Hard-drive erasure resources

<- back to /pub/bin/
<- back to Tech Solvency

Icon  Name                    Last modified      Size  Description
[   ] HDDERASE.EXE 2008-09-20 18:19 71K ATA Secure Erase - DOS mode [   ] HDDErase.iso 2008-09-20 20:47 1.8M ATA Secure Erase - bootable ISO [TXT] HDDEraseReadMe.txt 2008-12-03 19:38 23K [   ] rufus-2.8p.exe 2016-03-22 12:04 865K Create DOS-bootable USB sticks

Tips

I am not affiliated, but the free Ultimate Boot CD (http://www.ultimatebootcd.com/) includes both DBAN and HDDErase used here. Many Linux live CDs include hdparm, but https://partedmagic.com/ ($12 shipped on CD) has the best GUI wrapper for it.


A. If the drive is too old to support the ATA Secure Erase command (less than 15-20GB or made prior to 2002):

  1. Strongly consider physically destroying the drive and not repurposing.
  2. If it must be repurposed, use DBAN to perform a 5220.22-M (7-pass) wipe. http://www.dban.org/
  3. Reformat the drive for reuse.

B. If it is a magnetic spinning drive, and will be repurposed, perform a low-level wipe:

  1. If the drive is part of a RAID, put the controller in a non-RAID mode (JBOD, Initiator/Target, etc.), or attach the drive to a non-RAID controller.
  2. Boot from a MS-DOS USB stick. If you do not have one and use Windows, use Rufus to create one.
  3. Run the HDDErase utility to issue the NIST 800-88-approved "ATA Secure Erase" command:
    http://cmrr.ucsd.edu/people/Hughes/documents/HDDEraseWeb.zip
  4. Follow the prompts to set a security password. Use a password so that an interrupted wiping session can be recovered. Do not relinquish control of the device until the secure erase is completed.
  5. Unless the drive is a Thinkpad (which relies on the DCO area), follow the prompts to delete any DCO and HPA areas.
  6. Select the option to verify that the wiping completed.
  7. When wiping is complete, print out the completion page (with drive serial, etc.), sign and date it, and place in a drive disposal log folder.
  8. Wipe the drive with a single character. Zero is recommended to make it easy to visually verify.
  9. Reformat the drive for reuse.

If booting from DOS USB or using HDDErase does not appear to be possible, try:

  1. Try disabling AHCI in the BIOS and try again.
  2. Use the http://gparted.org/livecd.php, open a Terminal, LXTerminal, or similar command-prompt window, and directly use the hdparm utility instead: https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase

    1. Manually remove HPA if it exists.
    # hdparm -N /dev/sdX
    (If "HPA is enabled", read second value in "max sectors" line shown): # hdparm -N p[max-sectors] /dev/sdX

    2. Manually remove DCO if it exists (non-Thinkpads only):
    NOTE: DO NOT REMOVE DCO ON THINKPADS.
    a. Check the number of sectors against the number noted above.
    # hdparm --dco-identify /dev/sdX
    b. If the --dco-identify sector count does not match the second -N number, remove the DCO.
    # hdparm --dco-restore /dev/sdX # hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdX

    3. Check if the drive is frozen, and attempt to unfreeze it.
    # hdparm -I /dev/sdX | egrep -i frozen
    If it is, unfreeze it by temporarily suspending the system.
    # pm-suspend
    Then wake the system up (press a key, tap the power button, etc.). The drive should now be unfrozen.
    # hdparm -I /dev/sdX | egrep -i frozen

    4. Initiate the Secure Erase command:
    a. First, set a security password (required to wipe the drive).
    # hdparm --user-master u --security-set-pass password /dev/sdX
    b. Then erase the drive.
    - Option 1: simple erase (zeroes):
    # time hdparm --user-master u --security-erase password /dev/sdX
    - Option 2: enhanced erase (predetermined patterns, including bad/reallocated sectors): # time hdparm --user-master u --security-erase-enhanced password /dev/sdX


If it is an SSD, and will be repurposed, either activate full-disk encryption:

Option 1 - Encrypt the drive:

  1. Enter the system BIOS.
  2. Go to the Security area.
  3. Enable "HDD password" or "hard drive password". This enables internal hardware-based FDE (Full Disk Encryption).
  4. Set a password for the device of at least 25 random upper, lower, number, and special characters.
  5. Allow the drive to be encrypted.
  6. Disable the hard drive password.
  7. Reformat the drive for reuse.

Option 2 - Use hdparm to invoke SATA "Secure Erase":

  1. Use the SATA "Secure Erase" feature as described above. On SSD, this should be implemented under the hood as encryption of the entire drive, followed by overwriting of the key.
  2. Reformat the drive for reuse.

If it is a drive already using Bitlocker:

  1. Remove BitLocker. Bitlocker encrypts SMART and the Secure Erase command cannot be issued until BitLocker is removed.

If it is a cellphone or other mobile device that supports full-disk encryption:

  1. Enter the device configuration in the security area.
  2. Set a password for the device of at least 16 random upper, lower, number, and special characters.
  3. Enable encryption of the device.
  4. Perform a factory restore of the device.
  5. Reformat the external storage.

If it is a USB, MicroSD, Compact Flash, or other flash-based device not directly accessible using a PATA or SATA interface (not a hard drive):

  1. Be aware that fully erasing USB devices that do not support hardware full-disk encryption is not currently possible. This is a best-effort method.
  2. Use Disk Wipe to wipe the device. http://www.diskwipe.org/
  3. Write the entire drive with a value, and then again with its complement.
    For example, first all zeroes:
    shred -n 1 --random-source=/dev/zero -u -v /dev/mydev
    ... and then all 1s (FF):
    perl -e '$s="$s\xFF" while length($s)<512; print $s while 1' | dd of=/dev/mydev
  4. Consider physically destroying the device.

If the drive is failing and you are having problems erasing it:

  1. Use ddrescue's --fill-mode option to wipe what you can.
  2. Example: first, analyze (will create image): ddrescue -f -n /dev/bad_drive /path/to/temp.img ddrescue-logfile
  3. Then zero the good sectors: ddrescue --fill-mode=+ --force /dev/zero /dev/bad_drive ddrescue-logfile
  4. Note that under some Linuxes, ddrescue is provided by the gddrescue package.

If not repurposing the device:

  1. If time is available, for additional assurance, perform the appropriate procedure above.
  2. Use a commercial drive magnet system to magnetize the device.
  3. Physically destroy the device.

References

Supporting information

Definitive paper and tool by Gordon Hughes, whose work was funded by NSA, incorporated into the ATA standard at his request and referenced in NIST 800-88. HDDErase v3.3 detects if HPA or DCO areas exist, and prompt the user to erase them:

"Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as the freeware HDDErase downloadable here. It executes the Federally-approved (NIST 800-88) Secure Erase command in the ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB."

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1

Related: Preparing a Mac for resale or donation (Sierra edition)

Sandpaper, a sledgehammer, and thermite may also be expedient. ;)


Royce Williams
Tech Solvency