(Also in this series: ATA Sanitize Device and hdparm, NVMe Secure Erase, and NVMe Sanitize.)
According to National Institute of Standards and Technology (NIST) Special Publication 800-88: Guidelines for Media Sanitization, Secure Erase is "An overwrite technology using firmware based process to overwrite a hard drive. Is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure." The guidelines also state that "degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging."
const int timeout_2hrs = (2 * 60 * 60);
in the source code to something like const int timeout_6hrs = (6 * 60 * 60);
and recompiling, as explained by KnifeWrench.# hdparm -I /dev/sdx
...
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
...
The drive is currently frozen. Sleep and wake computer to unfreeze.‡ Your output should now show:
# hdparm -I /dev/sdx
...
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
...
# hdparm --user-master u --security-set-pass p /dev/sdx
security_password="p"
/dev/sdx:
Issuing SECURITY_SET_PASS command, password="p", user=user, mode=high
Security should now be enabled:
# hdparm -I /dev/sdx
...
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
...
# hdparm --user-master u --security-erase p /dev/sdx
security_password="p"
/dev/sdx:
Issuing SECURITY_ERASE command, password="p", user=user
If your drive supports enhanced erase, you may want to substitute security-erase-enhanced
for security-erase
. The difference, according to the HDDerase.exe FAQ:
Secure erase overwrites all user data areas with binary zeroes. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation. ***NOTE: the enhanced secure erase option is not supported by all ATA drives.
Upon completion of step 3, security should automatically switch back to disabled. If not, you will need to disable it manually. However, note that in such a case, Secure Erase likely did not complete successfully, leaving the drive only partially wiped. This can be caused by the 2 hour timeout in versions prior to 9.31, for example.
# hdparm -I /dev/sdx
...
Security:
Master password revision code = 65534
supported
enabled
locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
...
Let's unlock it:
# hdparm --user-master u --security-unlock p /dev/sdx
security_password="p"
/dev/sdx:
Issuing SECURITY_UNLOCK command, password="p", user=user
and disable security:
# hdparm --user-master u --security-disable p /dev/sdx
security_password="p"
/dev/sdx:
Issuing SECURITY_DISABLE command, password="p", user=user
Now we're good:
# hdparm -I /dev/sdx
...
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
...
# dd if=/dev/sdx bs=8192 status=progress | hexdump
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
1000157208576 bytes (1.0 TB, 931 GiB) copied, 5708 s, 175 MB/s
122095323+0 records in
122095323+0 records out
1000204886016 bytes (1.0 TB, 932 GiB) copied, 5710.29 s, 175 MB/s
e8e0db6000
I asked hdparm's creator, Mark Lord, whether ATA SECURITY ERASE wipes hidden data areas like the host protected area (HPA) and device configuration overlay (DCO) by default:
The answer is manufacturer-specific, and only manufacturers know the exact details. However, the idea is that the SECURITY ERASE command (which is handled totally by the drive firmware itself, not Linux) is supposed to erase everything possible inside the drive. Including HPA, DCO, spare sectors, all drive firmware settings, etc. Think of it as the modern-day "low-level format" command.
To explicitly disable HPA and DCO, use hdparm -N
and hdparm --dco-restore
:
#hdparm -N /dev/sdx
/dev/sdx: max sectors = 78125000/78165360, HPA is enabled #hdparm -N p78165360 /dev/sdx
/dev/sdx: setting max visible sectors to 78165360 (permanent) max sectors = 78165360/78165360, HPA is disabled #hdparm --dco-identify /dev/sdx
/dev/sdx: DCO Revision: 0x0001 The following features can be selectively disabled via DCO: Transfer modes: udma0 udma1 udma2 udma3 udma4 udma5 Real max sectors: 78165360 ATA command/feature sets: AAM HPA #hdparm --dco-restore /dev/sdx
/dev/sdx: Use of --dco-restore is VERY DANGEROUS. You are trying to deliberately reset your drive configuration back to the factory defaults. This may change the apparent capacity and feature set of the drive, making all data on it inaccessible. You could lose *everything*. Please supply the --yes-i-know-what-i-am-doing flag if you really want this. Program aborted. #hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdx
/dev/sdx: issuing DCO restore command
* In fact, in informal testing on a 160GB SATA-connected hard drive, ATA SECURITY ERASE took 50m19.661s while dd if=/dev/zero of=/dev/sdx bs=1M
completed in 45m23.181s.
† RIP Linux includes 8 consoles (left Alt+F1-F8 to switch) and current versions of disk tools like hdparm 9.37, TestDisk/PhotoRec 6.14-WIP, ddrescue 1.15, and dcfldd 1.3.4-1. If you experience trouble with resuming from sleep, try PCLinuxOS instead (login: root/root).
‡ More on unfreezing:
pm-suspend
echo -n mem > /sys/power/state
ls -ld /sys/block/sdx
echo 1 > /sys/block/sdx/device/delete
echo "- - -" > /sys/class/scsi_host/host5/scan
§ HDAT2 offers an "Auto Remove Hidden Areas" function as well.
The GNOME Disks app offers an ATA Secure Erase option in the Format Disk menu. But if it fails to complete, how to unlock the drive? The password does not appear to be documented; happily, Babiz tracked it down by finding udisksd[1206] Commencing ATA enhanced secure erase in /var/log/daemon.log (and system.log) then searching the UDisks source code for "user password", which uncovered it in udiskslinuxdriveata.c as "xxxx". Thus, hdparm --security-disable xxxx /dev/sdx
will unlock the drive.
created: 2011.02.21, updated: 2022.11.04