
Wiping an SSD: where to begin?


If it's an SSD, there will likely be a manufacturer tool for performing a secure erase. SSDs have a specific "Secure Erase" function that applies voltage and clears the drive in one go. That saves writing 7 passes over the drive, reducing wear on it. But as ever, check that it meets your requirements for secure wiping!

I'll have to check with Dell then!


Agreed, with wear leveling you are also not guaranteed to wipe the drive even with multiple passes with the old zeroing methods like DBAN.

Secure erase is the way to go with SSDs, and Parted Magic's utility does a good job simplifying that process.

  • Use "SATA Sanitize" (newest) or "SATA Secure Erase" on any device that supports them. This has the major benefit of being very fast, because of the way it works.

  • 7 passes is for people reading DoD standards from the late 1980s. We do one zeroing pass with badblocks and you're not getting any data from that hardware. If you need more than this, then one random pass and one zeroing pass, but it's really overkill.

Ya, for SSD I tend to go with the device's supported erase and then at least one full pass of writes just in case the vendor doesn't do their implementation properly (ya, it might not get all the blocks but it's better than nothing). Also, I'm not really worried about the lifetime of the drive if I'm at the point of wiping a drive, so full writes aren't a concern.


Always wipe front to back


This is the procedure we use to partially meet NIST SP 800-88 Level 2 (required for media storing information classified up to the secret level, they're not exactly clear on that).

First get a computer running your favorite flavor of Debian; you can use an installer USB to run it "live" without installing it.

For NVMe drives:

  1. apt install nvme-cli

  2. nvme list

  3. nvme format -s1 /dev/{device identifier}

For SATA drives:

  1. hdparm -I /dev/[device identifier]

  2. hdparm --user-master u --security-set-pass temptemp /dev/[device identifier]

  3. time hdparm --user-master u --security-erase temptemp /dev/[device identifier]

Note: NIST SP 800-88 requires a validation pass, and specifies a methodology. We use this procedure for drives that are going to be reused, so we didn't develop a validation method.
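A validation pass of the kind the comment above mentions could be a sampling read-back like the following. This is an added example, not part of the original comment, and it is not presented as the methodology NIST SP 800-88 specifies. It assumes an erased drive reads back as all 0x00 or all 0xFF, which depends on the drive; the function names, block size and sample count are illustrative.

```python
import os
import random

BLOCK = 4096  # bytes per sample (assumption: a multiple of the sector size)


def sample_offsets(size, count, rng):
    """Block-aligned offsets: first and last block always, the rest random."""
    blocks = size // BLOCK
    if blocks == 0:
        return []
    picks = {0, blocks - 1}
    want = min(count, blocks)
    while len(picks) < want:
        picks.add(rng.randrange(blocks))
    return sorted(b * BLOCK for b in picks)


def verify_erased(path, samples=1000, seed=None):
    """Return offsets of sampled blocks that are not uniformly 0x00 or 0xFF."""
    rng = random.Random(seed)
    blank = (bytes(BLOCK), b"\xff" * BLOCK)  # assumed post-erase fill patterns
    dirty = []
    fd = os.open(path, os.O_RDONLY)
    try:
        # Seeking to the end gives the size for block devices and plain files.
        size = os.lseek(fd, 0, os.SEEK_END)
        for off in sample_offsets(size, samples, rng):
            if os.pread(fd, BLOCK, off) not in blank:
                dirty.append(off)
    finally:
        os.close(fd)
    return dirty


if __name__ == "__main__":
    import sys
    # Usage: python3 verify_erased.py /dev/<device identifier>
    bad = verify_erased(sys.argv[1])
    print(f"{len(bad)} sampled block(s) still hold data")
    sys.exit(1 if bad else 0)
```

Run it as root after the erase completes, ideally after a reboot or re-plug so reads come from the drive rather than from cached pages. A sample only covers what the host can address, so it cannot see spare or remapped flash blocks.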


There's a secure erase tool in the BIOS of basically all modern laptops. You mentioned Dell, it'll definitely have one in my experience. It's a little tricky tho, you basically have to confirm like 5 times and the last confirmation basically says "Do you wish to cancel" meaning you have to click no instead of yes.

DBAN is for HDDs.
