HP remote secure erase

HP Remote Secure Erase (RSE) lets you remotely and securely erase stored data on HP ElitePads. This function erases and overwrites all data on the device. This prevents recovery utilities from "undeleting" data.

RSE works at the BIOS level and uses public and private keys to ensure security. A public key that you generate is inserted into each ElitePad's BIOS. The BIOS uses the public key to authenticate a digitally signed RSE command.

When an ElitePad receives the RSE command, it reboots and begins the storage device's built-in secure erase procedure. There's no way to bypass the RSE process. If a user turns the device off during an RSE, the next time the device is turned on, the RSE begins again. Depending on the storage device manufacturer and model, the secure erase may take seconds or over an hour to complete.

After RSE completes, the drive is left in an unpartitioned state. You'll need to repartition the drive and reinstall an operating system to be able to use the ElitePad once again.

You have to configure secure erase before you can use it.

  1. Use HP's RSE utility to create secure erase public and private keys and the first-time provisioning, re-provisioning, and reset BIOS packages.
  2. Make sure HP's CASL/DASL/BIOS client software and the standard Ivanti agent are installed on ElitePads that you want to be securely erasable.
  3. Manually install the first-time provisioning BIOS package on ElitePads that you want to be securely erasable.

Executing secure erase commands

In the Network view, right-click a supported HP device and click Inspector > Hewlett Packard. If the device hasn't been provisioned, the Secure Erase option is grayed out.

If the device isn't on the local network, the RSE command runs when the device checks in to the core server for commands to execute.

The time to complete an RSE varies based on drive type, model, and manufacturer specifications. It may be seconds or hours. If the user tries to interrupt the process by turning the device off, the RSE will restart from the beginning when the device is turned back on.

HP remote secure erase data in inventory and reporting

In the inventory tree, RSE appears under Hewlett-Packard > Secure Erase. It contains these attributes:

  • Customer name
  • Permanently disabled, which indicates whether HP has disabled RSE support at the factory. Only HP can enable or disable RSE support on a device. RSE support is enabled by default, but if a device was shipped with it disabled, you'll need to return the device to HP if you want them to enable this feature.
  • Public key hash

There's also an "HP Remote Secure Erase Provisioned Status report" that you can run from the reports tool under Standard reports > Vendor. The report shows provisioned devices, key descriptions, public key hashes, and installed versions of the software, including CASL, DASL, and BIOS versions.
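
One way to audit these attributes across a fleet, as an added example that is not part of the product documentation or of HP's or Ivanti's tooling: it reads a CSV export of the Secure Erase inventory data and flags devices that are permanently disabled, not provisioned, or holding a public key hash other than the one you expect. The CSV layout, column header spelling, device names, and the expected hash value are constructed assumptions.

```python
import csv
import io

# Constructed placeholder for the hash of the public key you generated;
# replace with the value shown for a known-good provisioned device.
EXPECTED_KEY_HASH = "a1b2c3d4e5f60718293a4b5c6d7e8f90"

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """Device name,Customer name,Permanently disabled,Public key hash
ELITEPAD-001,Example Corp,No,A1B2C3D4E5F60718293A4B5C6D7E8F90
ELITEPAD-002,Example Corp,No,
ELITEPAD-003,Example Corp,Yes,
ELITEPAD-004,Example Corp,No,ffffffffffffffffffffffffffffffff
ELITEPAD-005,Example Corp,No,a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
"""

def normalize_hash(value):
    """Ignore case and separators so formatting alone never causes a mismatch."""
    value = (value or "").strip().lower()
    return value.replace(":", "").replace("-", "").replace(" ", "")

def is_true(value):
    return (value or "").strip().lower() in {"yes", "true", "1"}

def classify(row, expected_hash):
    # Factory-disabled devices cannot be erased remotely until HP re-enables RSE.
    if is_true(row.get("Permanently disabled")):
        return "PERMANENTLY_DISABLED"
    device_hash = normalize_hash(row.get("Public key hash"))
    # No key hash recorded: the provisioning BIOS package has not been installed.
    if not device_hash:
        return "NOT_PROVISIONED"
    # The BIOS holds a different public key than the one you expect, so
    # commands signed with your private key would not authenticate.
    if device_hash != normalize_hash(expected_hash):
        return "KEY_MISMATCH"
    return "OK"

def audit(csv_text, expected_hash=EXPECTED_KEY_HASH):
    """Return {device name: status} for every row in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Device name"]: classify(row, expected_hash) for row in reader}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_EXPORT).items():
        print(f"{device}: {status}")
```

Any status other than OK identifies a device that could not be wiped with your current key pair if it were lost today.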