
Cryptographic Erasure (Crypto Erase): Is It a Secure Option for Data Sanitization?

Cryptographic Erase, also known as Crypto Erase, is a data sanitization method that’s gaining popularity, especially on storage devices with built-in encryption.

As compliance with data protection regulations is now mandatory for every organization, businesses must choose reliable methods to permanently remove confidential information. Cryptographic erase is one of the sanitization techniques recognized by NIST SP 800-88 (it is classed there as a Purge method), alongside overwriting (data erasure) and physical destruction. But is cryptographic erase the best option?

In this blog, we’ll answer that question. You will find out what cryptographic erase is, how it works, when it can be used and how it compares with data wiping. Finally, we’ll take a look at best practices for keeping your data fully protected.

What Is Cryptographic Erase?

Cryptographic Erase (CE) is a method for sanitizing entire drives and storage devices by destroying the encryption keys that protect the data on them.

When a drive is encrypted, everything written to it is transformed by a cryptographic algorithm (AES in practice). Reading it back requires a key, typically the drive's Media Encryption Key (MEK). Cryptographic erase does not remove the data from the disk. Instead, the MEK is securely destroyed or replaced with a freshly generated one. Without the key, the ciphertext left on the media is unreadable and, for practical purposes, gone.

In short, it’s like locking your data in a safe and throwing away the only key. The data is still there, but no one can open it.

How Cryptographic Erase Works

Here’s what needs to happen for cryptographic erase to succeed:

  • Encryption must have been active before any sensitive data was written to the drive, so that no plaintext was ever stored on the media
  • A strong algorithm with at least 128 bits of security (AES-128 or stronger) must protect the data; otherwise destroying the key does not put the data out of reach
  • The old encryption key must be securely destroyed or replaced with a freshly generated one, and every copy of it (including escrowed or backed-up copies) must go with it, leaving data encrypted under the old key unrecoverable
  • Key destruction must be verified; depending on the drive manufacturer, the drive or its management tool may report the result or issue a certificate confirming that the key was sanitized

This method is typically supported by Self-Encrypting Drives (SEDs) and drives with Instant Secure Erase (ISE) capabilities, and it is triggered through the drive's own command set: ATA Sanitize CRYPTO SCRAMBLE or Security Erase on SATA SEDs, Sanitize with the Crypto Erase action or Format with a cryptographic Secure Erase Setting on NVMe, and a TCG Opal revert on Opal-compliant drives. In each case the firmware regenerates the MEK internally; the host never sees the key.

Because the data itself isn’t being overwritten, cryptographic erase is incredibly fast, often completing in just a few seconds.
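How the key hierarchy behaves under a real crypto erase and under a botched one, as an added Python example (not code from this blog, from Jetico or from any drive vendor). It models a volume whose Media Encryption Key is wrapped by a passphrase-derived Key Encryption Key and stored in a primary header plus a backup copy; AES is replaced by an HMAC-SHA256 counter-mode keystream so the script needs only the standard library, and the layout, names and marker data are constructed for the demonstration. It also shows two points the comparison section makes: the ciphertext never leaves the media, and an "erase" that leaves one copy of the key behind sanitizes nothing.

```python
"""Toy model of an encrypted volume showing why crypto erase (CE) works
and how a careless 'erase' leaves the key recoverable.

Added example; not code from the blog, Jetico, or any drive vendor.
Assumptions (ours, not the page's):
  * AES is replaced by an HMAC-SHA256 counter-mode keystream so that the
    script needs only the Python standard library.
  * Layout: sector 0 holds a header (salt + Media Encryption Key wrapped
    under a passphrase-derived Key Encryption Key); the last sector holds
    a backup copy of that header; everything in between is user data.
    This mirrors common FDE designs but is not any product's format.
"""
import hashlib
import hmac
import os
import secrets

SECTOR = 512
PBKDF2_ROUNDS = 20_000          # low for a demo; production KDFs use far more work


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def make_header(mek: bytes, passphrase: str) -> bytes:
    """16-byte salt || MEK wrapped under the KEK, padded to one sector."""
    salt = os.urandom(16)
    return (salt + keystream_xor(derive_kek(passphrase, salt), b"wrap", mek)).ljust(SECTOR, b"\x00")


def unwrap_mek(header: bytes, passphrase: str) -> bytes:
    """Returns the MEK for the right passphrase and 32 bytes of garbage otherwise
    (a real format would also carry an authentication tag to detect the latter)."""
    salt, wrapped = header[:16], header[16:48]
    return keystream_xor(derive_kek(passphrase, salt), b"wrap", wrapped)


class ToyVolume:
    def __init__(self, sectors: int, passphrase: str):
        self.media = bytearray(sectors * SECTOR)          # what a forensic read of the drive returns
        self.mek = secrets.token_bytes(32)                 # 256-bit Media Encryption Key
        hdr = make_header(self.mek, passphrase)
        self.media[:SECTOR] = hdr                          # primary header
        self.media[-SECTOR:] = hdr                         # backup header copy

    def write_sector(self, lba: int, plaintext: bytes) -> None:
        ct = keystream_xor(self.mek, lba.to_bytes(8, "big"), plaintext.ljust(SECTOR, b"\x00"))
        self.media[lba * SECTOR:(lba + 1) * SECTOR] = ct

    def rekey_passphrase_only(self, new_passphrase: str) -> None:
        """Wrong: rewraps the SAME MEK for a new owner and forgets the backup header,
        which still wraps that MEK under the old passphrase. Nothing was sanitized."""
        self.media[:SECTOR] = make_header(self.mek, new_passphrase)

    def crypto_erase(self, new_passphrase: str) -> None:
        """Right: generate a fresh MEK and overwrite every copy of the old key material.
        User-data sectors are not touched, so their ciphertext stays on the media."""
        self.mek = secrets.token_bytes(32)
        hdr = make_header(self.mek, new_passphrase)
        self.media[:SECTOR] = hdr
        self.media[-SECTOR:] = hdr


def attempt_recovery(media: bytes, passphrase: str, lba: int, marker: bytes) -> bool:
    """Someone holding the discarded drive plus a passphrase tries every header copy."""
    for hdr in (media[:SECTOR], media[-SECTOR:]):
        mek = unwrap_mek(hdr, passphrase)
        pt = keystream_xor(mek, lba.to_bytes(8, "big"), media[lba * SECTOR:(lba + 1) * SECTOR])
        if pt.startswith(marker):
            return True
    return False


def demo(method: str) -> dict:
    """Provision a volume, write a marker, apply `method`, then run the three checks
    a practitioner should care about. Returns the results instead of printing them."""
    marker = b"PATIENT RECORD 0001"                       # constructed sample data
    old_pw, new_pw = "correct horse", "new owner"
    vol = ToyVolume(sectors=8, passphrase=old_pw)
    vol.write_sector(3, marker)
    ct_before = bytes(vol.media[3 * SECTOR:4 * SECTOR])
    getattr(vol, method)(new_pw)
    media = bytes(vol.media)
    return {
        "ciphertext_still_on_media": media[3 * SECTOR:4 * SECTOR] == ct_before,
        "old_passphrase_recovers_data": attempt_recovery(media, old_pw, 3, marker),
        "new_owner_reads_old_data": attempt_recovery(media, new_pw, 3, marker),
    }


if __name__ == "__main__":
    for method in ("rekey_passphrase_only", "crypto_erase"):
        print(f"{method:>22}: {demo(method)}")
```

Run it and compare the two result dictionaries: with rekey_passphrase_only both recovery checks come back True, with crypto_erase both come back False, and ciphertext_still_on_media stays True in both cases. On a real SED the MEK never leaves the drive and the regeneration happens in firmware; the header model here stands in for that internal key store.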

When Crypto Erase Works & When It Doesn’t

When the right conditions are in place, cryptographic erase is a fast and effective sanitization method. It does, however, require specific hardware and encryption settings, so it isn't an option for every device or situation.

You can use cryptographic erase if:

  • Your drive has built-in encryption
  • Encryption is active and correctly configured
  • You have access to the function or API that allows key deletion

You can’t use cryptographic erase if:

  • Your storage device doesn't include built-in encryption, which is common in older drives and lower-end models
  • The data was never encrypted to begin with, or encryption was switched on only after sensitive data had already been written in the clear
  • You can't verify that the encryption key was securely destroyed, for example because the drive's firmware or management tool provides no log or attestation of the operation

In those cases, cryptographic erase alone is not enough to sanitize the data, and you will need traditional overwriting software to do the job.
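A read-back check to run after the erase, as an added Python example (not from this blog, from Jetico or from any drive vendor). It follows the idea in NIST SP 800-88 of verifying sanitization by reading the media back, in full or by representative sampling, and inspecting what comes back; the entropy threshold, the sampling rule and the all-zero exception are our own choices, and the images and marker strings are constructed for the demonstration. Point verify_image at a raw image captured from the erased device in place of them.

```python
"""Read-back verification after a crypto erase (or any sanitization).

Added example; not code from the blog or from any drive or wiping vendor.
It applies the NIST SP 800-88 idea of verifying by reading the media back
(fully or by representative sampling). The entropy threshold, sampling
rule and all-zero exception are our own assumptions. Replace the
constructed sample images with a raw image of the erased device.
"""
import math
import os
import random

SECTOR = 4096  # verification granularity; a multiple of the drive's logical block size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~7.95 or more for ciphertext or random data,
    0.0 for a constant run, and low single digits for text or file-system metadata."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sector_is_sanitized(sector: bytes, min_entropy: float = 7.5) -> bool:
    """After a successful CE a sector reads back either as ciphertext under the new
    key (random-looking) or as zeros where the drive reports unmapped blocks.
    Anything structured in between (text, headers, low-entropy data) is suspect."""
    if sector == bytes(len(sector)):
        return True
    return shannon_entropy(sector) >= min_entropy


def verify_image(image: bytes, markers, sample_fraction: float = 0.1, seed=None) -> dict:
    """Two checks: (1) none of the known plaintext markers written before the erase
    survives anywhere in the image; (2) a random sample of sectors passes
    sector_is_sanitized. Returns a report dictionary instead of printing."""
    n_sectors = len(image) // SECTOR
    rng = random.Random(seed)
    k = max(1, min(n_sectors, int(n_sectors * sample_fraction)))
    sampled = sorted(rng.sample(range(n_sectors), k))
    suspect = [i for i in sampled if not sector_is_sanitized(image[i * SECTOR:(i + 1) * SECTOR])]
    found = [m for m in markers if m in image]
    return {
        "sectors_checked": len(sampled),
        "suspect_sectors": suspect,
        "markers_found": found,
        "passed": not suspect and not found,
    }


def build_sample_images():
    """Constructed test data: a clean post-CE read-back, and one where a sector
    was never encrypted (think a clear-text recovery area) and still holds a marker."""
    markers = [b"PATIENT RECORD 0001", b"-----BEGIN RSA PRIVATE KEY-----"]
    clean = bytearray(os.urandom(64 * SECTOR))
    clean[5 * SECTOR:6 * SECTOR] = bytes(SECTOR)          # unmapped block reads as zeros: acceptable
    leaky = bytearray(clean)
    leaky[10 * SECTOR:11 * SECTOR] = b"PATIENT RECORD 0001  John Doe  DOB 1970-01-01\n".ljust(SECTOR, b" ")
    return markers, bytes(clean), bytes(leaky)


if __name__ == "__main__":
    markers, clean, leaky = build_sample_images()
    print("clean image:", verify_image(clean, markers, sample_fraction=1.0))
    print("leaky image:", verify_image(leaky, markers, sample_fraction=1.0))
```

The marker check is the stronger of the two: write a few known strings to a scratch file before the erase and search the raw image for them afterwards. The entropy sample is a plausibility check only; it cannot distinguish ciphertext under the old key from ciphertext under the new one, which is exactly why the key-destruction step itself still needs its own evidence from the drive or its management tool.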

Cryptographic Erase vs. Traditional Data Erasure: What’s the Difference?

Not sure which data sanitization method to use? Here’s how cryptographic erase compares to traditional data wiping.

Cryptographic Erase

Cryptographic erase sanitizes data by deleting encryption keys. It’s fast and efficient, but only when used correctly.

👍 Pros:

  • Instant or near-instant sanitization
  • Devices remain usable after operation is complete
  • Ideal for modern drives with built-in encryption
  • Great for repurposing or reselling drives

👎 Cons:

  • Only works on drives whose data was encrypted from the moment it was written (SEDs, or drives where full-disk encryption was enabled before use)
  • Verifying key destruction can be difficult, because the key never leaves the drive and many drives provide no log or attestation of the operation
  • The ciphertext remains on the media, so if any copy of the key survives (a backup header, an escrowed key, a firmware defect) or the algorithm is broken in the future, the data could be recovered
  • A poor implementation can leave gaps, such as an "erase" that only changes the password or removes one copy of the wrapped key while another remains
  • May fall short of compliance requirements where an auditable erasure report is expected and the drive cannot produce one

Traditional Data Erasure

Traditional erasure overwrites every addressable sector of a drive with random data or fixed patterns so that the original content is no longer readable. It doesn't rely on encryption, which makes it more widely applicable. One caveat a practitioner should know: on flash media (SSDs, NVMe) host-side overwrites cannot reach over-provisioned or remapped blocks, which is why NIST SP 800-88 classes plain overwriting of SSDs as Clear rather than Purge and points to the drive's own Sanitize or crypto-erase commands for a full purge.

👍 Pros:

  • Works on any storage the host can write to, encrypted or not (with the flash caveat noted above)
  • Easier to audit and verify, since wiping tools produce per-drive reports and can read sectors back to confirm the pattern
  • Recognized by NIST SP 800-88 and commonly used to meet the disposal requirements of regulations such as GDPR and HIPAA
  • Doesn't depend on encryption or key management
  • Replaces the data itself with patterns, rather than leaving ciphertext on the media as crypto erase does

👎 Cons:

  • Slow: overwriting a multi-terabyte drive can take hours
  • On SSDs and other flash media, host-side overwrites cannot reach over-provisioned or remapped blocks, so the drive's built-in Sanitize or crypto-erase command is still needed for a full purge

Crypto Erase vs. Traditional Data Erasure: Head-to-Head Comparison

  • High security (if implemented correctly): Cryptographic Erase ✔️ | Traditional Data Erasure ✔️
  • Drive reusability: Cryptographic Erase ✔️ | Traditional Data Erasure ✔️
  • Device compatibility: Cryptographic Erase works only on encrypted drives (SEDs, ISE) | Traditional Data Erasure works on any storage media
  • Verifiability: Cryptographic Erase is difficult to confirm (key removal) | Traditional Data Erasure is easy to verify with detailed logs
  • Speed: Cryptographic Erase is instant or near-instant | Traditional Data Erasure can take hours
  • Use Cryptographic Erase when: time is of the essence; encryption is active
  • Use Traditional Data Erasure when: an erasure report is needed; Crypto Erase isn't supported; complete data removal is required

Best Practice: Combine Crypto Erase & Data Erasure for Maximum Security

While cryptographic erase is fast and effective, it doesn't remove the data from the media; it removes the key. If any copy of that key survives, the ciphertext still sitting on the disk becomes readable again. For a solution that leaves nothing to chance, follow cryptographic erasure with a wipe from a trusted data erasure tool.

Here’s how to get the best from both worlds:

  • Start with cryptographic erase to instantly make encrypted data inaccessible
  • Then use BCWipe Total WipeOut to sanitize the entire drive, including:
    • Encryption keys left in unallocated space or temporary storage
    • Cached or residual data in logs, system files or backups
    • Free space on the drive

This layered approach helps you comply with privacy regulations like GDPR and CCPA, while ensuring no recoverable traces of sensitive data are left behind.

If your device doesn’t support cryptographic erase, BCWipe Total WipeOut can also be used on its own to securely wipe the drive.

Is Cryptographic Erase a Secure Option for Data Sanitization?

Crypto erase is a fast and efficient solution, but it must be implemented properly. It relies entirely on encryption, so for it to be effective:

  • All sensitive data must have been encrypted from the moment it was written to the drive
  • Every copy of the key must be securely and permanently destroyed, and the result must be verifiable

Even when carried out correctly, cryptographic erasure leaves the ciphertext on the media; its security rests entirely on the key being gone and the algorithm staying unbroken.

Quantum computing, while not a threat today, could eventually weaken symmetric ciphers: Grover's algorithm would roughly halve the effective key length, leaving AES-128 (the minimum for cryptographic erasure) with about 64 bits of effective security, while AES-256 stays comfortably out of reach. This is the basis of the "harvest now, decrypt later" concern: an adversary images the encrypted media today and attempts to decrypt it once the capability exists.

For peace of mind, especially for highly sensitive or long-retention data, it’s recommended to combine cryptographic erase with an end-of-life wiping solution like BCWipe Total WipeOut to ensure the entire drive is sanitized.

Need help choosing the right method for your organization? Contact our Data Protection Specialist to learn more, or to request a free trial or demo.

Looking for more info? Find out how to securely wipe your Windows 11 computer in our dedicated blog.

Frequently Asked Questions (FAQs)

What is cryptographic erase and how does it work?

Cryptographic erase makes data unrecoverable by deleting the encryption keys used to access it. The data remains on the drive, but without the key, it’s unreadable.

Which devices support cryptographic erase?

Only certain drives, like Self-Encrypting Drives (SEDs) and Instant Secure Erase (ISE)-capable devices, support CE.

What if my device doesn’t support cryptographic erase?

Use BCWipe Total WipeOut to perform a complete drive wipe, even on systems that no longer boot or lack built-in encryption.

Can I generate compliance reports with crypto erase?

Not easily. For audit-ready documentation, combine CE with BCWipe Total WipeOut, which creates verifiable wipe logs.
