ATA Secure Erase

From ata Wiki
Revision as of 10:07, 24 November 2010 by TimSmall (Talk | contribs)

Jump to: navigation, search

This procedure describes how to use the hdparm command to issue a Secure Erase ATA instruction to a target storage device. When a Secure Erase is issued against a SSD drive all its cells will be marked as empty, restoring it to factory default write performance.

DISCLAIMER: This will erase all your data, and will not be recoverable by even data recovery services.

DISCLAIMER: If you hit kernel or firmware bugs (which are plenty with not widely-tested features such as ATA Secure Erase) this procedure might render the drive unusable or crash the computer it's running on.

WARNING: Do not attempt to do this through a USB interface! This procedure worked fine when I tried it on my X-25M through the SATA interface. When I tried it again later on the same drive through a USB adapter, it let me password protect the drive, but would not accept the SECURITY-ERASE command. I shut down the system, reconnected the drive to the SATA controller, and found that the drive was bricked - BIOS couldn't recognize it. I will update this warning if I find a way to un-brick the drive.

To successfully issue an ATA Security Erase command you need to first set a user password. This step is omitted from almost all other sources which describe how to secure erase with hdparm.

The example output shown is from an INTEL X25-M G1 80GB SSD running 8820 firmware. It was run from an Ubuntu 9.04 32-bit (Jaunty) Live CD booted from a USB flash drive.

Contents

Step 1 - Make sure the drive Security is not frozen:

Issue the following command, where "X" matches your device (eg. sda).

hdparm -I /dev/X

Step 1a - Command Output (should display "not frozen"):

If the command output shows "frozen" you cannot continue to the next step. Most BIOSes block (do no allow) the ATA Secure Erase command, they block it by issuing a "SECURITY FREEZE" command to "freeze" the drive before booting an operating system, your BIOS may (most likely not) have a switch to disable the security freeze.

A possible solution for SATA drives is hot-(re)plug the data cable (this might crash your kernel). If hot-(re)pluging the SATA data cable crashes the kernel try letting the operating system fully boot up, then quickly hot-(re)plug both the SATA power and data cables.

  • It has been reported that hooking up the drive to an eSATA SIIG ExpressCard/54 with an eSATA enclosure will leave the drive security state to "not frozen".
  • Placing my system into "sleep" (Clevo M865TU notebook) worked too---and this may reset other drives to "not frozen" as well.
Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Step 2 - Enable security by setting a user password:

WARNING: When the user password is set the drive will be locked after next power cycle (the drive will deny normal access until unlocked with the correct password).

Step 2a - Set a User Password:

Any password will do, as this should only be temporary. After the secure erase the password will be set back to NULL. For this procedure we'll use the password "Eins".

hdparm --user-master u --security-set-pass Eins /dev/X

Step 2a - Command Output:

security_password="Eins"

/dev/sdd: Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high

Step 2b - Make sure it succeeded, execute:

hdparm -I /dev/X

Step 2b - Command Output (should display "enabled"):

Security: 
       Master password revision code = 65534
               supported
               enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       Security level high
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Step 3 - Issue the ATA Secure Erase command:

time hdparm --user-master u --security-erase Eins /dev/X

Step 3 Command Output:

Wait until the command completes. This example output shows it took about 40 seconds for an Intel X25-M 80GB SSD, for a 1TB hard disk it might take 3 hours or more!

security_password="Eins"

/dev/sdd: Issuing SECURITY_ERASE command, password="Eins", user=user 0.000u 0.000s 0:39.71 0.0% 0+0k 0+0io 0pf+0w

Step 4 - The drive is now erased! Verify security is disabled:

After a successful erasure the drive security should automatically be set to disabled (thus no longer requiring a password for access). Verify this by running the following command:

hdparm -I /dev/X

Step 4 - Command Output (should display "not enabled"):

Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
       2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Known issues:

Executing security erase without setting a password

Some variations of this are spread on various Internet sources. It does not work because security is "not enabled" (see hdparm output below).

hdparm --user-master u --security-erase NULL /dev/X
security_password=""

/dev/sdd: Issuing SECURITY_ERASE command, password="", user=user ERASE_PREPARE: Input/output error

Error: 25

With some distributions setting a password does not work:

hdparm --user-master u --security-set-pass Eins /dev/X

/dev/sdd: Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high Problem issuing security command: Inappropriate ioctl for device Error: 25

Compiling the latest hdparm from http://sourceforge.net/projects/hdparm/ resolved this problem on CentOS 5 x86_64.

Command timeout during erase with larger drives

hdparm prior to version 9.31 hard-coded the time-out for the erase command to be 2 hours. If your drive takes longer than 2 hours to security-erase, then it will be reset part-way through the erase command.

If your drive reports that it needs longer than 120 minutes to perform the security erase operation, then you should ensure that you are using version 9.31 or newer.

Alternative ATA Secure Erase Tools

HDDErase

The freeware DOS tool can also perform a ATA Secure Erase, although controller support is spotty at best.

Personal tools