I understand traditional methods don’t work with modern SSD, anyone knows any good way to do it?

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    2
    ·
    6 months ago

    Secure Erase doesn’t need to happen from the BIOS, if your BIOS doesn’t offer it, there’s a good chance you can still do it from within your OS. Don’t do it to the drive your OS is running from, though, that’ll probably cause issues.

    • krash@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      If running linux, what command should be run? Shred isn’t viable on a SSD, as it will only tear them down. Shred was designed with HDD in mind.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        If you’re on a desktop or laptop, you should check the disk/partition manager tooling and see if there’s a button to do this for you. In Gnome, for example, it’s in Disks > three dots > Format Disk > Erase: secure erase. I’m sure KDE and other desktop environments with a complete suite of tools will also have something like this. If you find this option greyed out, check the instructions in the wiki article I link below about unlocking the drive. If it’s not there, there may be another GUI tool, or you could use the command line version.

        If you’re going command line, the exact procedure depends on the disk

        SATA disks

        Based on the Arch wiki

        Step 1: check if the disk is frozen

        Run sudo hdparm -I /dev/sdX | grep frozen (replace X with the drive name, of course, or use /dev/disk/by-* if you don’t know the right letter; should work with all of these commands) to check if it’s frozen. It should say “not frozen”, if it says “frozen”, put the computer to (S3) sleep and wake it again. That should usually do it.

        Step 2: set a password

        Simply put: sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX. Don’t reboot without finishing all steps, some hardware is funky. Remember this password.

        Step 3: wipe the drive

        sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX This can take a minute, it can take half an hour (less likely), don’t interrupt the process, definitely don’t turn off the computer.

        Step 4: remove the password

        To make sure people in the future can wipe the drive again, check if there’s still a password. Run sudo hdparm -I /dev/sdX and check for “not enabled” below “password”. If it’s still enabled, try running sudo hdparm --user-master u --security-disable PasSWorD /dev/sdX. With a password set, you will need to unlock the drive with the password you configured before the drive can be used, and most operating systems can’t deal with that automatically.

        NVMe disks

        Based on the same wiki article. Use /dev/nvmeX for the device specification, not /dev/nvmXnY, and obviously substitute for the device you actually want to wipe. You should be able to use paths like /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM as well, in case you don’t know the exact device name.

        Step 1: find capabilities

        sudo nvme id-ctrl /dev/nvmeX -H | grep -E 'Format |Crypto Erase|Sanitize' to find if the device supports formatting or sanitizing.

        Step 2.1: formatting

        Simply put: nvme format /dev/nvmeX -s 2 -n 0xffffffff to do a cryptographic erase. 0xffffffff will erase all namespaces, if multiple namespaces are supported; this is a bit mask, so you can select multiple individual namespaces if you want. If you don’t know what that means, just erase them all, or set use 1 instead of 0xffffffff if the command errors out.

        Step 2.2: sanitizing

        First run nvme sanitize-log /dev/nvmeX to check how long it’ll take, in estimated seconds, for a block erase or a crypto erase to finish, to help you estimate how long you’ll need to leave the computer on for.

        Step 2.2.a: cryptographic erase

        sudo nvme sanitize /dev/nvmeX -a start-crypto-erase will do a cryptographic erase. This should be pretty quick.

        Step 2.2.b: block erase

        sudo nvme sanitize /dev/nvmeX -a start-block-erase will do a block erase. This will can take multiple minutes, maybe longer, depending on your drive and the speed.

        Secure discard

        There’s also a tool called blkdiscard that can tell an SSD to securely discard blocks, if the device supports it, Something like sudo blkdiscard --secure /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM or sudo blkdiscard --secure /dev/disk/by-id/ata-Samsung_SSD_789_EVO_M.2_9999GB_ABCDEFGHIJLM should work for those.