How to securely wipe all data from HDD / SSD

Why use the security-erase command instead of overwriting?

Here is how to wipe all data from your HDD / SSD quickly and securely. This procedure uses the security-erase command / routine of the HDD firmware, which means that the whole process is controlled by the HDD's own controller / firmware, so it is faster than using for example dd like:

dd if=/dev/zero of=/path/to/the/device bs=16M

simply because the SATA bus is not transferring all those "zeroes" in this case; it is only used to check whether the security-erase command has finished or not.

If you are wiping an SSD using the security-erase command it usually takes only seconds to finish, because the controller trims all cells at once :-)

When NOT to use this method

This method is not recommended when connecting HDDs / SSDs via USB. I haven't tried it myself; I always connect directly to a SATA port or use the ThinkPad bay which connects the HDD in place of the CD-ROM.

How to wipe HDD / SSD using security-erase command?

First of all check whether your HDD supports this command; use the following command (replace sdX with your HDD and run as root):

hdparm -I /dev/sdX

In the output, search for the "Security" section; there will be something like this:

Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 

...which means that this device supports security erase, it is able to erase itself in under 2 minutes, security is not enabled (= there is no HDD password set) and the security settings are frozen (explained below).

To be able to use the security-erase command you need to set an HDD password. To be able to set an HDD password, security must NOT be FROZEN.

Security is FROZEN because the BIOS froze it using a special command as the computer boots; this should prevent unwanted / accidental changes to the password and other HDD security settings. To unfreeze it you need to power-cycle the HDD, meaning you turn the power to the HDD off and on again without rebooting the computer. This can easily be done by putting the computer into sleep or hibernation and waking it up again.

After that hdparm -I should read:

Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 

Now we need to set the HDD password; use a simple password like 1234 - it makes no sense to use a strong and complicated password here, because the security-erase command we are going to use in the next step will remove that password :-)

To set the password to "rasta" use the following command (again replace sdX and run as root):

hdparm --user-master u --security-set-pass rasta /dev/sdX

After that hdparm -I should read:

Security: 
    Master password revision code = 65534
        supported
        enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 

Now you can finally start the erase procedure using:

hdparm --user-master u --security-erase rasta /dev/sdX

Wait until the procedure finishes - it will take approximately the amount of time mentioned in the output of "hdparm -I" in the "Security" section. My experience is that SSDs always report 2 minutes, but it takes around 5-20 seconds, so most probably 2 minutes is the shortest time the HDD/SSD can report? For example a 1TB Seagate HDD, model "ST1000VX000-1ES162", reports 98 minutes to erase and it takes about an hour and a half to wipe it (didn't measure the exact time, sorry), so I think it is quite accurate for mechanical HDDs.
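The whole procedure above hinges on reading the "Security" section correctly: "supported" versus "not supported", "frozen" versus "not frozen", "enabled" versus "not enabled". The following POSIX sh script is an added example, not part of the original article: it extracts that section from "hdparm -I" output and prints which step comes next (power-cycle, set the password, or erase), refusing with a non-zero exit status when the drive is unsupported, frozen or locked. It assumes hdparm's convention of prefixing a cleared flag with the word "not" (as in the listings above); the sample outputs it contains are constructed from those listings, and the script itself never touches a disk.

```shell
#!/bin/sh
# Added example (not from the original article): classify the "Security" section
# of `hdparm -I` output so you know which step of the wipe procedure comes next.
# Real use, as root:   hdparm -I /dev/sdX | security_state
# The samples at the bottom are constructed from the article's listings.

# Keep only the "Security:" section: that line plus the indented lines after it,
# stopping at the next section header (a line that starts in column 0).
security_section() {
    awk '/^Security:/ {f=1; print; next} f && /^[^ \t]/ {exit} f {print}'
}

# Helper: does the extracted section (global SEC) contain a line matching $1?
sec_has() { printf '%s\n' "$SEC" | grep -Eq "$1"; }

# Reads hdparm -I output on stdin and prints exactly one word:
#   unsupported  - drive has no security feature set; use another wipe method
#   frozen       - BIOS froze security; power-cycle the drive (suspend/resume)
#   locked       - a password is set and the drive is locked; unlock it first
#   set-password - next step is --security-set-pass
#   erase        - password already set; --security-erase can run now
# Exit status is 0 only when the procedure can proceed (set-password / erase).
security_state() {
    SEC=$(security_section)
    # hdparm prefixes a cleared flag with "not" (e.g. "not frozen"), so an
    # anchored match on the bare keyword means the flag is set.  The trailing $
    # keeps "supported: enhanced erase" from counting as the main "supported".
    sec_has '^[[:space:]]*supported[[:space:]]*$' || { echo unsupported; return 1; }
    sec_has '^[[:space:]]*frozen' && { echo frozen; return 1; }
    sec_has '^[[:space:]]*locked' && { echo locked; return 1; }
    if sec_has '^[[:space:]]*enabled'; then echo erase; else echo set-password; fi
}

# Convenience wrapper: classify a string instead of a live drive.
state_of() { printf '%s\n' "$1" | security_state; }

# Constructed samples mirroring the article's three listings, plus a drive
# without the security feature set.  "Checksum: correct" stands in for the
# next section that real hdparm output prints after "Security:".
SAMPLE_FROZEN='Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 
Checksum: correct'
SAMPLE_UNFROZEN=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^        frozen$/    not frozen/')
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_UNFROZEN" | sed 's/^    not enabled$/        enabled/')
SAMPLE_UNSUPPORTED='Security: 
    Master password revision code = 65534
    not supported
Checksum: correct'

# Stand-alone run: show the state each sample resolves to
# (frozen, set-password, erase, unsupported).
for s in "$SAMPLE_FROZEN" "$SAMPLE_UNFROZEN" "$SAMPLE_ENABLED" "$SAMPLE_UNSUPPORTED"; do
    state_of "$s" || true
done
```

Because the function's exit status is non-zero unless the drive is ready, it can gate the real commands: "hdparm -I /dev/sdX | security_state && hdparm --user-master u --security-set-pass rasta /dev/sdX" will not run the password step on a frozen or unsupported drive.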