If running Linux, what command should be run? Shred isn’t viable on an SSD, as it will only tear them down. Shred was designed with HDD in mind.
@krash @skullgiver
If the value of the compromised data exceeds the value of the drive, destroy the drive.
If you’re on a desktop or laptop, you should check the disk/partition manager tooling and see if there’s a button to do this for you. In Gnome, for example, it’s in Disks > three dots > Format Disk > Erase: secure erase. I’m sure KDE and other desktop environments with a complete suite of tools will also have something like this. If you find this option greyed out, check the instructions in the wiki article I link below about unlocking the drive. If it’s not there, there may be another GUI tool, or you could use the command line version.
If you’re going command line, the exact procedure depends on the disk.
SATA disks
Based on the Arch wiki
Step 1: check if the disk is frozen
Run
sudo hdparm -I /dev/sdX | grep frozen
(replace X with the drive name, of course, or use /dev/disk/by-* if you don’t know the right letter; should work with all of these commands) to check if it’s frozen. It should say “not frozen”; if it says “frozen”, put the computer to (S3) sleep and wake it again. That should usually do it.
Step 2: set a password
Simply put:
sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX
Don’t reboot without finishing all steps; some hardware is funky. Remember this password.
Step 3: wipe the drive
sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX
This can take a minute, or it can take half an hour (less likely); don’t interrupt the process, and definitely don’t turn off the computer.
Step 4: remove the password
To make sure people in the future can wipe the drive again, check if there’s still a password. Run
sudo hdparm -I /dev/sdX
and check for “not enabled” below “password”. If it’s still enabled, try running
sudo hdparm --user-master u --security-disable PasSWorD /dev/sdX
With a password set, you will need to unlock the drive with the password you configured before the drive can be used, and most operating systems can’t deal with that automatically.
NVMe disks
Based on the same wiki article. Use /dev/nvmeX for the device specification, not /dev/nvmeXnY, and obviously substitute the device you actually want to wipe. You should be able to use paths like
/dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM
as well, in case you don’t know the exact device name.
Step 1: find capabilities
sudo nvme id-ctrl /dev/nvmeX -H | grep -E 'Format |Crypto Erase|Sanitize'
to find if the device supports formatting or sanitizing.
Step 2.1: formatting
Simply put:
sudo nvme format /dev/nvmeX -s 2 -n 0xffffffff
to do a cryptographic erase. 0xffffffff will erase all namespaces, if multiple namespaces are supported; this is a bit mask, so you can select multiple individual namespaces if you want. If you don’t know what that means, just erase them all, or use 1 instead of 0xffffffff if the command errors out.
Step 2.2: sanitizing
First run
sudo nvme sanitize-log /dev/nvmeX
to check how long it’ll take, in estimated seconds, for a block erase or a crypto erase to finish, to help you estimate how long you’ll need to leave the computer on.
Step 2.2.a: cryptographic erase
sudo nvme sanitize /dev/nvmeX -a start-crypto-erase
will do a cryptographic erase. This should be pretty quick.
Step 2.2.b: block erase
sudo nvme sanitize /dev/nvmeX -a start-block-erase
will do a block erase. This can take multiple minutes, maybe longer, depending on your drive and its speed.
Secure discard
There’s also a tool called blkdiscard that can tell an SSD to securely discard blocks, if the device supports it. Something like
sudo blkdiscard --secure /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM
or
sudo blkdiscard --secure /dev/disk/by-id/ata-Samsung_SSD_789_EVO_M.2_9999GB_ABCDEFGHIJLM
should work for those.
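As an added example (not from the post or the Arch wiki), a POSIX shell pre-flight for the SATA steps above: it parses the Security section of hdparm -I output to catch the two failure modes the post mentions (a frozen drive, and a password left enabled after step 4) and reads the erase-time estimate. The hdparm output sample is constructed, and the secure_erase wrapper is hypothetical and is not run here.

```shell
# Pre-flight for the hdparm steps above, parsing the "Security:" section of `hdparm -I`
# output; hdparm prints flags as "not<TAB>frozen" / "<TAB>frozen", so patterns match any whitespace.

# Print only the indented lines belonging to the "Security:" section.
security_section() {
    printf '%s\n' "$1" | awk '/^Security:/ {s=1; next} s && /^[^[:space:]]/ {s=0} s'
}

# security_flag FLAG OUTPUT -> "not", "set" or "absent" (FLAG: frozen, enabled, locked)
security_flag() {
    sec=$(security_section "$2")
    if printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*not[[:space:]]+$1([[:space:]]|$)"; then
        echo not
    elif printf '%s\n' "$sec" | grep -Eq "^[[:space:]]+$1([[:space:]]|$)"; then
        echo set
    else
        echo absent
    fi
}

# Minutes the drive reports for SECURITY ERASE UNIT (empty when not parseable).
erase_minutes() {
    security_section "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
}

# preflight OUTPUT -> 0 when steps 2 and 3 can proceed, 1 plus a reason otherwise.
preflight() {
    case "$(security_flag frozen "$1")" in
        set)    echo "frozen: suspend (S3) and resume, then retry"; return 1 ;;
        absent) echo "no Security section: drive does not report ATA security"; return 1 ;;
    esac
    if [ "$(security_flag enabled "$1")" != not ]; then
        echo "a security password is already enabled: disable it first"; return 1
    fi
    echo "ok: erase estimated at $(erase_minutes "$1") min"
}

# Hypothetical wrapper over the four steps (not from the post). Needs root;
# never point it at the disk the running OS booted from.
secure_erase() {
    preflight "$(hdparm -I "$1")" || return 1
    hdparm --user-master u --security-set-pass "$2" "$1" &&
    hdparm --user-master u --security-erase "$2" "$1" &&
    [ "$(security_flag enabled "$(hdparm -I "$1")")" = not ]   # step 4: password gone
}
# Constructed sample (not captured from a real drive) in hdparm -I layout, plus a frozen variant.
SAMPLE_READY=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\t2min for SECURITY ERASE UNIT.\nChecksum: correct')
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/not[[:space:]]*frozen/frozen/')
```

Run `preflight "$(sudo hdparm -I /dev/sdX)"` before step 2; it refuses when the drive is frozen or still has a password enabled, the two states that make the hdparm commands fail or leave the disk unusable.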