
In today’s digital world, protecting sensitive data is crucial. Whether you’re disposing of an old hard drive, repurposing a server, or wiping a drive before selling or donating it, using the right tools to erase data is essential. A secure erase on Linux ensures no recoverable traces of your information remain, preventing breaches and protecting your confidentiality. This guide covers the most effective techniques for wiping drives on Linux, giving you peace of mind about your data security.
Introduction
Secure erase on Linux (and in general) is crucial for protecting sensitive data when decommissioning or repurposing storage devices. Unlike traditional file deletion methods, secure erasure ensures that data is irretrievable, thereby safeguarding privacy and adhering to compliance standards. The robust toolset available in Linux enables users to efficiently and flexibly wipe disks securely, making it an ideal choice for businesses, system administrators, and individual users who are concerned about data security.
Here are some of the most frequently asked questions regarding disk secure erase:
Which tools are available for secure erase?
- Built-in Linux Utilities
- dd: Overwrites the drive with zeros or random data.
- hdparm: Utilizes the Secure Erase feature built into modern hard drives (firmware).
- shred: Overwrites data multiple times for added security.
- NVMe-Specific Tools
- nvme-cli: A command-line utility for managing NVMe drives, including the nvme command, which performs a secure erase on NVMe SSDs efficiently and directly.
- Third-Party Applications
- Samsung Magician: Offers a secure erase feature for Samsung SSDs and includes an easy-to-use interface.
- Parted Magic: A bootable Linux-based tool that includes secure erase utilities for various drive types.
- Vendor-Specific BIOS/UEFI Options
- Dell BIOS: Includes a “Data Wipe” or “Secure Erase” feature for supported drives.
- HP BIOS: Offers a “Secure Erase” option for comprehensive data removal.
Can secure erase be performed on SSDs?
Yes, but it requires special methods, such as issuing ATA Secure Erase commands or using TRIM, to prevent wear-leveling complications.
Is secure erase necessary for drives being reused within the same organization?
Yes, it ensures sensitive data is not accidentally leaked when drives are reassigned or tested.
How can I confirm a drive has been securely erased?
You can verify by scanning the disk with data recovery tools to ensure no recoverable data remains.
General Use Cases for Secure Erase on Linux
I have decided to build a home server, and since I have brand-new disks for it, there is no need for a secure erase. However, I would need to perform a secure erase if I were using old, previously used drives. Below, you will find some other common use cases for disk secure erase on Linux:
- Decommissioning Hardware
- When retiring or selling old storage devices, secure erase ensures sensitive data is unrecoverable, protecting personal and organizational security.
- Repurposing Drives
- Before reassigning storage devices within a company or for personal use, secure erase eliminates traces of old data, reducing the risk of accidental exposure.
- Compliance with Data Privacy Regulations
- Preventing Data Recovery After File Deletion
- Regular file deletion leaves data recoverable. Secure erase ensures complete data destruction for users concerned about privacy.
- Before Donating or Recycling Drives
- Erasing data securely prevents personal or sensitive information from being accessed by unintended recipients.
- Testing or Benchmarking Drives
- Secure erase clears storage devices for clean benchmarking or testing, ensuring accurate performance metrics without interference from existing data.
- Addressing Malware or Corruption
- When dealing with a compromised or corrupted drive, secure erase ensures no traces of malware or corrupted files persist before reinstallation or reuse.
Caveats & Limitations
When considering end users, I believe that for most industries, properly performing a secure erase of any hard disk drive is generally sufficient to ensure that there is no residual data remaining—data that could potentially be recovered. However, it’s important to note that this is not always guaranteed. This guide would not be complete without addressing some caveats and limitations associated with disk secure erasure:
- Write Amplification and Data Residue
- Caveat: Solid-state drives (SSDs) can experience write amplification due to their internal wear-leveling mechanisms. This means that the data you “erase” might still exist in other blocks, even if it appears to be wiped from accessible areas.
- Mitigation: Use SSD-specific secure erase utilities (like hdparm or nvme-cli) that issue commands directly to the drive controller to handle all blocks properly, including reserved areas.
- Accessing Flash Memory Directly
- Caveat: Forensic techniques, such as disassembling flash memory devices, unsoldering chips, and reading their raw content, bypass the controller entirely. Secure erase commands only communicate with the controller, which may leave some data recoverable if chips are accessed directly.
- Mitigation: Physically destroy drives when absolute data security is required, such as when handling highly sensitive information.
- Erasure Command Reliability
- Caveat: Secure erase commands rely on the drive’s firmware to execute the operation properly. Faulty or outdated firmware could result in incomplete erasure, leaving residual data.
- Mitigation: Ensure the drive’s firmware is up-to-date and verify erasure with disk analysis tools.
- Encryption as an Additional Layer
- Caveat: Drives without encryption can expose raw data even after deletion if residual traces remain. Some SSDs advertise encryption but may not securely manage encryption keys.
- Mitigation: Use full-disk encryption from the start to ensure erasure can be achieved by destroying the encryption key.
- Wear-Leveling Areas and Overprovisioning
- Caveat: SSDs often have reserved areas for wear-leveling and overprovisioning. These regions may contain residual data that isn’t erased with standard commands.
- Mitigation: Choose secure erase tools that specifically address these areas or rely on hardware destruction for critical scenarios.
- Drive-Specific Behavior
- Caveat: Different drive manufacturers implement secure erase differently. Some may fail to erase hidden partitions or reserved areas.
- Mitigation: Consult manufacturer documentation and use vendor-approved tools for erasure, such as Dell’s BIOS Data Wipe or Samsung Magician for Samsung SSDs.
By addressing these concerns, I aim to clarify the limitations of secure erase methods. Additionally, I want to stress the significance of choosing the appropriate tools and techniques for your specific requirements.
Prerequisites
I will demonstrate three methods for wiping your hard drive in this guide. To begin, you will need a live Linux distribution that you can boot from a USB drive. I usually use the Debian Live ISO, but please feel free to choose any distribution you prefer. The commands and tools required for this process are fdisk, dd, hdparm, and nvme-cli (for non-SATA NVMe drives). These tools should be included in the major Linux distribution live images.
**IMPORTANT NOTICE** Before you proceed, make sure to back up all important data! The steps outlined below will completely erase all data on the specified disk(s), making it unrecoverable. Do not continue with the ATA Secure Erase (refer to the hdparm and nvme-cli sections below for instructions) unless the target drive is directly connected to a SATA or NVMe interface. Using the Secure Erase/Format/Sanitize command on a drive connected via USB or a SAS/RAID card could potentially render the drive unusable (brick the device)!
Secure Erase on Linux – DD
The dd command in Unix is a versatile utility for low-level data copying and conversion. It operates on raw data and is often used for tasks such as:
- Disk Imaging
- Creating or restoring disk images, including backups and system recovery.
- Data Conversion
- Converting data formats (e.g., ASCII to EBCDIC) or changing block sizes.
- Writing to Devices
- Copying data directly to or from devices like disks, USB drives, or ISO images.
- Secure Erase
- Overwriting disks with random or zeroed data for secure deletion.
You can erase your drive using the dd command in two ways. The first method involves simply “zeroing out” your drive, while the second is a bit more advanced. I will demonstrate both methods in the following subsections.
DD – Simple
As stated above, dd can overwrite disks with random or zeroed data for secure deletion. In the following examples, I will show you how you can wipe the drive by using two special files: /dev/zero and /dev/urandom.
In the past, the kernel’s random number generator was slow, leading many to use alternative methods for generating pseudorandom data. One common approach involved encrypting the data stream using a random key from /dev/zero. While this method is theoretically secure, it no longer provides any benefits over the kernel’s newer and faster random number generator. Additionally, there is a risk that the temporary key could be inadvertently saved in an insecure location.
Once you have booted the system with a live Linux distribution, you must determine which drive you want to wipe. This step is mandatory, as dd will completely erase the data, so make sure to select the correct disk. You can do that by executing the fdisk command:
```
fdisk -l
...
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Disk model: QEMU HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3A25B8A6-6921-489A-BF0A-23D5DBB7C448
Device Start End Sectors Size Type
/dev/sda1 2048 2097151 2095104 1023M Linux filesystem
/dev/sda2 2097152 2101247 4096 2M BIOS boot
/dev/sda3 2101248 2363391 262144 128M EFI System
/dev/sda4 2363392 4460543 2097152 1G Linux swap
/dev/sda5 4460544 41940991 37480448 17,9G Linux filesystem
```
As you can observe in my example, I want to erase my /dev/sda disk device. To do so, I can execute the following in the console:
```
dd if=/dev/zero of=/dev/sda bs=4096 status=progress
```
The above will zero-fill the disk by writing a zero byte to every addressable location on the disk using the /dev/zero stream. Another option is /dev/urandom, which can be used as a fast source of cryptographically secure pseudorandom data from the Linux kernel. To do so, execute the following in the terminal:
```
dd if=/dev/urandom of=/dev/sda bs=4096 iflag=fullblock status=progress
```
Warning: Do not overwrite an SSD with random data if you intend to use TRIM. Unused blocks will be marked as empty after the first TRIM and will eventually be erased, thus undoing your previous actions.
The operation in both examples above will be complete when dd reports “No space left on device” and drops back to the console prompt.
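As an added example (not code from the original post), here is a small POSIX shell script that wraps the dd zero-fill above with the checks a practitioner wants before and after it: it refuses partition names and mounted devices, writes zeros over the exact size of the target, and reads the device back to confirm that every addressable byte is now zero. The function names are the example's own; in the test it runs against a regular file standing in for a disk.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks, zero-fill and
# read-back verification around dd. Function names are this example's own.

# Return 0 for a whole-disk node name (sda, vdb, nvme0n1, mmcblk0) and 1 for a
# partition (sda1, nvme0n1p2): wiping one partition leaves the rest of the disk.
is_whole_disk_name() {
    case "$1" in
        nvme*n[0-9]*p[0-9]*|mmcblk[0-9]*p[0-9]*) return 1 ;;
        nvme*n[0-9]*|mmcblk[0-9]*)               return 0 ;;
        [sv]d[a-z]*[0-9]*)                        return 1 ;;
        [sv]d[a-z]*)                              return 0 ;;
        *)                                        return 1 ;;
    esac
}

# Return 0 if the device or any partition on it appears in /proc/mounts.
is_mounted() {
    grep -qs "^$1[p0-9]* " /proc/mounts
}

# Size in bytes: blockdev for a block node, stat for a regular-file stand-in.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Overwrite the whole target with zeros: 4 KiB blocks for speed, then any
# sub-block remainder byte by byte, with fsync so the data reaches the media.
zero_fill() {
    dev=$1
    if is_mounted "$dev"; then echo "refusing: $dev is mounted" >&2; return 2; fi
    size=$(target_size "$dev")
    rest=$((size % 4096))
    dd if=/dev/zero of="$dev" bs=4096 count=$((size / 4096)) conv=fsync 2>/dev/null || return 1
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs=1 count="$rest" seek=$((size - rest)) \
           conv=notrunc,fsync 2>/dev/null || return 1
    fi
}

# Read the target back and count bytes that are not 0x00; a correct zero-fill
# yields 0. This only covers what the OS can address, not remapped or
# over-provisioned blocks inside an SSD.
count_nonzero_bytes() {
    head -c "$(target_size "$1")" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

main() {
    dev=$1
    is_whole_disk_name "$(basename "$dev")" || { echo "$dev is not a whole disk" >&2; return 1; }
    zero_fill "$dev" || return 1
    [ "$(count_nonzero_bytes "$dev")" -eq 0 ] && echo "verified: $dev reads back as zeros"
}

# Run only when a target is given, e.g.  ./zero_wipe.sh /dev/sda
if [ $# -gt 0 ]; then main "$@"; fi
```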
DD – Advanced
To complement the examples above regarding /dev/zero and /dev/urandom, there is a bit more advanced method for erasing disks using dd. An alternative approach is to randomize the drive with a randomly seeded AES cipher from OpenSSL. You can do it by executing the following in the console:
```
DEVICE="/dev/sda"
PASS=$(tr -cd '[:alnum:]' < /dev/urandom | head -c128)
openssl enc -aes-256-ctr -pass pass:"$PASS" -nosalt </dev/zero | dd obs=64K ibs=4K of=$DEVICE oflag=direct status=progress
```
The command above generates a 128-byte encryption key sourced from /dev/urandom. The key is then used in CTR mode to encrypt the output of /dev/zero, resulting in a device filled with AES ciphertext. This process achieves very high write speeds by using the cipher instead of a pseudorandom source.
Appendix – Block Size
If you do not specify the block size (bs=) when using the dd command, it will default to 512 bytes. In many cases today, this default value can make the operation very slow. Choosing a more reasonable value, such as 64K, is usually a better option.
If you want to go “deep in,” there is a script by AndyCrowd on GitHub that can help you calculate the parameters required to erase a disk or partition using dd. You can find the script here: genwipe.sh
Secure Erase on Linux – Hdparm
The hdparm command is a powerful utility for managing and configuring SATA storage devices. It provides tools for performance tuning, disk diagnostics, and secure operations. Following are some of the use cases:
- Drive Information
- Retrieve detailed information about a disk’s model, firmware, and capabilities.
- Performance Tuning
- Adjust disk settings like read-ahead buffers or power management.
- Secure Erase
- Perform hardware-level secure erasure of disk contents.
hdparm is particularly useful for tasks like optimizing performance and securely erasing data. Still, it should be used cautiously, as incorrect commands can result in data loss or hardware misconfiguration.
ATA Secure Erase – Hdparm
hdparm supports ATA Secure Erase, which is functionally similar to zero-filling a disk. However, this process is managed by the hard drive’s firmware and also addresses “hidden data areas.” Therefore, it can be viewed as a modern equivalent of a “low-level format” command. It is reported that SSD drives can achieve factory performance again after this command is executed.
To perform the ATA Secure Erase operation, you must first ensure the device security is not in “frozen” mode. To do so, execute the following in the console:
```
hdparm -I /dev/sda | grep frozen
```
If the Security section of the output shows "not frozen", you may proceed with the secure erase operation. If it is frozen, the solution is to put the computer to sleep. To do that, execute the following in the console:
```
echo -n mem > /sys/power/state
```
While observing the output of hdparm -I, you may notice your drive supports Enhanced Security Erase. A good explanation of the feature is given here.
The next step is to enable security by setting a password. Any temporary password will suffice, as it will be reset to NULL after the secure erase:
```
hdparm --user-master u --security-set-pass passpass /dev/sda
```
If you issue a hdparm -I command again, you will notice that security is enabled (Security level high):
```
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.
```
Before you issue the ATA Security Erase command, please double-check several times that you have selected the correct drive. Once the command is executed, you cannot go back. Also, please observe the following line:
```
50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.
```
According to the ATA specifications, the enhanced security erase option (--security-erase-enhanced) performs a more thorough wipe of the drive. If the estimated completion time for both the regular and enhanced commands is the same, it suggests that the manufacturer has taken shortcuts in following the specifications and is using the same erase function for both processes. Conversely, a short completion time (such as 2 minutes) indicates that the device is self-encrypting, meaning it will wipe the internal encryption key rather than overwriting all data cells.
You can issue the ATA security erase command by executing the following in the console:
```
hdparm --user-master u --security-erase passpass /dev/sda
```
Wait until the operation is completed. Once it is, the output should be similar to the one below:
```
security_password="passpass"
/dev/sda:
Issuing SECURITY_ERASE command, password="passpass", user=user
0.000u 0.000s 0:52.35 0.0% 0+0k 0+0io 0pf+0w
```
The drive is now erased. If you observe the output of hdparm -I again, you will notice that security is not enabled, indicating that it was automatically disabled and that a password is no longer required for access:
```
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.
```
You can use hdparm to perform ATA Security Erase on any SATA mechanical or SSD drive. In the next section, I will show you how to perform security erase on NVMe drives.
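As an added example (not code from the original post), the POSIX shell functions below read saved hdparm -I output and apply the checks described in this section before any erase command is sent: they report whether the drive is frozen or locked, pull the two erase-time estimates out of the Security section, and turn them into the verdict the article derives from them. The function names and the 2-minute threshold used to flag a self-encrypting drive are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: interpret `hdparm -I` output before
# issuing an ATA Secure Erase. Feed the text on stdin, e.g.
#   hdparm -I /dev/sda | ata_erase_plan
# Function names and the 2-minute threshold are this example's assumptions.

# Echo the security state: unsupported | frozen | locked | ready. Returns
# non-zero unless ready. The "frozen"/"locked" tests require the bare word on
# its own line, so the "not frozen" / "not locked" lines do not match.
ata_security_state() {
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q 'SECURITY ERASE UNIT'; then
        echo unsupported; return 1
    elif printf '%s\n' "$text" | grep -qE '^[[:space:]]*frozen[[:space:]]*$'; then
        echo frozen; return 1
    elif printf '%s\n' "$text" | grep -qE '^[[:space:]]*locked[[:space:]]*$'; then
        echo locked; return 1
    fi
    echo ready
}

# Echo "<normal> <enhanced>" minutes taken from the "...min for SECURITY ERASE
# UNIT" line; "-" stands for a figure that is absent (e.g. no enhanced erase).
ata_erase_minutes() {
    line=$(grep 'SECURITY ERASE UNIT' | head -n 1 || true)
    normal=$(printf '%s\n' "$line" | grep -oE '[0-9]+min for SECURITY ERASE UNIT' \
             | grep -oE '^[0-9]+' || true)
    enhanced=$(printf '%s\n' "$line" | grep -oE '[0-9]+min for ENHANCED SECURITY ERASE UNIT' \
               | grep -oE '^[0-9]+' || true)
    echo "${normal:--} ${enhanced:--}"
}

# The article's reading of the two estimates, as one line of advice.
ata_erase_verdict() {
    normal=$1; enhanced=$2
    if [ "$normal" = "-" ]; then
        echo "no erase time reported; check that the drive supports the ATA Security feature set"
    elif [ "$normal" -le 2 ]; then
        echo "very short estimate: self-encrypting drive, the erase discards the internal key"
    elif [ "$enhanced" = "-" ]; then
        echo "enhanced erase not supported; use --security-erase"
    elif [ "$normal" -eq "$enhanced" ]; then
        echo "same estimate for both modes: the firmware probably uses one routine for both"
    else
        echo "distinct enhanced routine: prefer --security-erase-enhanced"
    fi
}

# Combine the checks: prints the plan and exits non-zero unless an erase can be
# issued now.
ata_erase_plan() {
    text=$(cat)
    state=$(printf '%s\n' "$text" | ata_security_state) || { echo "not ready: $state"; return 1; }
    set -- $(printf '%s\n' "$text" | ata_erase_minutes)
    echo "ready: ${1}min normal, ${2}min enhanced: $(ata_erase_verdict "$1" "$2")"
}
```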
Security Erase on NVMe Drives – Nvme-cli
The NVMe specification defines a standardized way to format NVMe drives, which do not use the SATA interface protocol and cannot be cleared in the same way as SATA drives. This is where the nvme-cli tool comes into play.
The command “nvme-format” was initially used to implement a secure erase feature until the dedicated “nvme-sanitize” command was introduced in NVMe Specification 1.3. While both commands can securely erase data, “nvme-sanitize” is more effective at ensuring that the data is properly wiped.
To verify what is supported by your NVMe drive, execute the following in the console:
```
nvme id-ctrl /dev/nvme0 -H | grep -E 'Format |Crypto Erase|Sanitize'
```
The output (depending on what is supported by your drive) should be similar to the one below:
```
[1:1] : 0x1 Format NVM Supported
[29:29] : 0 No-Deallocate After Sanitize bit in Sanitize command Supported
[2:2] : 0 Overwrite Sanitize Operation Not Supported
[1:1] : 0x1 Block Erase Sanitize Operation Supported
[0:0] : 0 Crypto Erase Sanitize Operation Not Supported
[3:3] : 0 Format NVM Broadcast NSID (FFFFFFFFh) Supported
[2:2] : 0 Crypto Erase Not Supported as part of Secure Erase
[1:1] : 0 Crypto Erase Applies to Single Namespace(s)
[0:0] : 0 Format Applies to Single Namespace(s)
[1:1] : 0 Controller Copy Format 1h Not Supported
[0:0] : 0 Controller Copy Format 0h Not Supported
```
You can go ahead and use the format or sanitize option. Let’s observe how.
NVMe Format
To send a secure erase “command” with nvme format, you must use the -s/--ses parameter. Possible values are the following:
- 0
- No secure erase operation requested.
- 1
- User Data Erase: All user data shall be erased, contents of the user data after the erase is indeterminate (e.g., the user data may be zero filled, one filled, etc). The controller may perform a cryptographic erase when a User Data Erase is requested if all user data is encrypted.
- 2
- Cryptographic Erase: All user data shall be erased cryptographically. This is accomplished by deleting the encryption key.
Observing the output of the nvme id-ctrl command above, please notice that for my example, the values for both Crypto Erase Applies to Single Namespace(s) and Format Applies to Single Namespace(s) have a bit set to 0. That means that the controller supports format on a per namespace basis. So if, for example, I’d like to format /dev/nvme0 with a user data erase to namespace 1, I would execute the following in the console:
```
nvme format /dev/nvme0 -s 1 -n 1
```
In case there are several namespaces, all of them can be formatted/secure erased by passing the -n 0xffffffff parameter.
NVMe Sanitize
The primary difference between sanitizing and formatting is that sanitizing ensures the deletion of caches and restarts the process following an unexpected power loss. Additionally, sanitizing includes a pattern overwrite for secure erase operations. While this method can negatively impact NAND endurance, it may be utilized with other types of storage and memory classes to provide greater assurance that user data cannot be recovered.
To specify the sanitize action, the -a/--sanact parameter must be supplied with the nvme sanitize command. Possible values are the following:
- 0x02 | start-block-erase
- Start a Block Erase sanitize operation.
- 0x03 | start-overwrite
- Start an Overwrite sanitize operation.
- 0x04 | start-crypto-erase
- Start a Crypto Erase sanitize operation.
To get an estimation of the time the various methods would take on your drive, if supported, please execute the following in the console:
```
nvme sanitize-log /dev/nvme0
...
Estimated Time For Overwrite : 4294967295 (No time period reported)
Estimated Time For Block Erase : 10
Estimated Time For Crypto Erase : 4294967295 (No time period reported)
```
In the case of “No time period reported,” the operation will most definitely take a substantial amount of time (a couple of hours), so be ready for that. So, for example, if you would like to perform a crypto erase sanitize operation, you must execute the following in the console:
```
nvme sanitize /dev/nvme0 -a start-crypto-erase
```
Warning: Once the operation is started, it cannot be interrupted, even if you power cycle (restart) the computer, and it will render the drive unstable until it is completed. Also, please don’t use the start-overwrite parameter even if your drive supports it, as it is neither good nor recommended for NAND-based drives due to endurance.
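As an added example (not code from the original post), the shell functions below choose an erase command from saved nvme id-ctrl -H output using the preference order this section argues for (sanitize crypto erase, then sanitize block erase, then format with crypto or user-data erase, and never overwrite), and turn the sanitize-log estimates into something readable. The function names are the example's own; the capability strings it matches are the ones printed in the outputs above, and the namespace defaults to 1 as in the format example.

```shell
#!/bin/sh
# Added example, not from the original post: pick the NVMe erase method and read
# the sanitize-log estimates. Both functions take saved nvme-cli text on stdin,
# e.g.  nvme id-ctrl /dev/nvme0 -H | nvme_erase_command /dev/nvme0
# Function names are this example's own.

# Return 0 if capability text $1 contains the positive line $2. The "Not
# Supported" variants do not match because "Not " sits inside the phrase.
has_cap() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Echo the nvme-cli command to run for DEV (namespace NSID, default 1; use
# 0xffffffff to cover every namespace when broadcast format is supported).
# Preference: sanitize crypto erase, sanitize block erase, format with crypto
# erase (-s 2), format with user-data erase (-s 1). Overwrite sanitize is never
# chosen, following the article's warning about NAND endurance.
nvme_erase_command() {
    dev=$1
    nsid=${2:-1}
    caps=$(cat)
    if has_cap "$caps" 'Crypto Erase Sanitize Operation Supported'; then
        echo "nvme sanitize $dev -a start-crypto-erase"
    elif has_cap "$caps" 'Block Erase Sanitize Operation Supported'; then
        echo "nvme sanitize $dev -a start-block-erase"
    elif has_cap "$caps" 'Crypto Erase Supported as part of Secure Erase'; then
        echo "nvme format $dev -s 2 -n $nsid"
    elif has_cap "$caps" 'Format NVM Supported'; then
        echo "nvme format $dev -s 1 -n $nsid"
    else
        echo "no erase method reported by the controller" >&2
        return 1
    fi
}

# Echo the seconds the controller estimates for ACTION ("Overwrite",
# "Block Erase" or "Crypto Erase") from `nvme sanitize-log` text on stdin, or
# "unknown" when it reports 0xFFFFFFFF (no time period), which the article
# warns can mean hours of runtime.
nvme_sanitize_estimate() {
    line=$(grep "Estimated Time For $1" | head -n 1 || true)
    val=$(printf '%s\n' "$line" | grep -oE ': *[0-9]+' | grep -oE '[0-9]+' || true)
    case "$val" in
        ''|4294967295) echo unknown ;;
        *)             echo "$val" ;;
    esac
}
```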
Honorable Mention – blkdiscard
The blkdiscard command is part of the util-linux package and includes a --secure option to perform a secure discard. A secure discard is the same as a regular discard, but it also ensures that all copies of the discarded blocks that may have been created by garbage collection are erased as well. This process requires support from the storage device. To use it, you can execute the following in the console:
```
blkdiscard --secure /dev/sda
```
If the storage device does not support --secure, you can use the -z/--zeroout option, which fills the device with zeroes instead of discarding all of its blocks.
Conclusion
Securely erasing drives on Linux is a critical step in ensuring data privacy and protecting sensitive information. Whether you’re decommissioning a drive, repurposing storage, or adhering to compliance standards, tools like dd, hdparm, and nvme-cli provide robust solutions tailored to different storage types. While Linux offers powerful built-in options, it’s essential to understand the potential caveats, such as write amplification and the limits of software-based erasure methods. By leveraging the right tools and practices, you can confidently manage your data security and ensure that no trace of your information remains accessible.