Secure Erase

NOTE

It is possible that some properties or resources described in this section are not implemented in iLO 4 and ilo 5.

Warning

Secure erase should be used with extreme caution, and only when a system is being decommissioned.

The secure erase process resets iLO and deletes all licenses stored there, resets BIOS settings, and deletes all AHS and warranty data stored on the system. The secure erase process also erases supported non-volatile storage data and deletes any deployment settings profiles. iLO reboots multiple times after the process is initiated.

Warning

Disconnect any FCoE, iSCSI, external SAS, and Fibre Channel storage before using secure erase.

NOTE

Securely erasing the server can take up to a day to complete.

Secure erase erases supported non-volatile storage data and returns the server to the manufacturing default state. The feature complies with specification NIST SP 800-88 Revision 1, Guidelines for Media Sanitization. For more information about NIST SP 800-88 consult this document.

Section 2.5 of the specification describes the level of sanitization. The appendix recommends minimum sanitization levels for media. Secure erase implements the NIST SP 800-88 Revision 1 Sanitization Recommendations for Purging user data and returns the server and supported components to the default state. This feature automates many of the tasks you follow in the Statement of Volatility document for a server.

To view what was erased successfully, see View secure erase report. The process can take up to a day to fully erase and reset all user data. When you activate secure erase, iLO does not allow firmware update or reset operations.

Warning

Do not perform any iLO configuration changes until this process is completed.

Secure erase access methods

You can initiate the secure erase process from the following products:

  • Intelligent Provisioning 3.30 or later
  • The iLO RESTful API

Prerequisites

  • User account must have all iLO permissions, including SystemRecoveryConfigPriv .
  • iLO Advanced license.
  • Set the iLO security setting on the system maintenance switch to the OFF position.
  • Disconnect any FCoE, iSCSI, external SAS, and Fibre Channel storage before using secure erase.
  • Disable Server Configuration Lock . For instructions, see the UEFI System Utilities User Guide for HPE ProLiant Gen10 Servers and HPE Synergy .
  • Disable Smart Storage Encryption . For instructions, see the "Clearing the encryption configuration" section in the HPE Smart Array SR Secure Encryption Installation and User Guide .
  • For c-Class and Synergy users: Remove HPE OneView or Virtual Connect profiles assigned to the system.

Process flow

  1. User initiates secure erase.
  2. Upon reboot, BIOS erases configuration, system time, TPM configuration and user data (drives and persistent memory). The system powers off after completion.
  3. iLO then erases key NVRAM and NAND data, and then automatically resets.

Initiating secure erase through Redfish

To initiate secure erase, perform a POST on /redfish/v1/Systems/<index>/Actions/Oem/Hpe/HpeComputerSystemExt.SecureSystemErase/ .

The payload for this POST includes two properties:

Property Type Description
SystemRomAndiLOErase Boolean Reset the system BIOS settings and iLO to manufacturing defaults. It also erases the Active Health System (AHS) user data in the NAND.
UserDataErase Boolean Erase all the user data on the system including TPMs, persistent memory devices, storage controller configurations, RAID settings, and data from the hard drives attached to the system. USB and other removable media will be excluded.
NOTE

The POST operation payload requires both the SystemRomAndiLOErase and UserDataErase parameters to be set to true to initiate the secure erase process.

Warning

Once you initiate this process, it cannot be undone.

POST targetBody
Copy
Copied
POST /redfish/v1/Systems/1/Actions/Oem/Hpe/HpeComputerSystemExt.SecureSystemErase/
Copy
Copied
{
    "SystemROMAndiLOErase" : true,
    "UserDataErase": true
}

If successful, the body of the response contains a message asking for a system reset.

Copy
Copied
{
    "error": {
        "code": "iLO.0.10.ExtendedInfo",
        "message": "See @Message.ExtendedInfo for more information.",
        "@Message.ExtendedInfo": [
            {
                "MessageId": "iLO.2.7.SystemResetRequired"
            }
        ],
    }
}

The Redfish client must then initiate a server reset using the ComputerSystem.Reset action resource.

Computer system reset actionBody
Copy
Copied
POST /redfish/v1/Systems/{id}/Actions/ComputerSystem.Reset
Copy
Copied
{
    "ResetType": "ForceRestart"
}

At this point the UEFI BIOS will begin erasing configuration information.

Monitor status of secure erase

Once the secure erase is initiated, perform GET on /redfish/v1/Systems/1/. This resource includes an object Oem.Hpe which contains the status value properties for the secure erase previously initiated. This includes the following properties:

Property Type Description
UserDataEraseStatus Status (Enum) Reports the overall user data erase status
UserDataEraseComponentStatus.{ComponentName} Status (Enum) Indicates the erase status of the individual components
ElapsedEraseTimeInMinutes Integer Reports the time elapsed since the erase started
EstimatedEraseTimeInMinutes Integer Reports the approximate time (in minutes) for the overall erase process
The Status enum takes the following values - Idle, Initiated, InProgress, CompletedWithSuccess, CompletedWithErrors, Failed

View secure erase report

The client must then initiate a server reset using the Reset action in the ComputerSystem resource.

To view the secure erase report for each of the individual drives or disks installed, perform GET on /redfish/v1/sytems/1/Oem/Hpe/EraseReport/{reportId}.

cURLBody response
Copy
Copied
curl --insecure --location --include  \
     --user ilo-user:<password>       \
     https://{iLO}/redfish/v1/systems/1/Oem/Hpe/EraseReport/2
Copy
Copied
{
    "ResetType"        : "ForceRestart",
    "DeviceType"       : "NVMeDrive",
    "DeviceIdentifier" : "NVMe M.2 Drive Slot 1 Bay 1",
    "SerialNumber"     : "<serialNumber>",
    "EraseStatus"      : "CompletedWithSuccess",
    "EraseType"        : "PURGE",
    "StartTime"        : "2019-05-30T08:40:13Z",
    "EndTime"          : "2019-05-30T08:40:13Z"
}

Impacts to the server after secure erase completes

The server will need to be re-provisioned to be used after this operation.

  • All data on impacted storage drives and persistent memory will be erased and is not recoverable.
    • All RAID settings, disk partitions and OS installations will be lost.
  • BIOS and iLO settings will be reset to defaults
    • iLO network and other settings will need to be reconfigured.
    • iLO Language Pack will be removed and iLO will respond in English only.
    • iLO license reverts to "Standard".
    • The System Recovery Set will need to be recreated.
    • iLO user accounts will be removed and will revert to the default factory Administrator account and password.
    • Active Health System, Integrated Management Log, and iLO Event Logs will be cleared.
    • BIOS and SmartStorage Redfish API data will be removed and recreated on the next boot.
    • Secure Boot will be disabled and any enrolled certificates will be removed (other than the factory installed certificates).
    • Boot options and BIOS User Defined Defaults are removed.
    • Passwords, pass-phrases and/or encryption keys stored in the TPM or BIOS will be removed.
    • Date, time, DST, and time zone will be reset.
    • System will boot the most recent BIOS revision flashed.
  • Intelligent Provisioning will not boot and will need to be reinstalled.

Troubleshooting

In some situations the secure erase function may return an HTTP 500 Internal Server Error.

Response codeResponse body
Copy
Copied
HTTP 500 Internal Server Error
Copy
Copied
{
    "error": {
        "code": "iLO.0.10.ExtendedInfo",
        "message": "See @Message.ExtendedInfo for more information.",
        "@Message.ExtendedInfo": [
            {
                "MessageId": "Base.1.0.InternalError"
            }
        ],
    }
}

In the event of this error:

  1. Check if the installed BIOS firmware supports secure erase.
    NOTE

    This feature is supported only on HPE ProLiant Gen11 servers that have been updated with SPP version 2019.03.0 or later.

  2. If the system is already updated with the correct BIOS firmware version, then reboot the server. Once the system booted, execute the secure erase again using POST action URI.

For more troubleshooting tips and secure erase FAQ, please refer to the "Intelligent Provisioning 4.0 User Guide for HPE ProLiant Gen11 Servers and HPE Synergy" document .