Securely Erasing a Disk
Here are some tools and methods to wipe a disk securely.
Tools
dd
Write zeros or pseudorandom data:
# dd if=/dev/zero of=/dev/sda bs=4K status=progress
# dd if=/dev/urandom of=/dev/sda bs=4K status=progress
dcfldd
dcfldd is based on an old version of dd and has some extra features. It hasn't been updated since 2006. If you only want to write a bit pattern, also look at badblocks.
You can specify a bit pattern:
# dcfldd pattern="00" of=/dev/sda
# dcfldd pattern="FF" of=/dev/sda
shred
Shred comes as part of coreutils. It will overwrite a file (or a device, as below) with random data.
# shred /dev/sda
badblocks
Badblocks can be used to write to and verify a storage device.
# badblocks -v -w -s -b 4096 -t 0xff /dev/sda
Options are:
-v: verbose
-w: write
-s: show progress
-b: block size
-t: test pattern
ATA Secure Erase
Modern ATA devices support a security feature which allows the firmware to initiate a security erase. Depending on the manufacturer and type of media, an ATA secure erase may wipe the entire device or wipe only the encryption key, rendering the data unusable as it can no longer be decrypted. For SSDs, both security erase and enhanced security erase will overwrite the encryption key, and this is the ideal way to wipe an SSD without inducing unnecessary wear.
The following output from a hdparm -I /dev/sdX command on an SSD shows that both a security erase and an enhanced security erase will take 2 minutes.
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
An enhanced secure erase will overwrite the entire disk several times with a distinct bit pattern including reallocated sectors that have previously triggered an I/O error. However, I have a Hitachi 3TB disk which reports a 508+ minute security erase but only a 2 minute enhanced security erase which suggests an enhanced security erase doesn't overwrite the entire drive for this model.
more than 508min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Doing the erasure
An ATA secure erase can be accomplished with hdparm.
- Ensure the device is not frozen. If it is frozen, as is the case below, either restart the computer or power cycle the disk (via hibernation or something).
# hdparm -I /dev/sda
...
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
928min for SECURITY ERASE UNIT. 928min for ENHANCED SECURITY ERASE UNIT.
You can only proceed if you see 'not frozen' like below:
# hdparm -I /dev/sda
...
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
928min for SECURITY ERASE UNIT. 928min for ENHANCED SECURITY ERASE UNIT.
- Enable security using hdparm.
# hdparm --user-master u --security-set-pass password /dev/sda
If you get an error like the following, then you're possibly in a frozen state and need to power-cycle the hard drive.
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- Verify security is enabled. It should say "Security level high".
# hdparm -I /dev/sda
...
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
928min for SECURITY ERASE UNIT. 928min for ENHANCED SECURITY ERASE UNIT.
- Issue the ATA secure erase command. Use --security-erase-enhanced. The hard drive will stop responding until the erase command completes. You may interrupt the operation by powering off the drive midway through, but the drive will not be completely erased and may remain in a high security level.
# hdparm --user-master u --security-erase password /dev/sda
- Once erased, security should be automatically disabled.
# hdparm -I /dev/sda
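Before issuing the erase it helps to check the Security: section mechanically rather than by eye. The shell helper below is an added example, not part of this page or of hdparm: it reads hdparm -I output from stdin, reports whether the drive is frozen, unsupported, waiting for a password or ready, and pulls out the erase time the drive reports. The function names and the two sample outputs (modelled on the ones above) are constructed.

```shell
# Added helper (not hdparm's own code); the sample outputs below are constructed.

# Prints one word for the drive state, reading hdparm -I output from stdin:
#   frozen         - power cycle the drive first
#   unsupported    - no ATA security feature set
#   needs-password - run --security-set-pass before erasing
#   ready          - security enabled, the erase command may be issued
security_state() {
    # Keep only the Security: section and strip leading whitespace.
    sec=$(sed -n '/^[[:space:]]*Security:/,$p' | sed 's/^[[:space:]]*//')
    if printf '%s\n' "$sec" | grep -qx 'frozen'; then echo frozen
    elif ! printf '%s\n' "$sec" | grep -qx 'supported'; then echo unsupported
    elif printf '%s\n' "$sec" | grep -qx 'enabled'; then echo ready
    else echo needs-password
    fi
}

# Prints the minutes the drive reports for a "normal" or "enhanced" erase.
erase_minutes() {
    if [ "$1" = enhanced ]; then pat='ENHANCED SECURITY ERASE UNIT'
    else pat='SECURITY ERASE UNIT'; fi
    # Prepend a space so the number is always preceded by a non-digit.
    sed 's/^/ /' | sed -n "s/.*[^0-9]\([0-9][0-9]*\)min for $pat.*/\1/p"
}

# Constructed sample in the shape of the page's output: a frozen drive.
FROZEN_SAMPLE='Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
928min for SECURITY ERASE UNIT. 928min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: password set, not frozen, ready to erase.
READY_SAMPLE='Security:
supported
enabled
not locked
not frozen
supported: enhanced erase
Security level high
more than 508min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

printf '%s\n' "$FROZEN_SAMPLE" | security_state           # frozen
printf '%s\n' "$READY_SAMPLE" | security_state            # ready
printf '%s\n' "$READY_SAMPLE" | erase_minutes enhanced    # 2
```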
DBAN
Darik's Boot and Nuke is a live disk which will automatically wipe any connected storage devices. It doesn't appear to be updated anymore, so newer hardware might not be supported.
DBAN supports the following wipe methods:
- Quick Erase
- Canadian RCMP TSSIT OPS-II Standard Wipe
- American DoD 5220-22.M Standard Wipe
- Gutmann Wipe
- PRNG Stream Wipe
Methods
Here are some common wipe methods explained.
DoD 5220.22-M (C)
The DoD 5220.22-M (C) requires overwriting an entire device with a pseudo-random bit pattern once.
DoD 5220.22-M (E)
The DoD 5220.22-M (E) standard, also referred to as the DoD 3-pass method, requires the following:
- Overwrite with binary 0's
- Overwrite with binary 1's
- Overwrite with a random bit pattern
DoD 5220.22-M ECE
DoD 5220.22-M ECE combines DoD 5220.22-M E, C, and E to form a 7-pass variant.
Canadian RCMP TSSIT OPS-II
The Canadian RCMP TSSIT OPS-II wipe method is a 7-pass process:
- Overwrite with binary 0's
- Overwrite with binary 1's
- Overwrite with binary 0's
- Overwrite with binary 1's
- Overwrite with binary 0's
- Overwrite with binary 1's
- Overwrite with a random bit pattern and verify the write
Gutmann
For the overly paranoid, the Gutmann method uses 35 passes of pseudo-random data and fixed bit patterns to wipe a device. It assumes that intelligence agencies can somehow recover previous bit values using magnetic force microscopy and image analysis.
See: https://en.wikipedia.org/wiki/Gutmann_method
Schneier
A 7-pass method by Bruce Schneier.
- Overwrite with binary 1's
- Overwrite with binary 0's
- Overwrite with a random bit pattern
- Overwrite with a random bit pattern
- Overwrite with a random bit pattern
- Overwrite with a random bit pattern
- Overwrite with a random bit pattern
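The pass schedules above, implemented in shell with dd as an added example that is not part of the original page: each fixed-pattern pass is verified by counting bytes that differ from the pattern, and the DoD 3-pass, RCMP OPS-II and Schneier schedules are run against a constructed 1 MiB scratch file standing in for the device. The function names, the scratch image path and the assumption that the image size is a multiple of 4096 bytes are mine, not the page's.

```shell
# Added example, not from the original page. Operates on a scratch file; the
# constructed image below stands in for the device (dd writes stop at end of device).
BS=4096

# One pass of PATTERN (00, FF or random) over TARGET, then verify the pass.
wipe_pass() {
    target=$1; pattern=$2
    blocks=$(( $(wc -c < "$target") / BS ))      # assumes size is a multiple of BS
    case $pattern in
        00)     dd if=/dev/zero of="$target" bs=$BS count=$blocks 2>/dev/null
                [ "$(count_not_byte "$target" '\000')" -eq 0 ] ;;
        FF)     dd if=/dev/zero bs=$BS count=$blocks 2>/dev/null | tr '\0' '\377' > "$target"
                [ "$(count_not_byte "$target" '\377')" -eq 0 ] ;;
        random) dd if=/dev/urandom of="$target" bs=$BS count=$blocks 2>/dev/null
                # A random pass cannot be replayed without the stream that was
                # written, so check that the previous fixed patterns are gone.
                [ "$(count_not_byte "$target" '\000')" -gt 0 ] &&
                [ "$(count_not_byte "$target" '\377')" -gt 0 ] ;;
        *)      echo "unknown pattern $pattern" >&2; return 2 ;;
    esac
}

# Number of bytes in TARGET that are not the given octal byte, e.g. '\377'.
count_not_byte() { echo $(( $(tr -d "$2" < "$1" | wc -c) )); }

run_passes() { t=$1; shift; for p in "$@"; do wipe_pass "$t" "$p" || return 1; done; }
dod_3pass() { run_passes "$1" 00 FF random; }                              # DoD 5220.22-M (E)
rcmp_ops2() { run_passes "$1" 00 FF 00 FF 00 FF random; }                  # RCMP TSSIT OPS-II
schneier()  { run_passes "$1" FF 00 random random random random random; }  # Schneier

# Constructed 1 MiB scratch image standing in for the device.
IMG=${TMPDIR:-/tmp}/wipe-demo.img
dd if=/dev/zero of="$IMG" bs=$BS count=256 2>/dev/null
dod_3pass "$IMG" && echo "DoD 3-pass complete and verified on $IMG"
```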