This week, I had the chance to experience something that is a rare occurrence: returning a laptop to my employer. Microsoft has been good to me, and I wanted to make sure I properly returned the laptop to them and saved both them and me from hassle.
In this blog post, I will describe a process for properly wiping a laptop of data and making it ready for a new owner. You may also want to use this advice if you plan to sell an old machine to a friend.
Optional Step: Set an Out of Office
If you are leaving a company, set an out of office message on your corporate mail. As a minimum, it should state:
- When your last day is/was
- Who to contact after you leave (your boss, co-workers, etc.)
- Optionally: How to get in touch with you for private matters if your company allows this information to be added.
Step 1: Secure your private stuff
There are typically quite a few things you want to copy out of the machine before you wipe it. These are:
- All private documents (don’t take anything belonging to your company with you!)
- The serial number of any privately purchased software you put on your machine. These are typically available in the “about” box in the menu of the program.
- Registry keys or other settings, if any, that you have manually changed (for example, I set a key to disable CAPS lock on my box and changed a few Windows settings).
If you use Skydrive, GDrive, DropBox, EverNote or other cloud storage systems, it is also a good idea to make sure everything has been synced into the cloud before you proceed.
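As an added example (not part of the original post), the following PowerShell script collects the two things from this step that are easiest to forget: the registry keys you changed by hand and a list of the software installed on the machine, so you know which "about" boxes to check for serial numbers. The backup folder and the list of keys are assumptions for illustration; the Scancode Map key under Keyboard Layout is the usual place a CAPS lock remap is stored, but substitute whatever keys you actually changed.

```powershell
# Added example, not the post's own procedure. Run in an elevated PowerShell.
# Everything is written to a folder you then copy off the machine.
$Backup = Join-Path $env:USERPROFILE 'Desktop\laptop-handback'   # assumed location
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# Keys you customised by hand (assumed list; edit to match your own changes).
# The Keyboard Layout key holds the "Scancode Map" value used for CAPS lock remaps.
$Keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout',
    'HKCU\Control Panel\Desktop'
)
foreach ($k in $Keys) {
    # Turn the key path into a safe file name, e.g. HKCU_Control_Panel_Desktop.reg
    $file = Join-Path $Backup (($k -replace '[\\: ]', '_') + '.reg')
    # reg.exe export writes a .reg file you can double-click to re-import later
    reg.exe export $k $file /y | Out-Null
    Write-Host "Exported $k -> $file"
}

# Record installed software (name, version, publisher) from both the 64-bit
# and 32-bit Uninstall hives, so you can hunt down licence keys before the wipe.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique |
    Export-Csv (Join-Path $Backup 'installed-software.csv') -NoTypeInformation

Write-Host "Backup written to $Backup; copy this folder off the machine before wiping."
```

The .reg exports are plain text, so open them before the wipe and check they contain the values you expect; an empty export usually means the key path was mistyped.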
Step 2: Decrypt drives and wipe TPM chip if used
Modern machines for professional use typically encrypt hard drives using technologies like BitLocker. This encryption may be set up in such a way that even your corporate IT cannot decrypt it. This may prevent the machine from getting a new operating system and a new owner – even AFTER you have wiped all content on it. Because of this, you should decrypt your machine before you wipe the content.
To decrypt a BitLocker-encrypted Windows machine, open "Manage BitLocker" and turn off BitLocker for all drives. This will take some time, depending on the drive size. If there are large files you have already secured or no longer need (for example, your old mail folders), delete them before you decrypt the drive, as this will speed up the process.
Because you are exposing your drive in an unencrypted state for a short period, you should decrypt the machine on a safe site, for example your company’s office location.
Once you have decrypted the drive, you need to turn off the TPM chip, if it was enabled. This makes the machine ready for its next owner, so they can set up their own encryption key for the machine. Turning the TPM chip off is done using tpmadmin.msc from the command line, as documented here: Turn the TPM on or Off.
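The decryption and TPM steps above can also be driven from PowerShell, which is useful because you can watch decryption progress and confirm every volume really is fully decrypted before moving on. The script below is an added example, not part of the original post; it assumes an elevated PowerShell on Windows 8 or later, where the BitLocker and TrustedPlatformModule modules are available. Clear-Tpm resets TPM ownership so the next owner can take it; turning the TPM off entirely is still done in the management console the post refers to.

```powershell
# Added example, not the post's own procedure. Run as Administrator.
Import-Module BitLocker
Import-Module TrustedPlatformModule

# Only touch volumes that still hold encrypted data (this also catches a
# volume whose protection is merely suspended rather than turned off).
$encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
foreach ($v in $encrypted) {
    Write-Host "Turning off BitLocker on $($v.MountPoint) ($($v.VolumeStatus))"
    Disable-BitLocker -MountPoint $v.MountPoint | Out-Null
}

# Disable-BitLocker returns immediately; decryption continues in the
# background. Poll until no volume is left in any state but FullyDecrypted.
do {
    Start-Sleep -Seconds 30
    $pending = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    foreach ($v in $pending) {
        Write-Host ("{0}: {1}, {2}% still encrypted" -f
            $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
    }
} while ($pending)
Write-Host "All volumes are fully decrypted."

# Report TPM state. TpmOwned means the current installation holds the
# owner authorisation; Clear-Tpm hands the chip back in an unowned state.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}; ready: {1}; owned: {2}" -f
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned)
if ($tpm.TpmPresent -and $tpm.TpmOwned) {
    # The firmware may ask for a physical-presence confirmation at next boot.
    Clear-Tpm
}
```

Run this on the safe site mentioned above and keep the machine powered from the wall: the polling loop gives you a clear signal of when the window of unencrypted exposure begins, which is the point from which the laptop should not leave your sight.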
Step 3: Nuke the machine
In this final step you should completely wipe the machine in such a way that all data on it is unrecoverable. Note that simply formatting the drives will NOT make the content unrecoverable. Full removal of the data on the drive is a bit more complicated; if you are interested, you can find more information in this Wikipedia article.
Fortunately, there is military-grade wipe software available for free that allows you to do this: the well-known DBAN (Darik's Boot And Nuke).
WARNING: Before you proceed any further, please understand that the following steps WILL destroy all data on the machine and make it permanently unrecoverable. The process is not reversible! Make sure you have copied everything you need off the machine first.
What you need to do to wipe the machine safely is this:
- Get yourself a cheap USB stick (I found a 4GB stick for 3 GBP)
- Download the Universal USB Installer.
- Download DBAN iso-image (the beta version is fine)
- Using the Universal USB Installer, write DBAN to the USB stick as a bootable image from the ISO file you downloaded.
- Plug in your machine to a wall socket (don’t run it on battery from now on)
- Turn off your machine
- Insert the USB Stick with the DBAN installed on it
- Boot the machine from USB (how to do this varies by hardware vendor, but it should be easy to find documentation on the web). Some machines boot from USB automatically; others will need a simple change in the BIOS.
- Use the DBAN utility to wipe all drives. You can either use the “autonuke” feature which also deletes the USB stick, or you can control the utility manually to wipe each drive. One wipe pass through the drive should be enough for most use cases.
- Once the wipe is complete, reboot the machine. Validate that the machine can no longer start up its original operating system. It should simply give you a message indicating that there is no way to boot it.
- Note that the disk nuke can take a long time. You should probably let the machine run for a couple of hours and go to lunch while you wait for it. Remember to secure the machine while it nukes, since this is the only time it exists in an unencrypted state.
Step 4: Hand the machine back to its new owner
After you have run the nuke, all data on the machine is irrevocably lost. Remember to remove any SD cards, DVD/CD discs or USB sticks from the machine before you hand it back. The machine should now be ready for a new owner, with no trace left of its old owner.