securely wiping drives

Todd Millecam tyggna at gmail.com
Mon Dec 15 22:36:44 MST 2014


So, the hdparm --security-erase will work on an HDD, but how it wipes is
left up entirely to the hard drive manfuacturer.  Most of them will just
zero out your drive once and call it good and some forensic specialists
will be able to recover data from that (but only the ones that charge,
like, $900/hour or are on government payroll).  If your drive supports
drive-level encryption, then regardless of it being an SSD or HDD, then
this is the best way to go, as it'll just wipe the key and none of the data
will be recoverable.

After the erase, the password is gone so no worries there.  It's a good
idea to set the password because a lot of firmwares/bioses will freeze the
drive security settings after boot without one (Lenovo, Dell, HP to name a
few).  If you get an I/O error running hdparm commands, then do hdparm -I
and look for the text "        frozen" which means your bios is freezing
that functionality on the hard drive immediately after boot.



On Mon, Dec 15, 2014 at 10:12 PM, der.hans <PLUGd at lufthans.com> wrote:
>
> moin moin,
>
> the dban threads have a few good pieces of advice, so I thought I'd throw
> them together. I'll also add what I can remember from last month's
> discussion on electronics donations since we covered drive wipes there as
> well.
>
> @ spinning disks:
>
> use wipe or shred
>
> Todd gave the following command line, be sure to specify the correct disk:
>
> $~ shred -zn10 /dev/sda
>
> As Stephen found out the hard way, dban wipes all drives it can find
> including the boot drive.
>
> During the discussion at the meetings encryption came up, someone
> suggested a couple of rounds of random data, encrypting the entire drive,
> filling the entire encrypted filesystem, then running wipe or shred to
> erase the drive. Note that this procedure will take a long time.
>
> @ solid state devices
>
> Todd pointed out the following commands:
>
> $~ hdparm --user-master u --security-set-pass PasSWorD /dev/sda  #sets
> up security on the drive
>
> $~ hdparm --user-master u --security-erase PasSWorD /dev/sda # the point
> of no return delete everything on your SSD drive command
>
> The man page says you can use "the special password  NULL  to  represent
> an  empty password". After the erase with a password set is the password
> still set?
>
> Do we actually need to do the security-erase for spinning disks as well?
> All modern drives lie about their size and hide blocks in order to be able
> to replace bad blocks rather than failing if a block here or there goes
> bad.
>
> ciao,
>
> der.hans
> --
> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
> #  "The only thing that interferes with my learning is my education."
> #   -- Albert Einstein
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>


-- 
Todd Millecam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20141215/3700e306/attachment.html>


More information about the PLUG-discuss mailing list