ATA Secure Erase

From ata Wiki


This procedure describes how to use the hdparm command to issue a Secure Erase ATA instruction to a target storage device. When a Secure Erase is issued against an SSD, all its cells will be marked as empty, restoring it to factory default write performance.

DISCLAIMER: This will erase all your data, and will not be recoverable by even data recovery services.

DISCLAIMER: If you hit kernel or firmware bugs (which are plentiful with not widely-tested features such as ATA Secure Erase) this procedure might render the drive unusable or crash the computer it's running on.

To successfully issue an ATA Security Erase command you need to first set a user password. This step is omitted from almost all other sources which describe how to secure erase with hdparm.

The example output shown is from an INTEL X25-M G1 80GB SSD running 8820 firmware. It was run from an Ubuntu 9.04 32-bit (Jaunty) Live CD booted from a USB flash drive.


Step 1 - Make sure the drive Security is not frozen:

Issue the following command, where "X" matches your device (eg. sda).

hdparm -I /dev/X

Step 1a - Command Output (should display "not frozen"):

If the command output shows "frozen" you cannot continue to the next step. Most BIOSes block (do not allow) the ATA Secure Erase command: they issue a "SECURITY FREEZE" command to "freeze" the drive before booting an operating system. Your BIOS may (but most likely does not) have a switch to disable the security freeze.

A possible solution for SATA drives is to hot-(re)plug the data cable (this might crash your kernel). If hot-(re)plugging the SATA data cable crashes the kernel, try letting the operating system fully boot up, then quickly hot-(re)plug both the SATA power and data cables.

It has been reported that connecting the drive through an eSATA SIIG ExpressCard/54 with an eSATA enclosure leaves the drive security state at "not frozen".

Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Step 2 - Enable security by setting a user password:

WARNING: When the user password is set the drive will be locked after next power cycle (the drive will deny normal access until unlocked with the correct password).

Step 2a - Set a User Password:

Any password will do, as this should only be temporary. After the secure erase the password will be set back to NULL. For this procedure we'll use the password "Eins".

hdparm --user-master u --security-set-pass Eins /dev/X

Step 2a - Command Output:

security_password="Eins"

/dev/sdd: Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high

Step 2b - Make sure it succeeded, execute:

hdparm -I /dev/X

Step 2b - Command Output (should display "enabled"):

Security: 
       Master password revision code = 65534
               supported
               enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       Security level high
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Step 3 - Issue the ATA Secure Erase command:

time hdparm --user-master u --security-erase Eins /dev/X

Step 3 Command Output:

Wait until the command completes. This example output shows it took about 40 seconds for an Intel X25-M 80GB SSD, for a 1TB hard disk it might take 3 hours or more!

security_password="Eins"

/dev/sdd: Issuing SECURITY_ERASE command, password="Eins", user=user
0.000u 0.000s 0:39.71 0.0% 0+0k 0+0io 0pf+0w

Step 4 - The drive is now erased! Verify security is disabled:

After a successful erasure the drive security should automatically be set to disabled (thus no longer requiring a password for access). Verify this by running the following command:

hdparm -I /dev/X

Step 4 - Command Output (should display "not enabled"):

Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
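The procedure above hinges on reading the "Security:" section of hdparm -I correctly at three points: not frozen before Step 2, enabled after Step 2, and not enabled again after the erase. The following POSIX shell script is an added example (not from the ata Wiki or from hdparm itself) that parses that section and classifies the drive state, so a script driving the steps can stop before issuing a command the drive will reject (for example the "not enabled" failure in the Known issues section). It assumes only the layout shown on this page: a "Security:" header at column 0 followed by indented entries, with "not" prefixing cleared flags. The sample listings are constructed from the page's output; the "Checksum: correct" trailer in the first one stands in for whatever non-indented line follows the section in real output.

```shell
#!/bin/sh
# Added example (not from the ata Wiki): classify a drive's ATA security
# state from `hdparm -I` output so each step can be checked before the next.

# security_flag FLAG: read `hdparm -I` output on stdin and print "yes" if the
# Security section lists FLAG (e.g. "frozen"), "no" if it lists "not FLAG",
# or "unknown" if the flag does not appear in the section at all.
security_flag() {
    awk -v flag="$1" '
        /^Security:/ { insec = 1; next }
        # the section ends at the next line that is not indented
        insec && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" { insec = 0 }
        insec && $1 == "not" && $2 == flag { print "no";  found = 1; exit }
        insec && $1 == flag               { print "yes"; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# drive_state OUTPUT: map `hdparm -I` output to one of
#   frozen        Step 1 cannot proceed (the BIOS issued SECURITY FREEZE)
#   locked        a password is set and the drive was power-cycled
#   password-set  Step 2 succeeded; Step 3 may be issued
#   ready         security not enabled: before Step 2, or after a
#                 successful erase (the expected Step 4 result)
drive_state() {
    frozen=$(printf '%s\n' "$1" | security_flag frozen)
    locked=$(printf '%s\n' "$1" | security_flag locked)
    enabled=$(printf '%s\n' "$1" | security_flag enabled)
    if   [ "$frozen"  = "yes" ]; then echo frozen
    elif [ "$locked"  = "yes" ]; then echo locked
    elif [ "$enabled" = "yes" ]; then echo password-set
    elif [ "$enabled" = "no"  ]; then echo ready
    else echo unknown
    fi
}

# Constructed sample: Step 1 output of a drive that is ready for Step 2
# (the trailing "Checksum:" line stands in for the next hdparm section).
SAMPLE_READY='Security:
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Constructed sample: Step 2b output after the user password was set.
SAMPLE_PASSWORD_SET='Security:
       Master password revision code = 65534
               supported
               enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       Security level high
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: a drive the BIOS froze at boot (Step 1a failure case).
SAMPLE_FROZEN='Security:
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
               frozen
       not     expired: security count
               supported: enhanced erase'

# Demonstration on the constructed samples. To check a real drive, pass the
# live output instead:  drive_state "$(hdparm -I /dev/X)"
for s in "$SAMPLE_READY" "$SAMPLE_PASSWORD_SET" "$SAMPLE_FROZEN"; do
    echo "state: $(drive_state "$s")"
done
```

A wrapper for the procedure would refuse to run Step 2 unless drive_state reports "ready", refuse Step 3 unless it reports "password-set", and treat anything other than "ready" after the erase as a failure that leaves the temporary password in place (the drive will then show "locked" after the next power cycle, as the Step 2 warning notes).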

Known issues:

Executing security erase without setting a password

Some variations of this are spread across various Internet sources. It does not work because security is "not enabled" (see the hdparm output below).

hdparm --user-master u --security-erase NULL /dev/X

security_password=""

/dev/sdd: Issuing SECURITY_ERASE command, password="", user=user
ERASE_PREPARE: Input/output error

Error: 25

With some distributions, setting a password does not work:

hdparm --user-master u --security-set-pass Eins /dev/X

/dev/sdd: Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high
Problem issuing security command: Inappropriate ioctl for device
Error: 25

Compiling the latest hdparm from http://sourceforge.net/projects/hdparm/ resolved this problem on CentOS 5 x86_64.

Alternative ATA Secure Erase Tools

HDDErase

This freeware DOS tool can also perform an ATA Secure Erase, although controller support is spotty at best.
