Deleting An SSD With ATA Security Erase

In this final part of my mini-series on disk and SSD passwords that require interaction over the ATA protocol, I’d quickly like to say a few words about another interesting feature that I have previously missed: securely erasing a device.

So far I’ve been using command line programs such as shred to (more or less) securely delete data on USB sticks, SSDs and disk drives. The catch with these high-level programs is, however, that potentially not all data is deleted. In particular, data in spare blocks is not reachable from the logical layer, so there might be some leftovers. These are hard to get to from the outside, however. Be that as it may, it was the best I had found so far. But now I’ve stumbled over the ‘security erase’ capability of the drives themselves, which can be invoked with hdparm. It doesn’t work for USB sticks, as they don’t use the ATA protocol, but it does work for hard disks and SSDs on a SATA bus or over a USB to SATA converter that supports the UAS protocol.

Whether a drive supports security erase can be queried with hdparm as follows:

sudo hdparm -I /dev/sdb

[...]

Security:

[...]

60min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

The drive even reports how long the security erase procedure will take. The example above is from a rather old 320 GB hard disk which requires 60 minutes to delete all data. I gave it a go and indeed, it took almost 60 minutes to do the job. A current 3.5″ 4 TB drive announced that the deletion process would take 720 minutes, i.e. around 12 hours.

Some SSDs on the other hand only require a few minutes to securely erase all data. That’s because they either just delete the encryption key that is used to encrypt all data on the drive (e.g. Samsung) or the SSDs just delete their logical to physical mapping and allocation table.

How secure each of these security erase procedures really is, is difficult to tell, as everything is proprietary and done inside the drive. But perhaps a combination of ATA secure erase followed by a pass with shred should be good enough for most purposes.

And here’s the command sequence to run the secure erase procedure. In a first step a disk password needs to be set. In the next step the secure erase procedure is started which requires the password just set. At the end of the procedure the password protection is removed again so the disk is accessible without entering a password.

# sudo hdparm --user-master u --security-set-pass Eins /dev/sdb

# Output:
/dev/sdb:
 Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high

# sudo time hdparm --user-master u --security-erase Eins /dev/sdb
# Then wait...
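Before setting the password it is worth checking the Security block of the `hdparm -I` output mechanically. The script below is an added example, not part of the original post: it parses that block and reports whether an erase can be started and how long the drive says it will take. The function names and the sample text are constructed for illustration, and the "frozen" check reflects the fact that a drive in the frozen state rejects security commands.

```shell
#!/bin/sh
# Added example: pre-flight check on the "Security:" block of `hdparm -I`.
# SAMPLE is constructed for illustration (spaces instead of hdparm's tabs).
SAMPLE='ATA device, with non-removable media
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    60min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Print only the indented lines that follow the "Security:" header.
security_section() {
    awk '/^Security:/ {on=1; next} on && /^[^ \t]/ {on=0} on'
}

# flag_state NAME: "yes"/"no" for supported, enabled, locked or frozen.
flag_state() {
    awk -v f="$1" '
        { neg = ($1 == "not"); name = neg ? $2 : $1; sub(/:.*/, "", name) }
        name == f && !seen { print (neg ? "no" : "yes"); seen = 1 }
        END { if (!seen) print "unknown" }'
}

# Minutes the drive announces for the normal (non-enhanced) erase.
erase_minutes() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
}

# preflight: read `hdparm -I` output on stdin; return 0 if an erase can start.
preflight() {
    sec=$(security_section)
    state() { printf '%s\n' "$sec" | flag_state "$1"; }
    [ -n "$sec" ] || { echo "no Security section (not an ATA device?)"; return 1; }
    [ "$(state supported)" = yes ] || { echo "security feature set not supported"; return 1; }
    [ "$(state frozen)" = no ] || { echo "drive is frozen, security commands will fail"; return 1; }
    [ "$(state enabled)" = no ] || { echo "a password is already set"; return 1; }
    echo "ready, estimated $(printf '%s\n' "$sec" | erase_minutes) min"
}

printf '%s\n' "$SAMPLE" | preflight   # real use: sudo hdparm -I /dev/sdX | preflight
```
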

For more details have a look here.