ATA Secure Erase

ATA Secure Erase is an ATA command that instructs the drive itself to securely erase all of its data.

Step 1: Ensure drive security is not frozen

Run the following hdparm command to check whether the drive is frozen. Replace X with the device name of the drive.

hdparm -I /dev/X
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    6min for SECURITY ERASE UNIT. 32min for ENHANCED SECURITY ERASE UNIT.

The output must show “not frozen” before you can continue to the next step.

If the drive does not show up correctly, I have had success with simply re-plugging the drive while the system is running, although your mileage may vary. See the “ATA Secure Erase” link below for more troubleshooting steps.

Step 2: Enable security

WARNING: Once the user password is set, the drive will be locked after the next power cycle (it will deny normal access until unlocked with the correct password).

First we need to set a user password. This password will be removed after we have successfully erased the drive, so any password will do. However, a lot of internet guides use the password “Eins”, so we will use that as well.

hdparm --user-master u --security-set-pass Eins /dev/X
security_password="Eins"

/dev/sdb:
Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high

To make sure security was enabled, we can re-run the hdparm command from before. Notice that it now says “enabled” instead of “not enabled”.

hdparm -I /dev/X
Security:
    Master password revision code = 65534
        supported
        enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    6min for SECURITY ERASE UNIT. 32min for ENHANCED SECURITY ERASE UNIT.

Step 3: Issue the ATA Secure Erase command

hdparm --user-master u --security-erase Eins /dev/X
security_password="Eins"

/dev/sdb:
Issuing SECURITY_ERASE command, password="Eins", user=user

Step 4: Verify

After the drive has been successfully erased, drive security should automatically be disabled again and thus no longer require a password for access. Verify this by running the following command:

hdparm -I /dev/X
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    6min for SECURITY ERASE UNIT. 32min for ENHANCED SECURITY ERASE UNIT.

You can also verify that all the data on the drive was actually cleared by reading the entire contents of the drive and printing it to the console with the following command. Thankfully, od collapses runs of identical lines into a single “*” line, so the output for a fully zeroed drive is short and easy to read.

sudo od /dev/X
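The four steps above, chained into one script as an added example (not part of this page or of hdparm): it parses the Security section of hdparm -I and refuses to go on whenever the drive is not in the state each step expects, so a failed erase is reported instead of silently leaving the drive locked with the temporary password. It assumes hdparm is installed and the script runs as root; the sample output at the bottom is constructed from the transcript above.

```shell
#!/bin/sh
# Added example (not the page's own): runs steps 1-4 and stops when the
# Security section of `hdparm -I` is not in the expected state. Assumes root
# and hdparm; the sample output at the bottom is constructed from the page.

# Print one Security flag (frozen, enabled or locked) from `hdparm -I` output
# on stdin: "not-<flag>", "<flag>" or "unknown". Handles hdparm's tab layout.
security_flag() {
    awk -v f="$1" '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }             # next top-level section
        insec {
            line = $0; gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
            if (line == "not " f) { print "not-" f; found = 1; exit }
            if (line == f)        { print f;        found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# Step 1: the drive must be not frozen, not enabled and not locked.
ready_for_erase() {
    [ "$(printf '%s\n' "$1" | security_flag frozen)"  = not-frozen  ] &&
    [ "$(printf '%s\n' "$1" | security_flag enabled)" = not-enabled ] &&
    [ "$(printf '%s\n' "$1" | security_flag locked)"  = not-locked  ]
}

# Steps 2-4 against a real device: secure_erase /dev/sdb
secure_erase() {
    dev=$1; pass=Eins
    ready_for_erase "$(hdparm -I "$dev")" ||
        { echo "$dev: frozen, enabled or locked; see step 1" >&2; return 1; }
    hdparm --user-master u --security-set-pass "$pass" "$dev" || return 1
    [ "$(hdparm -I "$dev" | security_flag enabled)" = enabled ] ||
        { echo "$dev: SECURITY_SET_PASS did not enable security" >&2; return 1; }
    hdparm --user-master u --security-erase "$pass" "$dev" || return 1
    # Step 4: a successful erase leaves security "not enabled"; anything else
    # means the drive is still locked with "$pass" and needs manual attention.
    [ "$(hdparm -I "$dev" | security_flag enabled)" = not-enabled ] ||
        { echo "$dev: security still enabled, password is $pass" >&2; return 1; }
}
# Constructed sample: the page's Step 1 transcript, plus a frozen variant.
SAMPLE_READY='Security:
    Master password revision code = 65534
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase'
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/^    not frozen$/        frozen/')
if [ $# -gt 0 ]; then secure_erase "$1"; fi
```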

Further reading

TODO