Secure data wipe is a Cisco-wide initiative to ensure that storage devices on all IOS XE based platforms are properly purged using
NIST SP 800-88r1 compliant secure erase commands.
This feature is supported in Cisco IOS XE 17.11.1 and later on the following IoT switches for all license levels:
When secure data wipe is enabled, everything in flash, SDflash, and USB flash is erased, including:
After the command is executed, the switch is left at the rommon prompt with default factory settings (baud rate 9600). The internal
flash memory is not formatted until the IOS image is rebooted.
Note: If an sdflash/usbflash with a valid image is inserted, the device boots with the image on the external media based on the
boot precedence. The device stays in rommon only if no external media with an image is inserted in the device.
Performing a Secure Data Wipe
To enable secure data wipe, enter the factory-reset all secure command in privileged EXEC mode, as shown in the following example:
Switch#factory-reset all secure
The factory reset operation is irreversible for securely reset all. Are you sure? [confirm]
The following will be deleted as a part of factory reset: NIST SP-800-88r1
1: Crash info and logs
2: User data, startup and running configuration
3: All IOS images, including the current boot image
4: OBFL logs
5: User added rommon variables
6: Data on Field Replaceable Units(USB/SD/SSD/SATA)
7: License usage log files
Note:
Secure erase logs/reports will be stored in flash.
The system will reload to perform factory reset.
It will take some time to complete and bring it to rommon.
DO NOT UNPLUG THE POWER OR INTERRUPT THE OPERATION
Are you sure you want to continue? [confirm]
Protection key not found
Switch#
Chassis 1 reloading, reason - Factory Reset
Jan 13 03:17:21.551: %PMAN-5-EXITACTION: C0/0: pvp: Process manager is exiting: reload cc action requested
Jan 13 03:17:21.645: %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reload fp action requested
Jan 13 03:17:23.672: %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: rp processes exit with reload switch code
Enabling factory reset for this reload cycle Switch booted with Switch booted with flash:packages.conf
Switch booted via packages.conf
% FACTORYRESET - Started Data Sanitization...
% FACTORYRESET - Unmounting sd1
% FACTORYRESET - Unmounting sd2
% FACTORYRESET - Unmounting sd3
% FACTORYRESET - Unmounting sd4
% FACTORYRESET - Unmounting sd5
% FACTORYRESET - Unmounting sd6
% FACTORYRESET - Unmounting sd7
% FACTORYRESET - Unmounting sd8
% FACTORYRESET - Unmounting sd9
% FACTORYRESET - Unmounting sd10
% FACTORYRESET - Unmounting sd11
% FACTORYRESET - Unmounting sd12
Executing Data Sanitization...
eMMC Data Sanitization started ...
!!! Please, wait - Reading EXT_CSD !!!
!!! Please, wait - Reading EXT_CSD !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p1 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p7 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p8 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p9 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p10 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p11 !!!
!!! Please, wait - Erasing(Legacy) /dev/mmcblk0p12 !!!
!!! Please, wait - Sanitizing /dev/mmcblk0 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p1 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p7 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p8 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p9 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p10 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p11 !!!
!!! Please, wait - Validating Erase for /dev/mmcblk0p12 !!!
eMMC Data Sanitization completed ...
Data Sanitization Success! Exiting...
% FACTORYRESET - Data Sanitization Success...
% FACTORYRESET - Making File System sd1 [0]
Discarding device blocks: done
Creating filesystem with 131072 4k blocks and 32768 inodes
Filesystem UUID: 80a9c93f-544c-4d27-93c7-3d5d4a422d76
Superblock backups stored on blocks:
32768, 98304
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
% FACTORYRESET - Mounting Back sd1 [0]
% FACTORYRESET - Handling Mounted sd1
% FACTORYRESET - Factory Reset Done for sd1
% FACTORYRESET - Making File System sd3 [0]
Discarding device blocks: done
Creating filesystem with 662528 4k blocks and 165648 inodes
Filesystem UUID: a9dd813b-c690-4346-914e-6dfb22d477ad
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
% FACTORYRESET - Mounting Back sd3 [0]
% FACTORYRESET - Handling Mounted sd3
% FACTORYRESET - Factory Reset Done for sd3
% FACTORYRESET - Making File System sd4 [0]
Creating filesystem with 2048 4k blocks and 2048 inodes
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
% FACTORYRESET - Mounting Back sd4 [0]
% FACTORYRESET - Handling Mounted sd4
% FACTORYRESET - Factory Reset Done for sd4
% FACTORYRESET - Making File System sd5 [0]
Creating filesystem with 2048 4k blocks and 2048 inodes
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
% FACTORYRESET - Mounting Back sd5 [0]
% FACTORYRESET - Handling Mounted sd5
% FACTORYRESET - Factory Reset Done for sd5
% FACTORYRESET - Making File System sd6 [0]
Discarding device blocks: done
Creating filesystem with 32768 4k blocks and 32768 inodes
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
% FACTORYRESET - Mounting Back sd6 [0]
% FACTORYRESET - Handling Mounted sd6
% FACTORYRESET - Factory Reset Done for sd6
% FACTORYRESET - Making File System sd11 [0]
mkfs.fat 4.1 (2017-01-24)
% FACTORYRESET - Mounting Back sd11 [0]
% FACTORYRESET - Handling Mounted sd11
% FACTORYRESET - Factory Reset Done for sd11
% FACTORYRESET - Making File System sd12 [0]
mkfs.fat 4.1 (2017-01-24)
% FACTORYRESET - Mounting Back sd12 [0]
% FACTORYRESET - Handling Mounted sd12
% FACTORYRESET - Factory Reset Done for sd12
act2 cleaning ...
% act2 cleaning success
act2 logging ...
% act2 logging success
% FACTORYRESET - Restore lic0 Files
Factory reset Secure Completed ...
FACTORYRESET - Secure Successfull
% FACTORYRESET - Check if sdflash is mounted...
% FACTORYRESET - sdflash detected..
fstype is vfat
% FACTORYRESET - Proceed with Unmounting the SD card...
% FACTORYRESET - Cleaning Up /mnt/usb2
% FACTORYRESET - In progress.. please wait for completion...
% FACTORYRESET - Making File System sdflash [0]
mkfs.fat 4.1 (2017-01-24)
mkfs result 0
% FACTORYRESET - Mounting Back sdflash
% FACTORYRESET - Factory reset done for sdflash
% FACTORYRESET - Check if usbflash is mounted...
Factory reset successful. Rebooting...
watchdog: watchdog0: watchdog did not stop!
reboot: Restarting system
factory-reset command options:
- factory-reset all: Remove everything from flash.
- factory-reset all secure: Remove everything from flash, and also unmount and sanitize the partitions before mounting them back. This ensures that the data from those partitions cannot be recovered.
Important: The factory-reset all secure operation may take hours. Please do not power cycle the device.
To check the log after the switch executes the command, boot up IOS XE and enter the following show command:
Switch#sh platform software factory-reset secure log
Factory reset log:
#CISCO IE9K DATA SANITIZATION REPORT#
START : 03-02-2023, 08:15:42
END : 03-02-2023, 08:19:18
-eMMC-
MID : 'Micron'
PNM : 'S0J56X'
SN : 0x00000001
Status : SUCCESS
NIST : PURGE
Switch#
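The sanitization report above is the record a practitioner keeps as evidence that a device was purged before disposal or transfer. The following is an added example, not Cisco code, that parses that report text and checks each storage device section for Status SUCCESS and NIST PURGE, so that reports collected from a fleet can be verified mechanically rather than by eye. It assumes the timestamp layout is day-month-year (the sample date is ambiguous) and includes a constructed failing report, which is not from the page, to show the check rejecting anything short of a successful purge.

```python
"""Parse and verify the 'show platform software factory-reset secure log'
report. Added example, not Cisco's own code."""
import re
from dataclasses import dataclass
from datetime import datetime

# Report text copied from the show command output on the page.
SAMPLE_REPORT = """\
Factory reset log:
#CISCO IE9K DATA SANITIZATION REPORT#
START : 03-02-2023, 08:15:42
END : 03-02-2023, 08:19:18
-eMMC-
MID : 'Micron'
PNM : 'S0J56X'
SN : 0x00000001
Status : SUCCESS
NIST : PURGE
"""

# Constructed report for a failed sanitization (not from the page), used to
# show that the check rejects anything short of a successful PURGE.
FAILED_REPORT = """\
Factory reset log:
#CISCO IE9K DATA SANITIZATION REPORT#
START : 03-02-2023, 09:00:00
END : 03-02-2023, 09:00:05
-eMMC-
MID : 'Micron'
PNM : 'S0J56X'
SN : 0x00000001
Status : FAILED
NIST : NONE
"""

# Assumption: timestamps are day-month-year; the sample date is ambiguous.
TIME_FORMAT = "%d-%m-%Y, %H:%M:%S"
KV_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$")   # "KEY : value"
DEVICE_RE = re.compile(r"^-(\w+)-$")                      # "-eMMC-" section header


@dataclass
class SanitizationReport:
    start: datetime
    end: datetime
    devices: dict  # device name -> {field: value}

    @property
    def duration_seconds(self) -> int:
        return int((self.end - self.start).total_seconds())


def parse_report(text: str) -> SanitizationReport:
    """Split the report into header timestamps and per-device field maps."""
    header, devices, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Factory reset log"):
            continue
        m = DEVICE_RE.match(line)
        if m:
            current = m.group(1)
            devices[current] = {}
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'")
        (header if current is None else devices[current])[key] = value
    return SanitizationReport(
        start=datetime.strptime(header["START"], TIME_FORMAT),
        end=datetime.strptime(header["END"], TIME_FORMAT),
        devices=devices,
    )


def verify_report(report: SanitizationReport) -> list:
    """Return a list of problems; an empty list means every device section
    reports a successful NIST PURGE and carries its identifiers."""
    problems = []
    if not report.devices:
        problems.append("no storage device sections found")
    for name, fields in report.devices.items():
        if fields.get("Status") != "SUCCESS":
            problems.append(f"{name}: Status is {fields.get('Status')!r}, expected SUCCESS")
        if fields.get("NIST") != "PURGE":
            problems.append(f"{name}: NIST level is {fields.get('NIST')!r}, expected PURGE")
        for required in ("MID", "PNM", "SN"):
            if required not in fields:
                problems.append(f"{name}: missing {required} identifier")
    if report.end < report.start:
        problems.append("END timestamp precedes START")
    return problems


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_REPORT), ("constructed failure", FAILED_REPORT)):
        rep = parse_report(text)
        issues = verify_report(rep)
        print(f"{label}: {rep.duration_seconds}s, {'OK' if not issues else issues}")
```

The media identifiers (MID, PNM, SN) are kept in the parsed result so that a report can be matched against the asset record of the device being retired; a report that lacks them, or that shows any NIST level other than PURGE, should not be accepted as proof of sanitization.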