Decommissioning encrypted volumes

For SafeGuard Enterprise-protected computers we provide the command-line tool beinvvol.exe, which safely decommissions encrypted volumes (hard disks, USB sticks etc.). The tool implements a seven-pass overwrite based on DoD Standard 5220.22-M, alternating fixed patterns with random data, to securely delete the key stores of a volume.

This command-line tool is intended to be used on computers for which the following applies:

  • SafeGuard Enterprise is installed.

  • Some hard disk volumes have been encrypted.

You have to run this tool from a system in which the SafeGuard Enterprise encryption driver is not active. This prevents volumes from being decommissioned by accident on a running system. If the driver is active, the tool refuses to run and displays an error message.

Note We recommend that you start the computer from an external medium such as a Windows PE CD and use the tool according to the instructions in its command-line help.

After the relevant target volumes have been decommissioned, they are no longer readable.

Following DoD Standard 5220.22-M, the command-line tool permanently purges the boot sector and the SafeGuard Enterprise Key Storage Areas (original KSA and backup KSA) of each target volume by overwriting them seven times. Because the random Data Encryption Key of each volume exists only in these KSAs and is not backed up in the central database for SafeGuard Enterprise Clients, the volumes are permanently sealed afterwards: even a security officer cannot regain access. Note that on flash-based media such as USB sticks and SSDs, wear levelling may leave earlier physical copies of a sector in cells that an overwrite never reaches; the purge destroys the logical key store, but for such media the only way to be certain the key material is gone is physical destruction of the device.

The command-line tool also displays information about the available volumes, for example the volume name, the volume size, and the location of the boot sector and the KSAs. This information can optionally be written to a file. The path to that file must point to a volume that is not being decommissioned, since a decommissioned volume is unreadable afterwards and the report would be lost with it.
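The following is an added illustration of the mechanism described above; it is not beinvvol.exe, not Sophos code, and does not use the real SafeGuard on-disk format. It assumes a toy volume layout (boot sector, original KSA, data sectors, backup KSA in the last sector), a toy SHA-256 counter-mode cipher in place of the real volume cipher, and an assumed seven-pass pattern sequence. It shows the three things the text describes: the pre-flight volume report, the refusal to run while the encryption driver is active, and the seven-pass purge of the boot sector and both KSAs, after which the random DEK no longer exists anywhere and the data can no longer be unlocked.

```python
"""Toy model of decommissioning an encrypted volume by purging its key storage areas.
Added illustration only; this is not beinvvol.exe and not the SafeGuard on-disk format."""
import hashlib
import os
import secrets

SECTOR = 512
KSA_MAGIC = b"TOYKSA01"          # assumed marker identifying a valid KSA record
# Assumed seven-pass sequence (the real tool's patterns are not documented on the page):
# fixed 0x00, fixed 0xFF, random, 0x00, 0xFF, random, random. None means fresh random bytes.
PASS_PATTERNS = [b"\x00", b"\xff", None, b"\x00", b"\xff", None, None]


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream standing in for the real volume cipher."""
    blocks = [hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def layout(size: int) -> dict:
    """Assumed toy layout: boot sector, original KSA, data sectors, backup KSA last."""
    return {"boot": (0, SECTOR), "ksa": (SECTOR, 2 * SECTOR),
            "data": (2 * SECTOR, size - SECTOR), "ksa_backup": (size - SECTOR, size)}


def build_volume(plaintext: bytes, kek: bytes, data_sectors: int = 8) -> bytearray:
    """Encrypt plaintext under a random DEK; the DEK exists only wrapped inside the two KSAs."""
    img = bytearray((3 + data_sectors) * SECTOR)
    lay = layout(len(img))
    ds, de = lay["data"]
    if len(plaintext) > de - ds:
        raise ValueError("plaintext does not fit the toy volume")
    dek = secrets.token_bytes(32)
    # KSA record: magic | DEK wrapped under the user's key-encryption key | 8-byte DEK check value
    record = KSA_MAGIC + xor_bytes(dek, keystream(kek, 32)) + hashlib.sha256(dek).digest()[:8]
    for start, _ in (lay["ksa"], lay["ksa_backup"]):
        img[start:start + len(record)] = record
    img[0:8] = b"TOYBOOT1"
    img[ds:de] = xor_bytes(plaintext.ljust(de - ds, b"\x00"), keystream(dek, de - ds))
    return img


def describe_volume(name: str, img: bytearray) -> dict:
    """The pre-flight report a decommissioning tool shows: name, size, region offsets, KSA state."""
    lay = layout(len(img))

    def intact(region: str) -> bool:
        start = lay[region][0]
        return bytes(img[start:start + len(KSA_MAGIC)]) == KSA_MAGIC

    return {"name": name, "size": len(img), "boot_sector": lay["boot"], "ksa": lay["ksa"],
            "ksa_backup": lay["ksa_backup"],
            "ksa_intact": intact("ksa"), "ksa_backup_intact": intact("ksa_backup")}


def unlock(img: bytearray, kek: bytes):
    """Recover the DEK from the original KSA or, failing that, the backup, and decrypt the data.
    Returns None when neither KSA yields a valid key: the state after decommissioning."""
    lay = layout(len(img))
    for start, _ in (lay["ksa"], lay["ksa_backup"]):
        rec = bytes(img[start:start + 48])
        if rec[:8] != KSA_MAGIC:
            continue                      # KSA purged (or never written)
        dek = xor_bytes(rec[8:40], keystream(kek, 32))
        if hashlib.sha256(dek).digest()[:8] != rec[40:48]:
            continue                      # wrong KEK for this record
        ds, de = lay["data"]
        # rstrip removes the toy zero padding (plaintext ending in 0x00 would lose it too)
        return xor_bytes(bytes(img[ds:de]), keystream(dek, de - ds)).rstrip(b"\x00")
    return None


def overwrite_region(img: bytearray, start: int, end: int, patterns=PASS_PATTERNS) -> int:
    """Overwrite [start, end) once per pattern, in order; returns the number of passes."""
    n = end - start
    for pat in patterns:
        img[start:end] = os.urandom(n) if pat is None else pat * n
    return len(patterns)


def decommission(img: bytearray, driver_active: bool) -> list:
    """Purge the boot sector and both KSAs with the seven-pass overwrite.
    Refuses to run while the encryption driver is active, mirroring the tool's precondition."""
    if driver_active:
        raise RuntimeError("encryption driver is active; boot from an external medium first")
    lay = layout(len(img))
    purged = []
    for region in ("boot", "ksa", "ksa_backup"):
        overwrite_region(img, *lay[region])
        purged.append(region)
    return purged


if __name__ == "__main__":
    kek = hashlib.sha256(b"constructed user passphrase").digest()   # stand-in for the user's key
    vol = build_volume(b"payroll 2024", kek)
    print(describe_volume("D:", vol))
    print("before:", unlock(vol, kek))
    decommission(vol, driver_active=False)
    print(describe_volume("D:", vol))
    print("after:", unlock(vol, kek))    # None: the DEK no longer exists anywhere
```

The point of the model is that the ciphertext in the data sectors is never touched: purging the small KSA regions alone is enough, because the per-volume DEK lives only there and nowhere in the central database, so neither the user's KEK nor a security officer's credentials can recover it afterwards.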

Note Data on a decommissioned volume cannot be recovered.