Erasing Persistent Storage Securely on Linux








Here are some notes on how to securely delete computer data in a way that makes it impractical for anybody to recover that data. This is an important thing to do before giving away (or throwing away) old disks.

Ideally though, it's better not to have to rely on secure erasure and to start using full-disk encryption right from the start, for example, using LUKS. That way if the secure deletion fails for whatever reason, or can't be performed (e.g. the drive is dead), then it's not a big deal.

Rotating hard drives

With ATA or SCSI hard drives, DBAN seems to be the ideal solution. Burn it on CD, boot with it, and follow the instructions. Note that you should disconnect any drives you don't want to erase before booting with that CD.

This is probably the most trustworthy method of wiping since it uses free and open source software to write to each sector of the drive several times. The methods that follow rely on proprietary software built into the firmware of the devices and so you have to trust that it is implemented properly and not backdoored.

ATA / SATA solid-state drives

Due to the nature of solid-state storage (i.e. the lifetime number of writes is limited), it's not a good idea to use DBAN for those. Instead, we must rely on the vendor's implementation of ATA Secure Erase.

First, set a password on the drive:

    hdparm --user-master u --security-set-pass p /dev/sdX

and then issue a Secure Erase command:

    hdparm --user-master u --security-erase-enhanced p /dev/sdX

If you get errors like "bad/missing sense data", then you may need to use one of the tricks described in this thread. For me, suspending the laptop and then waking it up did the trick.

NVMe solid-state drives

For SSDs using an NVMe connector, simply request a User Data Erase:

    nvme format -s1 /dev/nvme0n1
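Added example (not part of the original notes): a pre-flight check for the ATA / SATA procedure above. It reads the Security section of `hdparm -I /dev/sdX` output and reports whether the drive is in a state where the password and erase commands can be accepted; a drive reported as frozen rejects them until it is power-cycled. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Security section of `hdparm -I` output (stdin)
# before running the set-pass / erase commands.

ata_erase_preflight() {
    awk '
        /^Security:/       { insec = 1; next }   # section header
        insec && /^[^ \t]/ { insec = 0 }         # next unindented header ends it
        insec {
            # collapse the tab-aligned columns so "not<TAB>frozen" is one phrase
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
            if      ($0 == "supported")                 feature  = 1
            else if ($0 == "frozen")                    frozen   = 1
            else if ($0 == "locked")                    locked   = 1
            else if ($0 == "enabled")                   enabled  = 1
            else if ($0 == "supported: enhanced erase") enhanced = 1
        }
        END {
            if      (!feature)  print "unsupported"    # no ATA security feature set
            else if (frozen)    print "frozen"         # drive rejects security commands
            else if (locked)    print "locked"         # needs the existing password
            else if (enabled)   print "password-set"   # a user password already exists
            else if (!enhanced) print "no-enhanced"    # only --security-erase available
            else                print "ready"
        }'
}

# Constructed sample of the relevant part of `hdparm -I`; $1 is the frozen
# line ("\tfrozen" or "not\tfrozen"), so both states can be exercised offline.
sample_identify() {
    printf 'Commands/features:\n\t   *\tSMART feature set\n'
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n'
    printf '\t%b\n' "$1"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

# Real use (as root): hdparm -I /dev/sdX | ata_erase_preflight
```

Only proceed with the two hdparm security commands when the verdict is `ready`; any other verdict names the state to resolve first.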