Sstrhsrtj

I'm not sure if it's even feasible, but I have a server farm in my book, of a size that puts it on par with Google's. I want to wipe out all the data stored on the hard drives, without destroying the servers themselves, most likely using an EMP device. This is assuming the device is within the farm itself, basically an emergency wipe.

An example data center is Pryor Creek (Mayes County), Oklahoma , 980,000 square feet. Google, for security purposes, doesn't release a lot of data. Let's say at least a few hundred thousand servers, as that matches what I have in my book.

If this is possible:

1. What sized capacitors would it need? How long would it take to charge said capacitors?


2. What are we looking at for coils? I've read 10-12 coils of copper tubing would create a rather massive field.

If it is not possible, I'd have basically the same questions, but for destroying the server farm. I'd prefer to leave the hardware intact, but can live with it if not.

Another idea beyond EMP would be welcome, as well, if an EMP device were not feasible. If this is the case, it would have to be something that is hidden from all the techs working on the farm, installed in secret by an extremely small team in the case of emergencies.

Effectively, the owner(s) want a secure way to instantaneously wipe every bit of data stored on the server, hardware based and in no way connected to the system. A kill switch. Better if they could kill it without destroying a farm's worth of servers.

An EMP is probably not the right mechanism here - it will almost certainly result in large amounts of the precious smoke escaping from the sensitive electronics in the servers (and drives) but assuming it's a typical google data center then the bulk of the data is going to be stored on spinning rust and therefore will likely survive. It will be difficult, expensive and time consuming to recover since you'll need specialist forensics experts working on it though so this might be "good enough" for your purposes.

What you want is a pulse degausser - basically these create a rapidly alternating, incredibly powerful magnetic field that demagnetizes the drive platters rendering it an unrecoverable paperweight. The drives will have to be replaced afterwards (technically the manufacturer could recreate the servo track to make the drive re-usable but it's probably be cheaper just to buy new drives!) but the majority of the other components should survive. This though does have the opposite problem to the EMP idea - SSD drives and other flash-storage technology will shrug it off so you'll need to have an alternative strategy in place for those.

If we're into the realms of money being no object then a bespoke setup where each SSD was mounted in a modified version of a crusher like this would do the job - again the drives will be toast but there's very few other ways to destroy an SSD securely in rapid fashion, and 9 secs is going to take some serious beating.

Edit: Just seen an update from the OP on criteria.

What I'm looking for is a hardware based solution to wiping out all the hard drives that's not likely to be detected by people working on the hardware. Software could, and would in the context of the story, be found and purged.

If secrecy surrounding at least the existence of the "fail safe" hardware prior to the "wipe" is required then the degausser option would still work - build it into the frame of the racking, sure it'll look a bit more robust than your average server rack but the owners could fob any questions off as it being for "Earthquake hardening" or something. Obviously post-wipe anyone with access to the drives is going to know what happened - a complete lack of data and the telltale demise of the servo track is a dead give away that the drive has been degaussed.

It does make any SSD drives more difficult to deal with though - crusher devices aren't exactly svelte and most techs are going to wonder why the "drive enclosure" for each SSD drive is a 12" or so tall. So for this I'd suggest a slightly different approach:

Have all data on the SSD drives be encrypted with something along the lines of AES, keep the key for that encryption on a separate drive that you keep out of the path of the day to day techs that is located in a crusher. When the fail safe is triggered you have key drive crushed at the same time as terminating power to any systems with the key in memory.

With the key gone the SSDs are left perfectly intact (saves on your BCDR budget a little bit :P ) but the data is, to all intents and purposes lost.

If you're wanting to use the EMP for The Rule of Cool you could have that take out the systems that have the key in memory if you want :)

It isn't only a question of how big, but a question of where. EMP on the data bus is a different beast from EMP in the power supply, which is a different beast from a simple EMP generator within the room but not connected to anything.

Case 1: EMP in the data buses

The most difficult to create, but also the most devastating. You are supplying a high voltage in the cables through which the data passes. Assuming no intermediate devices burn out, your EMP will make it all the way to the storage drives and work their damage there. No guarantees that nothing can be recovered by forensic examination of the disks, but the disks themselves will be unusable.

Getting a high voltage pulse into those cables is near impossible, unless you have physical access to them, as the cables are shielded against EMP for precisely this reason. If you do have physical access, introducing malware or something similar is a better way to do things. If you're a three-letter agency, for instance, you'll find it more rewarding to spy on people's data, rather than deleting it.

Case 2: EMP in the power supply

By far easier than case 1 and far more likely to happen, given exposed transmission lines. Except that any data centre will have decoupling and power conditioning systems before the power supply gets anywhere near the data, to ensure no unwanted spikes or dips get through. Unless you're actually inside the data centre,or better yet, inside the actual server room, in case they have a final redundant decoupling system, you're not likely to do much damage.

Assuming everything goes your way, and you do successfully set off an EMP after bypassing all the protections, you'll destroy the servers, but probably not most of the data. They will need forensics to recover it, but it can be recovered. The electronics will be slagged, however, so the servers will probably be unusable.

Case 3: EMP inside the server room

Comparatively, the easiest way to cause some damage, but overall likelihood of causing less damage than a successful attempt at Case 1 or 2. Your EMP will weaken with the square of distance, so a million volts or so will be needed to get the whole room, given that the server enclosures will act as Faraday cages and protect their insides. With less voltage, you'll destroy everything nearby, with damage tapering off as you go further from ground zero. This depends on the geometry of the room and the kind of earthing in place. A rectangular room will take less damage than a square room; an L-shape will take less damage, unless the EMP goes off in the crook of the L.

Small and easy!

Every piece of data stored in Google is actually split into multiple chunks. Each chunk is encrypted using a different key!

That's a lot of keys? How are they managed? Well, there are Key management servers that take all those keys and encrypt them to ensure they are safe. Of course the keys used to encrypt these keys also need to be encrypted. This goes until you get to the Root KMS key. This key exists on only a few machines in the datacenter... and if you can take all of these out (keep in mind, resiliency is built in by design) then nobody can decrypt any keys underneath it! All the data is still there, but meaningless and lost forever. This is similar to @nzaman's thinking, but already done, only requires impacting a few machines rather than every machine.

So it's not the size of the bomb, but the location(s) that makes all the difference.

https://cloud.google.com/security/encryption-at-rest/default-encryption/

Or is it?

Google isn't silly enough to trust all its keys to a single data center. There is always a risk that some massive power outage etc. would compromise the keys (stored in memory only) and losing that data would be disastrous. So there are two fail safes:

The Root KMS Master Key Distributor, essentially a P2P backup with other datacenters:

Root KMS in turn has its own root key, called the root KMS master key, which is also AES2564 and is stored in a peer-to-peer infrastructure, the root KMS master key distributor, which replicates these keys globally. The root KMS master key distributor only holds the keys in RAM on the same dedicated machines as Root KMS

And the Safes:

To address the scenario where all instances of the root KMS master key distributor restart simultaneously, the root KMS master key is also backed up on secure hardware devices stored in physical safes in highly secured areas in two physically separated, global Google locations. This backup would be needed only if all distributor instances were to go down at once; for example, in a global restart. Fewer than 20 Google employees are able to access these safes.

Now whether or not these backup strategies exist in your world, or can be avoided through other means (e.g. more than one 'bomb') is entirely up to your world-building.

As others discuss, EMP will damage the machines that access the data, but not the data. You mention that your forces are owners or insiders, who can alter the design to suit, but need to conceal it from line staff who work there. I cannot see a non-detectable way to wipe the software without damaging your hardware. If you use internal malware, and even one backup survives, you are exposed. But to an evil genius, hardware is cheap. Let insurance buy you new hardware and that opens you up to many options. For instnace

Plain old fire

Burn the place to the ground. Simple as that. Build the place out of materials that'll squeak by the fire codes, but then store things in there that will subtly add to and sustain the conflagration. By "subtle" I mean that what fuels office building fires is the office trim and file cabinets full of paper. The trim can be made endothermic, the paper cannot. What's ironic about 9/11 is the jet fuel flashed off quickly, the paper sustained the fire.

Likewise, start the fire with liquid or gaseous fuel and let the paper finish the job. Of course you'd need to either damage the sprinkler system or subvert it to your purposes. Also strive to use more burnable materials where excusable, such as you will want servers with plastic cases, and SSD rather than HDD.

Lastly you'll want what steel mills and refineries actually do need: fire-truck-proof gates. Those industries don't want the F.D. yokels charging in and throwing a water hose on a hot metal bottle or sodium fire. In your case you are worried about terror attacks, or some other thing. And make sure to have onsite security doors which get F.D. Approval, but then frustrate their entry. Just build your building to make it hard to fight fires in, so they switch to 'let it burn out' and containment.

Locating in an unfinished nuclear reactor would be a fun way to do it.