Zeroization consists of erasing any and all potentially sensitive information in the device. This includes erasure of Main memory, cache memories, and other memories containing packet data, NVRAM, and Flash memory. The process of zeroization is launched upon the initiation of a user command and a subsequent trigger.

Important

service declassify erase-nvram is NOT guaranteed to securely and completely erase the data from the underlying file system. The data may be recoverable by forensic analysis techniques. Consider using service declassify erase-all to securely delete all data on the device

Important

IOS cannot securely erase an SD Card, so integrators that want secure erasure must not include the SD Card.

By default, the device will have the zeroization feature disabled. SPI: Flash, I2C, mSATA SSD and ACT2 are not impacted by this feature.

Note	Ensure that you are familiar with the Emergency Recovery Installation procedure BEFORE attempting to test the Zeroize feature.

When zeroization is functionally active, the SYS LED indicates blinking yellow until the device reloads.

The term Reset Button does not have the same meaning as with other devices. There is no actual button on the device, and the system integrator must configure their platform with a push button. Reset on a device does not cause the device to reboot, but initiates the configured level of Zeroization.

Zeroization can be triggered by the push button, or software-triggered by a privilege 15 user with console access. There is no remote access for security reasons. On triggering zeroization, the eMMC, NVRAM will be erased completely.

The zeroization process starts as soon as the push button is pressed down or the command is triggered. The CLI command, service declassify , is used to set the desired action in response to push button press. To prevent accidental erasure of the system configuration/image, the default setting is set to no service declassify .

Note

While Cisco IOS and Cisco IOS-XE use the command line text of “declassify” in the command line interface (CLI) to enable the zeroize feature, in no way does this represent any specific endorsement or acknowledgment of a Government approved flash erasure methodology. Device Zeroization Declassification procedures are unique to each Government organization. Cisco solely provides the technical detail of the erasure operation here, not the policy distinction or any specific recommendation per classification. Please refer to your respective Government Agency policies, procedures, and recommendations for the handling of sensitive data to see if this procedure meets with those requirements.

There is a zeroization function available on the device when the system integrator has configured their platform with a push button.

• When the system is running in IOS mode, pressing this push button for 4+ seconds will cause files erase in flash, and will reset to factory-default mode on boot up.
• The button must be pressed while the system is turned on at the same time.
• The push button must continue to be held for more than 4 seconds after the power is turned on.
• Config-reg setting is in NVRAM, not changed by the push button.
• Pressing the push button when in rommon mode has no effect.
• Pressing the push button when in IOS mode causes a syslog message to appear and triggers a reload.
• Pressing the push button for more than 4+ seconds after power up displays the following message when reset has been triggered:

System Bootstrap, Version 1.4(DEV) [vandvisw-vandvisw 113], DEVELOPMENT SOFTWARE 
Copyright (c) 1994-2019 by cisco Systems, Inc. 
Compiled at Mon Jun 3 10:56:19 2019 by vandvisw 
ESS-9300-CON-K9 platform with 4194304 Kbytes of main memory 
MCU Version - Bootloader: 8, App: 10 
MCU is in application mode. 
Reset button push detected

The MCU is part of the device hardware. It performs the following functions:

• Monitors the Push button status at power up
• Monitors the system hardware watchdog output
• Maintains Reset Reason register
• Controls the SYS LED

The MCU versions are displayed using show version. Details on MCU version and upgrade status are also stored in Flash: as boothelper.log. The MCU is automatically upgraded by the software.

Router#show ver | i MCU
MCU bootloader version: 8
MCU application version: 10
Router#cat flash:boothelper.log
Logging at Fri Nov 15 05:00:54 Universal 2019
boot loader upgrade enabled
Bootloader is up-to-date
Current MCU App version is 10
MCU firmware is up-to-date

In the event the MCU Application is corrupt, or does not match the Release Notes version, this has to be repaired. Steps to recover from this state: Reload router, hit Ctrl+C to break into rommon mode.

Rommon>set MCU_UPGRADE=IGNORE
 - 
Ignore MCU firmware upgrade errors
.
Rommon>sync
Rommon>reset
Rommon>boot bootflash:<image>

Once the MCU successfully upgrades, you can disable/unset this IGNORE option in rommon. Details on other MCU setting rommon options follow: (there are no available IOS configuration options or linux shell mode troubleshooting measures)

set MCU_UPGRADE=SKIP
 – 
Prevents MCU firmware upgrade from taking place
.
set MCU_UPGRADE=FORCE
 – 
Forces MCU firmware upgrade to take place
.
unset MCU_UPGRADE
 – 
Normal operation. Allows automatic upgrade
.

Zeroization can be triggered by either software or by the push button. In either case, there are a series of commands that need to be entered.

Router#config terminal
Router(config)#service declassify {erase-nvram | erase-all}

To confirm if service declassify is enabled:

Router#show declassify
 
Declassify facility: Enabled=Yes  In Progress=No
                     Erase flash=Yes  Erase nvram=Yes
  Declassify Console and Aux Ports
  Shutdown Interfaces
  Reload system

To remove declassification, use the following command:

Router(config)#no service declassify