Why the security-erase command instead of rewriting?
Here is how to wipe all data from your HDD / SSD quickly and securely. This procedure uses the security-erase command / routine of the HDD firmware, which means the whole process is controlled by the HDD's controller / firmware, so it is faster than using, for example, dd like this:
dd if=/dev/zero of=/path/to/the/device bs=16M
simply because in this case the SATA bus is not transferring all those zeroes; it is only used to check whether the security-erase command has finished.
If you are wiping an SSD with the security-erase command, it usually takes only seconds to finish, because the controller trims all cells at once :-)
When NOT to use this method
This method is not recommended when connecting HDDs / SSDs via USB. I haven't tried it myself; I always connect directly to a SATA port or use a ThinkPad bay that holds the HDD in place of the CD-ROM.
How to wipe HDD / SSD using security-erase command?
First of all, check whether your HDD supports this command. Use the following command (replace sdX with your HDD and run as root):
hdparm -I /dev/sdX
In the output, look for the "Security" section; it will contain something like this:
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
...which means that this device supports security erase, it is able to erase itself in under 2 minutes, security is not enabled (= there is no HDD password set), and the security settings are frozen (explained below).
To be able to use the security-erase command, you need to set an HDD password. To be able to set an HDD password, the security needs to be NOT FROZEN.
The security is FROZEN because the BIOS froze it with a special command as the computer booted; this should prevent unwanted / accidental changes to the password and other settings related to HDD security. To unfreeze it, you need to power-cycle the HDD, meaning you need to turn the power to the HDD off and on again without rebooting the computer. This can easily be done by putting the computer into sleep or hibernation and waking it up again.
After that hdparm -I should read:
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Now we need to set the HDD password. Use a simple password like 1234; it makes no sense to use a strong and complicated password here, because the security-erase command we are going to use in the next step will remove that password :-)
To set the password to "rasta", use the following command (again, replace sdX and run as root):
hdparm --user-master u --security-set-pass rasta /dev/sdX
After that hdparm -I should read:
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Now you can finally start the erase procedure using:
hdparm --user-master u --security-erase rasta /dev/sdX
Wait until the procedure finishes; it will take approximately the amount of time mentioned in the "Security" section of the "hdparm -I" output. My experience is that SSDs always report 2 minutes, but it takes about 5-20 seconds, so most probably 2 minutes is the shortest time the HDD/SSD can report? For example, a 1TB Seagate HDD, model "ST1000VX000-1ES162", reports 98 minutes to erase and it takes about an hour and a half to wipe it (I didn't measure the exact time, sorry), so I think it is quite accurate for mechanical HDDs.
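The checks in the steps above can be scripted. The following is an added example, not part of the original post: it classifies the "Security" section of an "hdparm -I" report so each step is only attempted in the right state. The function names, the state words and the sample() reports are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# On a real system (as root): hdparm -I /dev/sdX | ata_security_state

# Read an `hdparm -I` report on stdin and print one state word.
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented heading ends the section
        insec {
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
            if      ($0 == "supported") sup = 1
            else if ($0 == "enabled")   en  = 1
            else if ($0 == "locked")    lk  = 1
            else if ($0 == "frozen")    fr  = 1
        }
        END {
            if      (!sup) print "unsupported"   # no security feature set reported
            else if (fr)   print "frozen"        # power-cycle the drive (suspend/resume) first
            else if (lk)   print "locked"        # drive reports locked, do not proceed
            else if (en)   print "password-set"  # ready for --security-erase
            else           print "ready"         # ready for --security-set-pass
        }'
}

# Print the reported duration, in minutes, of the normal SECURITY ERASE UNIT.
erase_minutes() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
}

# Constructed sample report (not captured from a real drive).
# $1 = the "enabled" line, $2 = the "frozen" line.
sample() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t%s\n\tnot locked\n\t%s\n' "$1" "$2"
    printf '\tnot expired: security count\n\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

echo "after boot:    $(sample 'not enabled' 'frozen'     | ata_security_state)"
echo "after resume:  $(sample 'not enabled' 'not frozen' | ata_security_state)"
echo "password set:  $(sample 'enabled'     'not frozen' | ata_security_state)"
echo "reported time: $(sample 'enabled'     'not frozen' | erase_minutes) min"
```

After the erase has finished, the same check should print "ready" again, which confirms that the temporary password was removed along with the data.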