5

Supposedly there is some built-in hard drive magic called "Secure Erase" which is wildly faster and more secure than "dd if=/dev/zero..."

I am most excited about the speed increase.

There seems to be a GUI for it as part of Parted Magic: http://www.ocztechnologyforum.com/forum/showthread.php?81321-Secure-Erase-With-bootable-CD-USB-Linux..-Point-and-Click-Method

Is there something like this for Ubuntu? Better yet, is there a way to actually issue this command "manually" like with smartctl or something?

Mikey
  • 185
  • While this is a great function, which most modern hard drives support, it is NOT supported on all platforms. Sometimes it is the controller (or logical addressing), and for some platforms the BIOS does NOT support (or blocks) the 'SecureErase' command (to prevent malicious usage). SEE: http://cmrr.ucsd.edu/people/Hughes/HDDEraseReadMe.txt – david6 Nov 21 '11 at 21:20
  • Another good reason to use it is to tell the firmware of modern solid state drives that the data currently existing on the disk is no longer needed. This can improve performance. – Marius Gedminas Jul 22 '12 at 11:34
  • @LiveWireBT the user did not say he/she was using an SSD – Richard Oct 15 '14 at 23:31
  • @Richard No, s/he asked how to run ATA Secure Erase and even the solution is the same. The difference in performing ATA Secure Erase on an SSD and an HDD would probably be just a difference in the time the process takes to complete. – LiveWireBT Oct 16 '14 at 00:16

1 Answer

5

Secure Erase is part of the ATA standard and it is supported by the stock-standard hdparm program:

  ATA Security Feature Set

These switches are DANGEROUS to experiment with, and might not work with some kernels. USE AT YOUR OWN RISK.

--security-help Display terse usage info for all of the --security-* options.

--security-freeze Freeze the drive's security settings. The drive does not accept any security commands until next power-on reset. Use this function in combination with --security-unlock to protect drive from any attempt to set a new password. Can be used standalone, too. No other options are permitted on the command line with this one.

--security-unlock PWD Unlock the drive, using password PWD. Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch (default is "user" password). No other options are permitted on the command line with this one.

--security-set-pass PWD Lock the drive, using password PWD (Set Password) (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. Use the special password NULL to set an empty password. The applicable drive password is selected with the --user-master switch (default is "user" password) and the applicable security mode with the --security-mode switch. No other options are permitted on the command line with this one.

--security-disable PWD Disable drive locking, using password PWD. Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch (default is "user" password). No other options are permitted on the command line with this one.

--security-erase PWD Erase (locked) drive, using password PWD (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. Use the special password NULL to represent an empty password. The applicable drive password is selected with the --user-master switch (default is "user" password). No other options are permitted on the command line with this one.

--security-erase-enhanced PWD Enhanced erase (locked) drive, using password PWD (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch (default is "user" password). No other options are permitted on the command line with this one.

--user-master USER Specifies which password (user/master) to select. Defaults to user password. Only useful in combination with --security-unlock, --security-set-pass, --security-disable, --security-erase or --security-erase-enhanced.
      u  user password
      m  master password

--security-mode MODE Specifies which security mode (high/maximum) to set. Defaults to high. Only useful in combination with --security-set-pass.
      h  high security
      m  maximum security

      THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

For obvious reasons, I haven't tested those options; you'll need to see if they work yourself :)

Sergey
  • 43,665
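
The frozen and locked states described in the quoted options decide whether a drive will accept an erase at all, so it is worth checking them first. The following is an added example, not part of the original answer or of hdparm: it classifies the `Security:` block printed by `hdparm -I` and only prints the commands that would follow. The function names, the `/dev/sdX` placeholder and the sample text are constructed, and the block layout is assumed to match the sample.

```shell
#!/usr/bin/env bash
# Added example. Reads `hdparm -I` text on stdin and classifies the drive's
# ATA security state; it never touches a device.
ata_security_state() {
  awk '
    /^Security:/        { insec = 1; next }
    insec && /^[^ \t]/  { insec = 0 }      # next unindented header ends the block
    !insec              { next }
    {
      neg = ($1 == "not"); w = neg ? $2 : $1
      if      (w == "supported") sup = !neg
      else if (w == "enabled")   ena = !neg
      else if (w == "locked")    loc = !neg
      else if (w == "frozen")    fro = !neg
    }
    END {
      if      (!sup) print "unsupported"
      else if (fro)  print "frozen"        # no security command until power-on reset
      else if (loc)  print "locked"        # needs --security-unlock first
      else if (ena)  print "password-set"  # a user password already exists
      else           print "ready"
    }'
}

# Print (never run) the hdparm commands for a given state.
# $1 = state, $2 = device, $3 = user password (new if ready, existing otherwise).
erase_plan() {
  case "$1" in
    ready)
      printf 'hdparm --user-master u --security-set-pass %s %s\n' "$3" "$2"
      printf 'hdparm --user-master u --security-erase %s %s\n' "$3" "$2" ;;
    password-set)
      printf 'hdparm --user-master u --security-erase %s %s\n' "$3" "$2" ;;
    *) echo "refusing: drive is $1" >&2; return 1 ;;
  esac
}

# Constructed sample of the Security section, for offline testing.
# $1 = "not" for an unfrozen drive, "" for a frozen one.
sample_identify() {
  printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n'
  printf '\tnot\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1"
  printf '\t\tsupported: enhanced erase\nChecksum: correct\n'
}
```

On a real system the input would come from `hdparm -I /dev/sdX | ata_security_state`, run as root against the drive to be wiped.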