesn't seem to be very profitable, given you can do the same with a usual usb-stick, as [I commented here](http://superuser.com/questions/1093653/how-do-i-wipe-an-encrypted-usb-flash-drive/1093673?noredirect=1#comment1550571_1093672). – Hi-Angel Jun 27 '16 at 11:39
fry it :-). hook the power connectors up to a nice high charge to short circuit it. it will be broken, and most companies instate a damaged devices policy(destroy and replace) when it's broken. Recovering data from broken devices is extremely expensive(easely 500 dollar at least) so most companies don't bother. just play dumb when they ask how it got broken. might have been that thunderstorm last wednesday – Tschallacka Jun 27 '16 at 13:02
@Hi-Angel It is trivial to create such a device with any microcontroller that can talk USB. The reason for doing so is exactly for the case presented here - The user can't even wipe the data without knowing the encryption key, without physically tearing it apart. Pointless arguing about though since OP neglected to tell us any details. – pipe Jun 27 '16 at 15:27
@pipe I didn't say it is non-trivial, I said it is non-profitable, because as a manufacturer you'd have to create thousands of those. Now think for a second: if such specialized usb-drive would have a very important data, can't you just take the memory away? Yes, you can, because creating a stick where the memory would've been destroyed upon tearing it apart — is what non-trivial. And a person interested in that most probably would have resources to take the memory away, and get its content. Who needs it then, if the security falls down to simply cyphering the memory? – Hi-Angel Jun 27 '16 at 16:20

Ben N · Answer 3 · 2016-06-26T23:52:11.290

Since you're using Windows 10, you might be able to use DiskPart, depending on how the encryption works. If the flash drive doesn't even present the encrypted partition's storage space to the OS without unlocking it via some special low-level mechanism, then the only thing you can do is physical destruction, but this might help somebody:

Run diskpart.
Type list disk to see the disks available to Windows.
Type select disk N, where N is the number of the flash drive, e.g. select disk 2 if it was listed as Disk 2 in the previous step. Danger! Be very careful that you get the right drive, otherwise you'll blow away something important in the next step.
Type clean all to scribble over every sector of the drive with zeroes. If your data destroyer can handle the drive now, you can stop following these steps. If it needs a normal volume, read on.
Do list disk again to see the amount of free space the drive now has.
Run create partition primary size=N where N is the free space in megabytes.
Type list partition to see the ID of the new partition (it's probably 1).
Type select partition N where N is the partition number you just got.
Type format fs=ntfs quick to create a new NTFS volume.
Exit DiskPart with exit.
Use your data destroyer of choice to obliterate any chance of recovering the data that was under the space now occupied by this new partition.

I repartioned office pen drive using this. Pen drive was not encrypted but have many hidden partions created. — devprashant, Jun 27 '16 at 00:57

score 5 · Answer 4 · edited Jun 27 '16 at 20:34

5

The thumb drive comes with an EXE program which I need to enter a password before the drive can be mounted.

If it is just an .exe file that auto-runs on startup, just arrange a Linux PC (or download -- it's free) from someone and format. Wine can run .exe files fairly well.

edited Jun 27 '16 at 20:34

var firstName

1,777
10
18

answered Jun 26 '16 at 13:59

VIPER

59
1

@optimus Linux can't rune exe - and you can always delete the exe program. I think you have misunderstood how the thumb drive works. You can also use VMWare. – noɥʇʎԀʎzɐɹƆ Jun 26 '16 at 20:18
8

@CrazyPython The point isn't to run the exe, the point is to format the volume that contains the encrypted data. – fluffy Jun 27 '16 at 05:37

score 3 · Answer 5 · edited Jun 26 '16 at 19:10

3

If is a dedicated drive, you may try a few runs of:

cat /dev/urandom > /dev/usbdevicetowipe

...issued from a Linux live CD of your choice.

It may take a while if the drive is big, but you will get a wiped drive.

edited Jun 26 '16 at 19:10

Ben N

40,045
17
140
181

answered Jun 26 '16 at 17:22

Paolo

129
5

2

Doesn't `dd if=/dev/urandom of=/dev/usbxxx` seem like a considerably better choice than `cat`? – oldmud0 Jun 26 '16 at 17:24
I don't think so. There are answers on SE network explaining differences of cat vs dd but for such a simple task they are not relevant. Anyway I prefer to use cat because I find the syntax easier to remember... – Paolo Jun 26 '16 at 17:30
1

There is more than one way to spin a *cat*. – Jun 27 '16 at 18:08
To add to your answer, unplug all other USB flash drives to narrow the results and use `ls -l /dev/disk/by-uuid/` or `ls -l /dev/disk/by-id/` to see which dev file is associated with the USB drive. – user38537 Jun 28 '16 at 07:42
Or run `lsblk`. – gerrit Jun 28 '16 at 16:06

score 3 · Answer 6 · answered Jun 27 '16 at 10:42

IMHO there's no need for a Linux disk or similar. If you can see the Exe on the USB stick, the USB stick has already been mounted.

In that case you can:

Go into Windows' disk partition management (diskmgmt.msc)
Delete all partitions on the USB stick (there might be some without drive letter)
Create a new single partition that uses all USB disk space
Use SDelete -z to wipe all disk space

Due to the nature of Flash memory, some data may remain on the disk, but if I understood you correctly, the data was encrypted anyway, so there should not be something that can be recovered.

BlueCacti · Answer 7 · 2016-06-28T09:24:43.710

At the company I work at, we use similar encrypted USB keys to transfer data. The drive contains a partition which presents itself as being an optical drive. This partition contains the executable files to decrypt and mount the second encrypted "data" partition to the system.

The software included on our USB keys has a 'forgot password' functionality, which wipes the data off the data partition.
I suppose that the tool actually changes the encryption keys used to decrypt the data partition, making the data irretrievable for anyone who didn't know the private encryption key of the data partition.

Check whether your key's software has an option to flash the drive or to reset the password.
Actually, as long as your company doesn't know the passphrase used to unlock the decryption (private) key or the decryption key itself, there's no risk of the company being able to extract your data from the key (unless the encryption scheme is really weak and trivially reversible, which would defy the purpose of those encrypted keys).

Maybe you could edit your post to include some information on the process you would have to go through to access the data on your key, if you did remember the password.

How is the USB key presented to the host? Does it act like an optical drive, like mine?
How do you open the tool to decrypt the key?
Where/When do you need to enter the passphrase?
Is the decrypted drive mounted as a new USB drive, or is it browseable through some sort of software?
...

+1 Pretty much all the USB disks that have an EXE on a CDFS partition, that I've used, have exactly this... a "Forgotten password" function that securely wipes the disk and presents you with the ability to start again and enter a new password as if the disk were new. — Kinnectus, Jun 28 '16 at 13:14
yes, it works like a cd-rom drive, after entering the password, the disk drive appears — ilovetolearn, Jun 29 '16 at 13:37

score 2 · Answer 8 · answered Jun 28 '16 at 20:32

What type of disk? If it's like an IronKey, where the drive renders itself unreadable after a number of failed attempts, you can just enter an incorrect password enough times to trigger the self-destruct mechanism.

If it's just a standard encrypted drive, one where you chose the encryption password and no other password will unlock it, no problem. If you don't know the password, they don't know it either - so the data on it is secure even if you do turn it in.

If it has multiple passwords (e.g. like my work computer, where more than one user has a password that will unlock the full-disk encryption), in that case (and in that case ONLY) should you consider physically destroying the drive.

asdmin · Answer 9 · 2016-06-27T06:24:13.647

You could use an utility for magnetic disks (nwipe for example), but the several hidden layers between the USB/SCSI layer and the actual memory cell will prevent making a perfect job.

On top, the reserved area used for wear leveling is only accessible for the wear leveling logic, not for the USB/SCSI layer directly.

To make sure, that you remove all data from a memory technology device, meanwhile you are not in control of the encryption, is unfortunately to physically destroy the device itself.

score 1 · Answer 10 · answered Jun 27 '16 at 17:12

You can explain the situation, refuse to give the disk back, and accept to assume the replacement cost, if any.

Since it is a matter of personal data, you don't need to go into any detail. Simply state you have some personal information on the disk, and therefore are not able to give the disk back.

This is similar to having lost the disk, and the company should be able to deal with the situation.

How this goes depends a lot on the type of relation you maintain with the company and the type of personnel you are dealing with for this.

How do I wipe an encrypted USB flash drive?

10 Answers10