tinyapps.org / docs / ATA Secure Erase (SE) and hdparm

Warnings

The instructions below will irretrievably destroy data. Moreover, as the hdparm manpage explains, "these switches are DANGEROUS to experiment with, and might not work with every kernel. USE AT YOUR OWN RISK."
Beware - When SECURE ERASE doesn't erase at all

Explanation

According to National Institute of Standards and Technology (NIST) Special Publication 800-88: Guidelines for Media Sanitization, Secure Erase is "An overwrite technology using firmware based process to overwrite a hard drive. Is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure." The guidelines also state that "degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging."

Benefits

Can securely wipe most PATA/SATA hard drives manufactured this century
Reportedly restores peak performance to SSD drives (though SE fails to securely wipe some SSDs)
hdparm/Linux offers much better hardware support than HDDErase/MS-DOS
Overwrites blocks marked as bad by the hard drive (which DBAN and similar tools ignore)
Though speed (vs. block erase wiping tools like DBAN) is often cited, the difference is negligible.^*

Suggestions

Boot from RIP Linux^† or any distro which includes hdparm 9.31 or greater (prior versions would timeout after 2 hours, leaving the disk only partially erased)
- If you must use a version prior to 9.31, you'll want to increase the timeout by changing const int timeout_2hrs = (2 * 60 * 60); in the source code to something like const int timeout_6hrs = (6 * 60 * 60); and recompiling, as explained by KnifeWrench.
Connect drive directly to PATA/SATA interface; do not use USB, Firewire, etc
Do not have any other drives connected other than the one(s) you want to wipe
Note that all commands below are issued as root (hence the # prompt)
For the truly paranoid:
1. Wipe drive with ATA Secure Erase
2. Follow with block erase wiping tool (DBAN, etc)
3. Physically destroy drive

Directions

1. If drive is frozen, unfreeze

# hdparm -I /dev/sdx
...
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	168min for SECURITY ERASE UNIT. 168min for ENHANCED SECURITY ERASE UNIT.
...

The drive is currently frozen. Sleep and wake computer to unfreeze.^‡ Your output should now show:

# hdparm -I /dev/sdx
...
Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
...

2. Set password (req'd for using SE)

# hdparm --user-master u --security-set-pass p /dev/sdx
security_password="p"

/dev/sdx:
 Issuing SECURITY_SET_PASS command, password="p", user=user, mode=high

Security should now be enabled:

# hdparm -I /dev/sdx
...
Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
...

3. Erase drive

# hdparm --user-master u --security-erase p /dev/sdx
security_password="p"

/dev/sdx:
 Issuing SECURITY_ERASE command, password="p", user=user

If your drive supports enhanced erase, you may want to substitute security-erase-enhanced for security-erase. The difference, according to the HDDerase.exe FAQ:

Secure erase overwrites all user data areas with binary zeroes. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation.

4. If drive is locked, unlock & disable security

Upon completion, security should automatically switch back to disabled. If not, you will need to disable it manually. However, note that in such a case, Secure Erase likely did not complete successfully, leaving the drive only partially wiped. This can be caused by the 2 hour timeout in versions prior to 9.31, for example.

# hdparm -I /dev/sdx
...
Security:
	Master password revision code = 65534
		supported
		enabled
		locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
	168min for SECURITY ERASE UNIT. 168min for ENHANCED SECURITY ERASE UNIT.
...

Let's unlock it:

# hdparm --user-master u --security-unlock p /dev/sdx
security_password="p"

/dev/sdx:
 Issuing SECURITY_UNLOCK command, password="p", user=user

and disable security:

# hdparm --user-master u --security-disable p /dev/sdx
security_password="p"

/dev/sdx:
 Issuing SECURITY_DISABLE command, password="p", user=user

Now we're good:

# hdparm -I /dev/sdx
...
Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
...

Hidden Data Areas ^§

I asked hdparm's creator, Mark Lord, whether ATA SECURITY ERASE wipes hidden data areas like the host protected area (HPA) and device configuration overlay (DCO) by default:

The answer is manufacturer-specific, and only manufacturers know the exact details. However, the idea is that the SECURITY ERASE command (which is handled totally by the drive firmware itself, not Linux) is supposed to erase everything possible inside the drive. Including HPA, DCO, spare sectors, all drive firmware settings, etc. Think of it as the modern-day "low-level format" command.

To explicitly disable HPA and DCO, use hdparm -N and hdparm --dco-restore:

# hdparm -N /dev/sdx

/dev/sdx:
max sectors   = 78125000/78165360, HPA is enabled

# hdparm -N p78165360 /dev/sdx

/dev/sdx:
setting max visible sectors to 78165360 (permanent)
max sectors   = 78165360/78165360, HPA is disabled

# hdparm --dco-identify /dev/sdx

/dev/sdx:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
       Transfer modes:
                udma0 udma1 udma2 udma3 udma4 udma5
       Real max sectors: 78165360
       ATA command/feature sets:
                AAM HPA

# hdparm --dco-restore /dev/sdx

/dev/sdx:
Use of --dco-restore is VERY DANGEROUS.
You are trying to deliberately reset your drive configuration back to
the factory defaults.
This may change the apparent capacity and feature set of the drive,
making all data on it inaccessible.
You could lose *everything*.
Please supply the --yes-i-know-what-i-am-doing flag if you really want this.
Program aborted.

# hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdx

/dev/sdx:
issuing DCO restore command

Sources

Footnotes

^* In fact, in informal testing on a 160GB SATA-connected hard drive, ATA SECURITY ERASE took 50m19.661s while dd if=/dev/zero of=/dev/sdx bs=1M completed in 45m23.181s.

^† RIP Linux inclues 8 consoles (left Alt+F1-F8 to switch) and current versions of disk tools like hdparm 9.37, TestDisk/PhotoRec 6.14-WIP, ddrescue 1.15, and dcfldd 1.3.4-1. If you experience trouble with resuming from sleep, try PCLinuxOS instead (login: root/root).

^‡ More on unfreezing:

Two ways to suspend/sleep from the terminal:
- # pm-suspend
- # echo -n mem > /sys/power/state
Toby Ovod-Everett shares that hot plugging SATA drives may also unfreeze them - check UEFI/BIOS for support or try eSATA. And David Clayton reminds us that AHCI must be enabled for SATA hotplugging to function.
Edoardo Liverani explains how he unfroze his internal SATA drive:
1. Find the host on which sdx is attached:
  # ls -ld /sys/block/sdx lrwxrwxrwx 1 root root 0 Mar 13 09:24 /sys/block/sdx -> ../devices/pci0000:00/0000:00:1f.2/host5/target5:0:0/5:0:0:0/block/sdx
2. Detach the drive and power it off:
  # echo 1 > /sys/block/sdx/device/delete
3. Rescan the SATA bus and reattach the drive:
  # echo "- - -" > /sys/class/scsi_host/host5/scan

^§ HDAT2 offers an "Auto Remove Hidden Areas" function as well.

last update: 2016.11.06