Secure Erase in Linux

Recently I was tasked with wiping a computer hard drive. The drive was a 128GB Samsung SSD. My normal tool of choice is DBAN (Darik’s Boot and Nuke), but to my surprise it did not support erasing SSD drives. As always, Google came to my rescue, and I found an easy way to wipe the drive called ‘secure erase’.

Not Frozen
The first thing you have to do is ensure that the drive is not ‘frozen’.

sudo hdparm -I /dev/sdb

[…]
Security:
Master password revision code = 65534
supported
not    enabled
not    locked
not    frozen
not    expired: security count
supported: enhanced erase
106min for SECURITY ERASE UNIT. 106min for ENHANCED SECURITY ERASE UNIT.
[…]

Frozen

sudo hdparm -I /dev/sda

[…]
Security:
Master password revision code = 65534
supported
not    enabled
not    locked
frozen
not    expired: security count
supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

[…]

If the drive is frozen, it might be possible to ‘un-freeze’ it by suspending the computer and then waking it up. This works in the cases where the BIOS issues a lock command on boot up. A power cycle of the drive clears that state.

Set The Password
Once the drive is not in a ‘frozen’ state, you can move on to the next step. In order to issue the erase command, the drive needs to have a password set.

sudo hdparm --user-master u --security-set-pass password /dev/sda
security_password="password"

/dev/sda:
Issuing SECURITY_SET_PASS command, password="password", user=user, mode=high

Checking the drive again should indicate that the password is now enabled.

sudo hdparm -I /dev/sdb

[…]
Security:
Master password revision code = 65534
supported
enabled
not    enabled
not    locked
not    frozen
not    expired: security count
supported: enhanced erase
106min for SECURITY ERASE UNIT. 106min for ENHANCED SECURITY ERASE UNIT.
[…]

Erase The Disk
Now, you can execute the secure erase command:

sudo hdparm --user-master u --security-erase password /dev/sdb
security_password="password"

/dev/sdb:
Issuing SECURITY_ERASE command, password="password", user=user

Check The Results
After the command executes, the password should automatically be cleared.

sudo hdparm -I /dev/sdb

[…]
Security:
Master password revision code = 65534
supported
not    enabled
not    locked
not    frozen
not    expired: security count
supported: enhanced erase
106min for SECURITY ERASE UNIT. 106min for ENHANCED SECURITY ERASE UNIT.
[…]

Your drive should be securely erased now. I found the process to be easy and quick.
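
The checks between the steps above can be scripted so that a wipe job refuses to continue when the drive is in the wrong state. The following is an added example, not part of the original post: the function names and the state labels are made up for illustration, and the sample input is constructed from the hdparm -I listings shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify the "Security:" block
# of `hdparm -I` output so a wipe script can stop on an unexpected state.

# Reads hdparm -I output on stdin; prints one of:
#   unsupported | frozen | locked | password-set | no-password
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; next }   # flags only count after this header
        !insec       { next }
        { gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }  # normalise spacing
        $0 == "supported" { sup = 1 }      # "supported: enhanced erase" is a different line
        $0 == "enabled"   { en = 1 }       # "not enabled" does not match
        $0 == "locked"    { lk = 1 }
        $0 == "frozen"    { fz = 1 }
        END {
            if (!sup)    print "unsupported"
            else if (fz) print "frozen"
            else if (lk) print "locked"
            else if (en) print "password-set"
            else         print "no-password"
        }'
}

# Exit status 0 only when the erase step can be issued:
# security supported, not frozen, not locked, password set.
safe_to_erase() { [ "$(ata_security_state)" = "password-set" ]; }

# Constructed sample input, modelled on the listings in this post.
sample() {  # $1 = the "enabled" line, $2 = the "frozen" line
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t%s\n\tnot\tlocked\n\t%s\n' "$1" "$2"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
}
sample_frozen()   { sample 'not    enabled' '       frozen'; }
sample_unfrozen() { sample 'not    enabled' 'not    frozen'; }
sample_pass_set() { sample '       enabled' 'not    frozen'; }

# Demo: print the state derived from each constructed listing.
for s in sample_frozen sample_unfrozen sample_pass_set; do
    printf '%s -> %s\n' "$s" "$("$s" | ata_security_state)"
done
```

On a real system the input would come from sudo hdparm -I on the target device, piped into ata_security_state before each step.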
