Advanced: Erasing Solid State Drives by using the Linux hdparm Utility


General Information

Solid State Drives (SSDs) are quickly replacing traditional mechanical hard disk drives because of their higher speed, lower power consumption, lighter weight, and better shock resistance.  However, traditional whole-disk erasing utilities like Darik's Boot and Nuke (DBAN) do not work well with SSDs because the placement of data blocks is not as predictable as on a traditional magnetic hard disk drive.  Since 2001, the Secure Erase command has been built into the controller firmware of Parallel ATA (PATA) and Serial ATA (SATA) hard drives.  This includes both traditional hard disk drives and solid state drives.  The Secure Erase command writes zeros to the user data portion of traditional hard drives, or returns the cells to their original factory state in solid state drives.

This article will show the user how to use the hdparm Utility to issue the Secure Erase command to an ATA interfaced hard drive.

ONLY applicable to HDDs and SSDs with a Serial ATA (SATA) or Parallel ATA (PATA) interface and a manufactured date after 2001. ( information can be found on most desktops & laptops.)

SCSI and SAS drives are NOT covered in this article.

Important Notes!!

Make sure the drive is directly connected to the controller before continuing.  Do not continue if the drive is connected to the computer via a hardware RAID controller or a USB/Firewire to PATA/SATA bridge.  Do not attempt the steps below via the USB interface.

The instructions in this article will destroy ALL data on the ENTIRE drive and not just a particular partition.  Please make sure that ALL necessary data are backed up from ALL partitions before following the steps below.  For safety, it is recommended that drives not intended to be wiped be removed from the system before starting the steps below.

DO NOT remove power or disconnect the data cable before the operation is completed.  Doing so may leave the drive in an unknown state and can possibly lead to a dead ("bricked") drive or, more importantly, a data leak scenario.

The estimated completion time is dependent on the size and speed of the drive.  Some fast SSDs can take as little as two minutes, while traditional hard drives take about one hour per 100GB.

This article assumes the reader has some knowledge of the Linux Operating System.

How to Issue the Secure Erase Command?

1.  Download and burn a Linux LiveCD that includes the hdparm utility.  The CentOS 6.3 LiveCD and the Parted Magic LiveCD DO contain hdparm; however, the Fedora 17 LiveCD DOES NOT, so your mileage will vary.

 -- Download the Parted Magic ISO file from Parted Magic

2.  With the drive(s) to be erased attached, boot the computer from the Linux LiveCD and get to a root shell.  All commands from now on will be issued as root.

3.  Find the name of the drive(s) that you want to wipe by using the fdisk command:

fdisk -l

[Screenshot: fdisk -l output with the "Disk /dev/sda:" line highlighted]

NOTE: For this example, we will be using /dev/sda.

4.  Check to see if the drive is frozen: 

hdparm -I /dev/sda

[Screenshot: Security section of the hdparm -I output, showing the master password revision code, "not enabled", "not locked", "not expired", and "frozen"]

NOTE: The drive is frozen, it supports Enhanced Security Erasing, and the estimated completion time is 50 minutes.

5.  Since the drive in this example is frozen, we need to unfreeze it by putting the computer to sleep with the command below.  Skip this step if your drive is not frozen.

echo -n mem > /sys/power/state

6.  After letting the computer sleep for a few seconds, wake it up and check to see if the drive is no longer in frozen state by issuing the command:

hdparm -I /dev/sda

[Screenshot: hdparm -I output where the "frozen" line now reads "not frozen"]

NOTE: The drive is no longer in frozen state.

7.  Set a temporary password "p" in order to issue the secure erase command:

hdparm --user-master u --security-set-pass p /dev/sda

[Screenshot: hdparm output reading: Issuing SECURITY_SET_PASS command, password="p", user=user, mode=high]

8.  Check to see if the password is set correctly and that security is now enabled:

hdparm -I /dev/sda

[Screenshot: hdparm -I output showing "Security level high"]

9.  Erase the drive:

If the drive DOES support Enhanced Security Erase:

hdparm --user-master u --security-erase-enhanced p /dev/sda

If the drive DOES NOT support Enhanced Security Erase:

hdparm --user-master u --security-erase p /dev/sda


Warning:  ALL data on the drive will be erased and will not be recoverable.  Please back up all necessary data ahead of time.

10.  After waiting at least the estimated amount of time as shown by hdparm output (step 4), check to see if the security erase command is finished.

hdparm -I /dev/sda

[Screenshot: hdparm -I output after the erase has finished]

NOTE: See the differences between the picture above and the one in Step 8.  The security erase command reset the password and the security level back to the default.
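
A read-only preflight for steps 4 through 9, added here as an example and not part of the original article: it parses the Security section of hdparm -I text and reports which step applies, without sending any command to the drive. The function names (parse_security, next_step, sample_frozen) and the sample text are constructed for illustration; stopping on a locked drive or on a missing Security section is an assumption that goes beyond the steps above.

```shell
#!/bin/sh
# Added example (not from the article): parse the "Security:" section of
# `hdparm -I` text read from stdin. Nothing here talks to a drive.
parse_security() {
    awk '
        /^Security:/       { insec = 1; seen = 1; next }
        insec && /^[^ \t]/ { insec = 0 }      # next top-level section ends it
        !insec             { next }
        # hdparm prefixes a negated flag with "not"; strip indent and prefix
        { neg = ($1 == "not"); flag = $0; sub(/^[ \t]*(not)?[ \t]*/, "", flag) }
        flag ~ /^enabled/                   { enabled  = !neg }
        flag ~ /^locked/                    { locked   = !neg }
        flag ~ /^frozen/                    { frozen   = !neg }
        flag ~ /^supported: enhanced erase/ { enhanced = !neg }
        END {
            if (!seen) { print "nosecurity"; exit }
            printf "enabled=%d locked=%d frozen=%d enhanced=%d\n", enabled, locked, frozen, enhanced
        }
    '
}

# Map the parsed state to the step of this article that applies next.
next_step() {
    case "$(parse_security)" in
        nosecurity)   echo "stop: no Security section in input" ;;
        *locked=1*)   echo "stop: drive is locked (not covered by these steps)" ;;
        *frozen=1*)   echo "step 5: frozen, suspend and resume first" ;;
        *enabled=0*)  echo "step 7: set the temporary password" ;;
        *enhanced=1*) echo "step 9: use --security-erase-enhanced" ;;
        *)            echo "step 9: use --security-erase" ;;
    esac
}

# Constructed sample matching the state described in step 4.
sample_frozen() {
cat <<'EOF'
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

# Real use, as root:  hdparm -I /dev/sda | next_step
sample_frozen | next_step
```
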

 Referenced from: Parted Magic

6/29/2016 12:27:59 PM