• sleepundertheleaves@infosec.pub
    2 hours ago

    The P35S needs to be connected to a computer with a USB-C cable, and that button functions as a two-stage sliding switch. Sliding it to the first stage, partially revealing a red warning sign, requires a bit of force. Pushing it to the second stage, which starts the self-destruction, requires even more force.

    Once the self-destruction is started it will continue until the drive is blanked and dead, even if it’s disconnected from a computer.

    So the drive can’t start wiping itself unless it’s plugged in, but it’ll wipe itself completely even if someone detains you and takes the drive and your computer, as long as you have time to hit the button.

    Initially I thought this was silly for the same reasons you did, but consider: if you’re using proper encryption it’s going to be difficult or impossible to decrypt the files on the drive, so the data should be secure even if the drive is stolen, copied, etc.

    However, when you’re actively using the drive and have files decrypted, and then you lose physical access to your devices, you have a problem. IIRC that’s how they got Ross Ulbricht’s files - monitored him until he unlocked his laptop in a cafe and then grabbed it (and him). If you’re worried about that specific threat profile it makes a little more sense to have an easily accessible physical DELETE EVERYTHING NOW button that only operates when the drive is running.

    Though honestly I think this is security theater to make upper management feel like James Bond when giving PowerPoint presentations to external stakeholders, and in that case you want to minimize the possibility of accidental data wiping because the chance you’ll need to deliberately wipe the data is almost zero 😆

    (And that being said I don’t see anything in the user manual explicitly stating “the delete button only works if the drive is connected to a computer”, and that seems like a VERY IMPORTANT piece of information to share, so I suspect the delete button does work at all times and the article made a mistake. Shrug 😆)

    • Seefra 1@lemmy.zip
      6 minutes ago

      if you’re using proper encryption it’s going to be difficult or impossible to decrypt the files on the drive, so the data should be secure even if the drive is stolen, copied, etc.

      Encryption should always be the last line of defence; encryption that is unbreakable today may be trivially broken tomorrow. Which is why I still prefer to overwrite drives with random data instead of just trusting the sanitise command (even though I know that a big chunk of the data stays unoverwritten as part of the drive’s “provisional area”).

      (Which raises another issue: “deleting” a LUKS keyslot or the whole header doesn’t actually guarantee it’s deleted; it may have just been moved to the provisional area. So if a key is somehow compromised it becomes necessary to physically destroy the drive.)

      However, when you’re actively using the drive and have files decrypted, and then you lose physical access to your devices, you have a problem. IIRC that’s how they got Ross Ulbricht’s files - monitored him until he unlocked his laptop in a cafe and then grabbed it (and him). If you’re worried about that specific threat profile it makes a little more sense to have an easily accessible physical DELETE EVERYTHING NOW button that only operates when the drive is running.

      In that case I’d rather use something that will reboot the computer and shred the RAM, as it would serve the same purpose with the bonus that contents also can’t be recovered from RAM. Something like a USB drive with a string wrapped around the wrist.

      Now, in the situation that the keys have leaked somehow (like recording the keyboard from afar while the user types the passphrase), the self-erasing hard drive makes a lot more sense, assuming the user has time to trigger the mechanism.

      Now the issue is that overwriting even a fast SSD takes time, so I’m assuming the device works by destroying or erasing a security chip that holds the keys for the main storage; however, the data is still there if the adversary cuts the power before the whole drive is overwritten. Ofc encrypted, but like I said before, encryption may be broken tomorrow. A physical or chemical solution that grinds or dissolves the chip somehow seems to me a better option, with the bonus that it can be made to work without electricity.