I understand traditional methods don’t work with modern SSD, anyone knows any good way to do it?

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 months ago

    If you’re on a desktop or laptop, you should check the disk/partition manager tooling and see if there’s a button to do this for you. In Gnome, for example, it’s in Disks > three dots > Format Disk > Erase: secure erase. I’m sure KDE and other desktop environments with a complete suite of tools will also have something like this. If you find this option greyed out, check the instructions in the wiki article I link below about unlocking the drive. If it’s not there, there may be another GUI tool, or you could use the command line version.

    If you’re going command line, the exact procedure depends on the disk

    SATA disks

    Based on the Arch wiki

    Step 1: check if the disk is frozen

    Run sudo hdparm -I /dev/sdX | grep frozen (replace X with the drive name, of course, or use /dev/disk/by-* if you don’t know the right letter; should work with all of these commands) to check if it’s frozen. It should say “not frozen”, if it says “frozen”, put the computer to (S3) sleep and wake it again. That should usually do it.

    Step 2: set a password

    Simply put: sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX. Don’t reboot without finishing all steps, some hardware is funky. Remember this password.

    Step 3: wipe the drive

    sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX This can take a minute, it can take half an hour (less likely), don’t interrupt the process, definitely don’t turn off the computer.

    Step 4: remove the password

    To make sure people in the future can wipe the drive again, check if there’s still a password. Run sudo hdparm -I /dev/sdX and check for “not enabled” below “password”. If it’s still enabled, try running sudo hdparm --user-master u --security-disable PasSWorD /dev/sdX. With a password set, you will need to unlock the drive with the password you configured before the drive can be used, and most operating systems can’t deal with that automatically.

    NVMe disks

    Based on the same wiki article. Use /dev/nvmeX for the device specification, not /dev/nvmXnY, and obviously substitute for the device you actually want to wipe. You should be able to use paths like /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM as well, in case you don’t know the exact device name.

    Step 1: find capabilities

    sudo nvme id-ctrl /dev/nvmeX -H | grep -E 'Format |Crypto Erase|Sanitize' to find if the device supports formatting or sanitizing.

    Step 2.1: formatting

    Simply put: nvme format /dev/nvmeX -s 2 -n 0xffffffff to do a cryptographic erase. 0xffffffff will erase all namespaces, if multiple namespaces are supported; this is a bit mask, so you can select multiple individual namespaces if you want. If you don’t know what that means, just erase them all, or set use 1 instead of 0xffffffff if the command errors out.

    Step 2.2: sanitizing

    First run nvme sanitize-log /dev/nvmeX to check how long it’ll take, in estimated seconds, for a block erase or a crypto erase to finish, to help you estimate how long you’ll need to leave the computer on for.

    Step 2.2.a: cryptographic erase

    sudo nvme sanitize /dev/nvmeX -a start-crypto-erase will do a cryptographic erase. This should be pretty quick.

    Step 2.2.b: block erase

    sudo nvme sanitize /dev/nvmeX -a start-block-erase will do a block erase. This will can take multiple minutes, maybe longer, depending on your drive and the speed.

    Secure discard

    There’s also a tool called blkdiscard that can tell an SSD to securely discard blocks, if the device supports it, Something like sudo blkdiscard --secure /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM or sudo blkdiscard --secure /dev/disk/by-id/ata-Samsung_SSD_789_EVO_M.2_9999GB_ABCDEFGHIJLM should work for those.