tinyapps.org / docs / ATA Sanitize and hdparm


(Note: This is a follow-up to ATA Secure Erase (SE) and hdparm, which includes suggestions for working around frozen drives and more. See also NVMe Secure Erase and NVMe Sanitize in this series.)

0. Warning

These procedures will irretrievably destroy data (and potentially media as well - see section 7).

1. Introduction

According to NIST,

The ATA Sanitize Device feature set commands are preferred over the [...] ATA Security feature set SECURITY ERASE UNIT command when supported by the ATA device.

Microsoft concurs:

For new applications, it is recommended to use the CRYPTO SCRAMBLE EXT command from the SANITIZE feature set. This is preferred over the SECURITY ERASE UNIT command since SANITIZE is supported in both the T10 standard (SCSI) and the T13 standard (ATA), and for all derived busses.

Finally, SanDisk states:

Secure Erase is different from Sanitize because it only deletes the mapping table but will not erase all blocks that have been written to. Sanitize will delete the mapping table and will erase all blocks that have been written to. Therefore, Secure Erase is faster to complete than Sanitize. After you erase the drive using Secure Erase or Sanitize, all user data will be permanently destroyed on the selected drive. This data cannot be recovered

2. Check for SANITIZE support

A supported drive:

# hdparm --sanitize-status /dev/sdx

/dev/sdx:
Issuing SANITIZE_STATUS command
Sanitize status:
    State:    SD0 Sanitize Idle
    Last Sanitize Operation Completed Without Error

An unsupported drive:

# hdparm --sanitize-status /dev/sdx

/dev/sdx:
SANITIZE feature set is not supported

This drive supports SANITIZE BLOCK ERASE:

# hdparm -I /dev/sdx
...
Commands/features:
    Enabled    Supported:
       ...
       *    SANITIZE feature set
       *    BLOCK_ERASE_EXT command
       ...

while this drive supports SANITIZE CRYPTOGRAPHIC SCRAMBLE and SANITIZE OVERWRITE:

# hdparm -I /dev/sdx
...
Commands/features:
    Enabled    Supported:
       ...
       *    SANITIZE feature set
       *    CRYPTO_SCRAMBLE_EXT command
       *    OVERWRITE_EXT command
       ...

3. SANITIZE BLOCK ERASE

The SANITIZE OPERATION START EXT - BLOCK ERASE command shall start a sanitize operation which shall cause Block Erase operations on all user data. The SANITIZE BLOCK ERASE operation shall also remove user data held in caches and pin setting attributes (see 4.16).

The SANITIZE OPERATION START EXT- BLOCK ERASE shall only be reported as supported if the internal media supports Block Erase operations (e.g. NAND FLASH, see [ONFI]).

After a successful SANITIZE BLOCK ERASE operation, the contents of the user data area are indeterminate.

The SANITIZE OPERATION START EXT - BLOCK ERASE shall only be processed if:

  a) the Sanitize Device feature set is supported;
  b) the BLOCK ERASE method is supported; and
  c) the device is in the Sanitize Idle state, the Sanitize Operation Failed state, or the Sanitize Operation Succeeded state .

—Section 7.x.4.2 of T13's Sanitize Device Command Proposal, Revision 67

# hdparm --yes-i-know-what-i-am-doing --sanitize-block-erase /dev/sdx

/dev/sdx:
Issuing SANITIZE_BLOCK_ERASE command
Operation started in background
You may use `--sanitize-status` to check progress

4. Check status

# hdparm --sanitize-status /dev/sdx

/dev/sdx:
Issuing SANITIZE_STATUS command
Sanitize status:
    State:    SD0 Sanitize Idle
    Last Sanitize Operation Completed Without Error

5. Verify

# dd if=/dev/sdx bs=8192 status=progress | hexdump
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
...
250059350016 bytes (250 GB, 233 GiB) copied, 904.6 s, 276 MB/s

6. SANITIZE CRYPTOGRAPHIC SCRAMBLE

The SANITIZE OPERATION START EXT - CRYPTOGRAPHIC SCRAMBLE command shall start a sanitize operation which shall change the internal encryption keys that are used for user data. The SANITIZE CRYPTOGRAPHIC SCRAMBLE operation shall also remove user data held in caches and pin setting attributes (see 4.16).

The SANITIZE OPERATION START EXT- CRYPTOGRAPHIC SCRAMBLE shall only be reported as supported if all user data is affected by changing internal encryption keys.

After a successful cryptographic scramble, the contents of the user data area may be indeterminate.

The SANITIZE OPERATION START EXT - CRYPTOGRAPHIC SCRAMBLE shall only be processed if:

  a) the SANITIZE DEVICE feature set is supported;
  b) the CRYPTOGRAPHIC SCRAMBLE method is supported; and
  c) the device is in the Sanitize Idle state, the Sanitize Operation Failed state, or the Sanitize Operation Succeeded state .

—Section 7.x.3.2 of T13's Sanitize Device Command Proposal, Revision 67

# hdparm --yes-i-know-what-i-am-doing --sanitize-crypto-scramble /dev/sdx

/dev/sdx:
Issuing SANITIZE_CRYPTO_SCRAMBLE command
Operation started in background
You may use `--sanitize-status` to check progress
# hdparm --sanitize-status /dev/sdx

/dev/sdx:
Issuing SANITIZE_STATUS command
Sanitize status:
    State:    SD0 Sanitize Idle
    Last Sanitize Operation Completed Without Error

7. SANITIZE OVERWRITE

WARNING: This command destroyed two good 8TB HGST hard drives (each in a different computer) after running for ≈15 hours and only progressing to ≈5% complete. Immediately beforehand, the drives had completed ATA SECURE ERASE in ≈13.5 hours without incident.

The SANITIZE OPERATION START EXT - OVERWRITE command shall start a sanitize operation which fills the user data area with a four byte pattern passed in the LBA field of the command. Parameters for this method include a count for multiple overwrites and the option to invert the four byte pattern between consecutive overwrite passes. The SANITIZE OVERWRITE operation shall also remove user data held in caches and pin setting attributes (see 4.16).

After a successful SANITIZE OVERWRITE operation affected data blocks shall contain valid ECC.

The SANITIZE OPERATION START EXT - OVERWRITE shall only be processed if:

  a) the Sanitize Device feature set is supported;
  b) the OVERWRITE method is supported; and
  c) the device is in the Sanitize Idle state, the Sanitize Operation Failed state, or the Sanitize Operation Succeeded state.

—Section 7.x.5.2 of T13's Sanitize Device Command Proposal, Revision 67

# hdparm --yes-i-know-what-i-am-doing --sanitize-overwrite 11111111 /dev/sdx
invalid PATTERN format (must be hex:XXXXXXXX)

# hdparm --yes-i-know-what-i-am-doing --sanitize-overwrite hex:11111111 /dev/sdx

/dev/sdx:
Issuing SANITIZE_OVERWRITE command
Operation started in background
You may use `--sanitize-status` to check progress
# hdparm --sanitize-status /dev/sdx

/dev/sdx:
Issuing SANITIZE_STATUS command
Sanitize status:
    State:    SD2 Sanitize operation In Process
    Progress: 0x0 (0%)

8. Sources:

9. Related:


last update: 2018.09.13