Swapping out locks on a GSA security container

  • Tue 18 February 2020
  • misc

In the DC area, surplus Class 5 and 6 GSA security containers are often available through the usual channels (DRMO, craigslist, etc). They're great for storing things like hard drives waiting to go to get destroyed, laptops with your CA on them, trays of expensive RAM sticks, handguns, etc. The correct search term, like so many things, is to go for the brand name - "Mosler" and to a lesser extent "Diebold" will minimize irrelevant hits.

They're not quite as beefy as something like a gun safe but are entirely up to the task of securing most things against unauthorized access. After all, Uncle Sam trusts them for storing classified documents, right? They have the added benefit of not being a fire safe, so you won't have humidity issues.

Back in the day, these came with Group 1R combination locks on them. The 1 means tight tolerances, don't want to be off by even a half digit. The R is for "resistant to radiological attack". In practice this means plastic combination wheels so that x-raying the safe is a non-starter.

In 1991, Mas-Hamilton (now part of Kaba-Mas) in collaboration with IBM released the X-07 combination lock, the first electronic lock certified by the feds for protecting top secret information. It was succeeded by the X-08, X-09, and today the X-10 which is current manufacture and the only model which is not EOL.

Why an electronic lock? In the mid 80s, with the advent of small computers, it was apparent to people in the security business that devices which would automatically dial all possible combinations in a 3-wheel mechanical combination lock (a bit less than 100^3 or one million) would become increasingly available, particular among the usual gang of spooks. Today, they are a popular Maker project. An electronic lock can take countermeasures against such robots via countermeasures such as going to sleep for an interval after a certain number of bad combinations, imposing speed limits, and randomizing the start point for each digit so that the spindle position no longer corresponds to a number, in absolute terms.

Like any electronic device, these were not without their bugs. I was bitten last summer by my X-07 exhibiting the bit flip behavior for which they're known. I had to "neutralize" the container (that's Navy-speak for using power tools to cut the bolts on the control drawer so you can open it). I was able to find a damaged safe with a good control drawer for a good deal via a friend, so that's the route I took rather than paying a locksmith to drill the lock out.

PTI (the Public Technical Identifiers arm of ICANN, the group that among other things maintains the DNS root and by extension the DNSSEC trust anchor) was recently bitten by a problem with their X-09 locks, ironically on the exact day an upgrade was planned.

My problem last summer was enough to force a reconsideration of my threat model. What are my real risks? Big surprise - they don't involve nation-state actors. They also don't involve Lock Picking Lawyer (who astute fans will point out isn't a safe lock guy) or Bosnian Bill. What are my threats then? Common house burglars I guess... but how about "went 15 years without maintenance" as an ingredient in the threat model? It seems that I should prioritize reliability over absolute level of security.

It became clear to me that a less-precise but still reasonably secure safe lock was the answer. Group 2 combination locks fill this requirement and have the added advantage of being reasonably inexpensive. I don't care that the container is technically no longer GSA certified - in fact the black-label security containers like the ones I have are no longer GSA certified anyway - only the current manufacture red-label ones are.

With that as background, here's the BOM for my conversion:

You can get either a spy-proof or a non-spy-proof (front reading) dial. The SG6730-200 is the more expensive one (at $116.24) with the spy-proof dial. You want the spy-proof dial because you read it from the top rather than from the front, and so it is more convenient in applications where you’re looking down on it from above… like a two drawer file cabinet.


Order two extra spline keys. You’re not supposed to reuse them, and you may have to take things back apart again to get it “just so”. At a buck thirty four apiece it’s cheap insurance.

Extra Spline Keys

You need a Mosler style replacement lock bolt for the S&G lock. If $61 seems too expensive to you and you know someone with a milling machine that can take off 0.100 inches from the face of the bolt so it will retract flush with the body - that works too. I would have considered layout dye or a sharpie and a grinder or file if I didn't know someone who could do this for me. The length dimension is not critical; it just needs to be "approximately flush".

Mosler-spec flush retracting bolt

Lastly (and it’s a little frustrating that this isn’t an item on the web site), there are two lengths of screws that can be used to mount these locks - the short ones pretreated with threadlocker and the long ones. Used to be that both flavors came in the box with the lock. Now only the long ones do. You need the short ones. You can call the people at the vendor and see if you can get the short ones. You can also grind/cut/whatever the long ones you've got. The "long" flavor is 0.405" thread / 0.575" overall length. while the short flavor is 0.261" thread / 0.454" overall length. The screws that were used to mount a Kaba-Mas X-series lock are not suitable for use with an S&G lock.

YouTube video on how to install them.

They are DEATHLY SERIOUS about not sticking the change key in with the back off the lock. I’ve done it, I’ve messed the lock up, and I’ve managed to set it straight again, but I was hating life for a while there.