[Cryptography] Magnetic media destruction question
Kent Borg
kentborg at borg.org
Tue Jan 13 18:00:49 EST 2026
On 1/13/26 2:14 PM, Jerry Leichter wrote:
> The details have no doubt changed, but in Google datacenters 15 years ago or so, the process was:
>
> - Every new disk entering the data center is given a unique identifier, visible on the outside.
> - The life history of every disk in the data center is tracked - where it goes, what it's used for, and ultimately when it dies.
> - No disk that ever entered the data center as a functioning device ever leaves except as destroyed material.
>
> I don't recall the exact mechanism used for destruction, but it was quite violent and didn't, as far as we could tell, leave anything recoverable behind.
>
> All potentially sensitive data (probably all data) was also encrypted before being written, but for stuff actually leaving the data center, physical destruction was the name of the game.
I was wondering about that.
Google, Amazon, Meta, Microsoft, etc. ... they each must go through a large
number of disks, it would make sense they set up a good destruction
procedure. (Which I guess means MS maybe doesn't bother, the same way
they sometimes don't bother to expire keys, etc.)
How would I go about it? First, delete encryption keys.
But how to do physical destruction? I suppose grind them up into little
pieces. Isn't there a virtuous cycle here? Extra small naturally means
considerable heating, which has its own destructive value.
There must be existing industrial equipment that can easily cut
electronics into barely identifiable fine gravel, and different
industrial equipment that can turn such gravel into a powder. Good
enough for me. Would actually be kind of fun to be put on the task of
figuring it out. There is certainly mining equipment that could do it,
but it might all be on too large a scale. Maybe materials science labs
have equipment on a more suited scale.
That's a question: How much storage equipment does a typical data
warehouse site need to dispose of in a week?
And now that unique identifier seems particularly important—too easy to
fail to remove some storage component, but if the purpose isn't to
"remove" but to "recover" then any missing components means keep
disassembling, until they are all accounted for.
I wonder whether they even bother to replace failed components, or
whether a bad SSD or spinning rust is taken to indicate that whole
box/sled is too iffy to bother with, decommission the larger part. Very
interesting economic tradeoff questions operating at such scales.
-kb