ATA Secure Erase (SE) and hdparm
Posted on Di 01 Mai 2012 in Notebook
Warning
The instructions below will irretrievably destroy data. Moreover, as the hdparm manpage explains, "these switches are DANGEROUS to experiment with, and might not work with every kernel. USE AT YOUR OWN RISK."
Explanation
According to National Institute of Standards and Technology (NIST) Special Publication 800-88: Guidelines for Media Sanitization, Secure Erase is "An overwrite technology using firmware based process to overwrite a hard drive. Is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure." The guidelines also state that "degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging."
Benefits
- Can quickly and securely wipe most PATA/SATA hard drives manufactured this century
- Reportedly restores peak performance to SSD drives (though SE fails to securely wipe some SSDs)
- hdparm/Linux offers much better hardware support than HDDErase/MS-DOS
- Overwrites blocks marked as bad by the hard drive (which DBAN and similar tools ignore)
Suggestions
Boot from RIP Linux or any distro which includes hdparm 9.31 or greater (prior versions would timeout after 2 hours, leaving the disk only partially erased) If you must use a version prior to 9.31, you'll want to increase the timeout by changing const int timeout_2hrs = (2 x 60 x 60); in the source code to something like const int timeout_6hrs = (6 x 60x 60); and recompiling, as explained by KnifeWrench. - Connect drive directly to PATA/SATA interface; do not use USB, Firewire, etc - Do not have any other drives connected other than the one you want to wipe For the truly paranoid: - Wipe drive with ATA Secure Erase - Follow with block erase wiping tool (DBAN, etc) - Physically destroy drive
Directions
If drive is frozen, unfreeze
$ sudo hdparm -I /dev/sdx Security: Master password revision code = 65534 supported not enabled not locked frozen not expired: security count supported: enhanced erase 168min for SECURITY ERASE UNIT. 168min for ENHANCED SECURITY ERASE UNIT.
The drive is currently frozen. Sleep and wake computer to unfreeze.† Your output should now show:
$ sudo hdparm -I /dev/sdx Security: Master password revision code = 65534 supported not enabled not locked not frozen
Set password (req'd for using SE)
$ sudo hdparm --user-master u --security-set-pass p /dev/sdx security_password="p" /dev/sdx: Issuing SECURITY_SET_PASS command, password="p", user=user, mode=high
Security should now be enabled:
$ sudo hdparm -I /dev/sdx Security: Master password revision code = 65534 supported enabled not locked not frozen not expired: security count supported: enhanced erase Security level high
Erase drive
$ sudo hdparm --user-master u --security-erase p /dev/sdx security_password="p" /dev/sdx: Issuing SECURITY_ERASE command, password="p", user=user
If your drive supports enhanced erase, you may want to substitute security-erase-enhanced for security-erase. The difference, according to the HDDerase.exe FAQ:
Secure erase overwrites all user data areas with binary zeroes. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation.
If drive is locked, unlock & disable security
Upon completion, security should automatically switch back to disabled. If not, you will need to disable it manually. However, note that in such a case, Secure Erase likely did not complete successfully, leaving the drive only partially wiped. This can be caused by the 2 hour timeout in versions prior to 9.31, for example.
$ sudo hdparm -I /dev/sdx Security: Master password revision code = 65534 supported enabled locked not frozen not expired: security count supported: enhanced erase Security level high 168min for SECURITY ERASE UNIT. 168min for ENHANCED SECURITY ERASE UNIT.
Let's unlock it:
$ sudo hdparm --user-master u --security-unlock p /dev/sdx security_password="p" /dev/sdx: Issuing SECURITY_UNLOCK command, password="p", user=user
and disable security:
$ sudo hdparm --user-master u --security-disable p /dev/sdx security_password="p" /dev/sdx: Issuing SECURITY_DISABLE command, password="p", user=user
Now we're good:
$ sudo hdparm -I /dev/sdx Security: Master password revision code = 65534 supported not enabled not locked not frozen
Footnotes
- †-From the terminal: sudo pm-suspend or echo -n mem > /sys/power/state. Toby Ovod-Everett shares that hot plugging SATA drives may also unfreeze them - check UEFI/BIOS for support or try eSATA. And David Clayton reminds us that AHCI must be enabled for SATA hotplugging to function.
- ‡-HDAT2 offers an "Auto Remove Hidden Areas" function as well.