Lenovo ThinkShield P-Series Secure Wipe on Workstation User Guide

ThinkShield P-Series Secure Wipe on Workstation
User Guide Lenovo ThinkShield Secure Wipe on Workstation
ThinkStation: PX-P7-P5-P3-P360-P358-P350
ThinkPad P-Series Workstations

Overview

The purpose of this document is to provide guidelines for users on how to securely erase SATA and M.2 drives in select Lenovo ThinkStations and ThinkPads using the built-in ThinkShield Secure Wipe feature. Secure Wipe is available for drives utilizing the onboard controller. Secure Wipe for drives utilizing external controllers is not currently supported.
Some last generation and legacy ThinkStation platforms utilize Secure Erase instead of Secure Wipe. For more information on that feature, please see the ThinkStation Secure Erase whitepaper.

Section 1 – Prepare Drive(s) for Secure Wipe

The following instructions will cover the steps required to use ThinkStation BIOS to securely erase SATA HDD/SSD and M.2 NVMe drives.
To avoid erasing incorrect drives, Lenovo recommends users remove any drives not targeted for erasure to ensure only the intended drive is erased. If the user does not wish to remove any drives from the system, it is highly recommended to externally back up data from non-targeted drives to avoid accidental loss of data.
The ThinkShield Secure Wipe feature works best when erasing single drives rather than an entire RAID array or its members sequentially. It is recommended to switch the system’s storage setting to AHCI and erase each drive individually.
Magnetic rotating drives will take significantly longer to erase compared to M.2 and SSD drives due to the nature of the older technology. Using legacy erasure methods may also increase the process duration for any drive type.
Large capacity HDDs may take hours to complete, and the system cannot be used while the process is occurring.

1. With the target drive connected to the system, power on the system and press “F1” at the Lenovo splash screen to enter the BIOS setup. Navigate to the “Devices” tab and select the “Storage Setup”. This may appear as “ATA Drive Setup” on some systems. Press enter.
2. Make sure the “Configure SATA as” option is set to “AHCI”.
3. Some platforms’ RAID options may be listed under Advanced→”Intel® VROC SATA Controller” (for SATA RAID) or “Intel® Virtual RAID on CPU” (for M.2 NVMe VMD RAID). These titles may vary by platform. RAID arrays can be deconstructed in these menus.
4. For all systems, to perform Secure Wipe, a password must be assigned to the drive. If a password is not assigned now, the user will be prompted later in the Secure Wipe process to assign one. To do this, navigate to Security→Hard Disk Password. Highlight “SATA Drive # Password” or “M.2 Drive # Password” and press enter.
5. A “Setup Confirmation” box will appear. Select “User” or “Single Password” and press enter. The dual password option may also be selected, however only the single user password is required for the Secure Wipe feature.
6. Choose a simple, temporary password and confirm it. Write down this password as it will be needed later. Select “Yes” to continue. This password will also be erased alongside all data on the drive.
7. A “Setup Notice” box will be prompted, displaying that the changes have been saved. Press “Continue”.
8. At this point, the system needs to be rebooted for the changes to take effect. Press “F10” function key to save and exit the BIOS setup.
9. Once the system starts to reboot, press “F1” at Lenovo splash screen to enter the BIOS setup again. If the system prompts to enter the “Hard Disk Password”, enter the assigned password.

Section 2 – Secure Wipe on ThinkStation

This section covers performing the Secure Wipe function for ThinkStation. The tables below list methods found on most systems. Some methods may appear/disappear depending on system model, drive type, and RAID status.
Secure Wipe is available for drives utilizing the onboard controller. Secure Wipe for drives utilizing external controllers is not currently supported.

way.
ATA Cryptographic KeyReset| For Full Disk Encrypted drives only. This method resets the internal encryption key, making the drive data completely unreadable.

Legacy Methods – These methods are not guaranteed to fully erase a modern hard drive.
Legacy Erase Method
US DoD 5220.22-M
Single Pass Zeros
US Navy & Air Force
CSE Canada ITSG-06 (Unclassified)
British HMG Infosec Standard 5, Enhanced
German VSITR
Russian GOST P50739-95 Level 1
Russian GOST P50739-95 Level 4
RCMP TSSIT OPS-II

1. Enter BIOS and navigate to “Secure Wipe” under the Security tab. Set to “Enabled”. Press F10 to save the setting and reboot the system.
2. On the Lenovo splash screen, press F12 to enter the Boot Menu. Navigate to the App Menu and select “ThinkShield secure wipe”.
3. ThinkShield will load and list available drives in the system that can be wiped. Click “NEXT” to proceed.
4. Select the preferred erasure method. “ATA Secure Erase” will be used in this example. Click “NEXT”.
5. This is the final warning to the user that all data will be erased. Once acknowledged, click “OK”.
6. If the user forgot to assign a password on the drive, ThinkShield will prompt at this step to assign one to the drive.
7. The wiping process will now start. Once concluded the system will need to be rebooted. The temporary password set on the drive is now erased. Once the reboot is concluded, the system can be powered down, and the drive can safely be removed from the system. Repeat the process for any additional drives that might need to be securely wiped.

Section 4 – Secure Wipe on ThinkPad

The following instructions will cover the steps required to use ThinkShield feature in ThinkPad BIOS to securely erase storage drives.

1. Boot into BIOS by pressing function “F1” key at the Lenovo splash screen.

2. Once inside the BIOS setup, navigate to the “Security” menu and select “ThinkShield secure wipe”.

3. Confirm the “ThinkShield secure wipe in App Menu” is set to enabled.

4. Save and exit the BIOS setup by pressing the “F10” function key.
   On reboot, load the “Boot Menu” by pressing the “F12” function key at the Lenovo splash screen. Tab over to the “App Menu” and select “ThinkShield secure wipe” option.

5. Select the storage device to be erased and press “Next”.

6. Select an appropriate method from the dropdown menu to securely erase the chosen drive and press “Next”. “ATA Secure Erase” will be used in this example.

7. A warning will appear to confirm if the user wants to continue with the secure erase process. Select “Yes” to proceed.

8. A progress window will appear displaying the data wiping process. Do not power off until the process is complete.

9. On completion of the process, a confirmation message will be displayed. At this time, drives are wiped successfully, and the system should be rebooted for the changes to take effect. Select “Reboot”.

10. At this point, the erase procedure is complete. The temporary password on the drive is now erased. Repeat the process for any additional drives that might need to be securely erased.

Section 5 – Revision History

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>