So, the hdparm --security-erase will work on an HDD, but how it wipes is left up entirely to the hard drive manfuacturer.  Most of them will just zero out your drive once and call it good and some forensic specialists will be able to recover data from that (but only the ones that charge, like, $900/hour or are on government payroll).  If your drive supports drive-level encryption, then regardless of it being an SSD or HDD, then this is the best way to go, as it'll just wipe the key and none of the data will be recoverable.

After the erase, the password is gone so no worries there.  It's a good idea to set the password because a lot of firmwares/bioses will freeze the drive security settings after boot without one (Lenovo, Dell, HP to name a few).  If you get an I/O error running hdparm commands, then do hdparm -I and look for the text "        frozen" which means your bios is freezing that functionality on the hard drive immediately after boot.



On Mon, Dec 15, 2014 at 10:12 PM, der.hans <PLUGd@lufthans.com> wrote:
moin moin,

the dban threads have a few good pieces of advice, so I thought I'd throw
them together. I'll also add what I can remember from last month's
discussion on electronics donations since we covered drive wipes there as
well.

@ spinning disks:

use wipe or shred

Todd gave the following command line, be sure to specify the correct disk:

$~ shred -zn10 /dev/sda

As Stephen found out the hard way, dban wipes all drives it can find
including the boot drive.

During the discussion at the meetings encryption came up, someone
suggested a couple of rounds of random data, encrypting the entire drive,
filling the entire encrypted filesystem, then running wipe or shred to
erase the drive. Note that this procedure will take a long time.

@ solid state devices

Todd pointed out the following commands:

$~ hdparm --user-master u --security-set-pass PasSWorD /dev/sda  #sets
up security on the drive

$~ hdparm --user-master u --security-erase PasSWorD /dev/sda # the point of no return delete everything on your SSD drive command

The man page says you can use "the special password  NULL  to  represent
an  empty password". After the erase with a password set is the password
still set?

Do we actually need to do the security-erase for spinning disks as well?
All modern drives lie about their size and hide blocks in order to be able
to replace bad blocks rather than failing if a block here or there goes
bad.

ciao,

der.hans
--
http://www.LuftHans.com/        http://www.PhxLinux.org/
#  "The only thing that interferes with my learning is my education."
#   -- Albert Einstein
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss


--
Todd Millecam