2020-06-04

How to erase your SSD / HDD using hdparm

I recently had to ship some (used) drives back to the manufacturer. Even though I'm pretty sure the drives will be erased first thing, and even though they were used in a RAID (actually SHR2) set holding an encrypted volume, so that recovering anything from them without my help would be hard if not impossible, I'm still never too keen on leaving my bits and bytes on drives that are out of my hands. Selling my laptop? Erase the drive. Recycling an old workstation? Erase the drive. Then use a hammer to whack a screwdriver through the drive, or "drop" (rather: throw) the drive on the ground a few times. You never know where a drive ends up and in whose hands.

Erasing your drives is a bit of a hassle, and there are several techniques, each with its own advantages and disadvantages. Most of it comes down to how securely the drive is erased (i.e. how much effort an adversary would need to put in to get some of your data back) versus how quickly it is erased. There's a trade-off, as you may expect.

Methods of erasing a drive

I won't go into the details but will skim over some options and finally explain why I did what I did.

There are many ways to erase a drive; the simplest is arguably a quick format. This doesn't actually delete any data but simply deletes the information required to locate files on the drive, effectively rendering the data 'erased'. There is, however, a plethora of tools available (hardware and software) to recover data. Depending on budget, how much the data is worth, what method of erasing was used, the expertise of the person/team doing the work etc., some (or maybe even all) of the data on a drive can be recovered. Data has been recovered from drives that were pulled from a fire or that had been lying at the bottom of the ocean for several years. Don't underestimate what sheer will (and incentive) can accomplish; you'd be very surprised!

Then there's the zero/one-fill, which overwrites the entire drive with either zeroes or ones, and the random fill, which overwrites all the data with random bits. Then there are the more sophisticated methods that combine zero/one/random fills with complement fills (that flip bits) or other creative ways to make sure the data is unrecoverable, usually over several passes. Honestly, the subject is quite complicated and there are lots of standards from many organisations that each define what/when/how to erase a drive 'securely' by their own definition of 'secure'. A good place to start if you want to know more on this topic is this wiki page.

The chosen method and my rationale behind it

A few important factors to consider when choosing your method of erasure are, among others:

  • What kind of data is on the drive: if you use the drive exclusively to store your Steam library and music library, then you probably won't mind someone being able to recover some or all of the data. But what if the drive contained your documents, your photos and videos, emails and other information that you want to keep to yourself?
  • How valuable is that data? Is it just a few games and some grocery lists, or would a three-letter agency kill for it? You need to determine where on that spectrum the data on your drive is; don't underestimate this though! Your data is worth more than you think and there are more baddies out there than you'd think.
  • Is the drive already encrypted? Maybe you used BitLocker, VeraCrypt, EFS or some other encryption method on it? This will make it harder to recover data as well.

Since my drives only held an encrypted volume anyway, I chose NOT to go overboard erasing them; doing a one 🡒 zero 🡒 random 🡒 complement erase with 5 or 10 passes would have been overkill and would have taken ages. Also, considering the 5 drives were part of a RAID (actually SHR2) set, each drive would only contain about 1/5th of each file on average (this is technically not quite true, but I'm trying to keep it short and simple here); you'd need all 5 drives and the correct settings to be able to recover anything anyway. And I'm assuming WD will erase the drives too before (re)selling them as refurbished or whatever they do with them.

So instead of using software to erase my drives I chose to have the drives erase themselves. Modern drives can implement a command set that includes a command to (securely) erase the drive. If you send a drive that command it will erase itself, without the operating system or any software doing the overwriting. However, you do need to trust that the vendor has implemented this command, and implemented it correctly. A manufacturer could simply make the drive do nothing for some period of time, appearing 'busy', and then tell the user it's "done". So this method does require you to trust the manufacturer. But, again, since my drives only contained an encrypted volume anyway, I didn't worry about it as much. Even if WD hadn't implemented the (secure) erase command, or the implementation was flawed, my data would still be very hard (maybe not quite impossible) to recover. It would take big bucks, a lot of expertise and time to recover anything from them, if anything at all. I was erasing the drives for my own peace of mind, and as a bit of a courtesy to WD maybe.

So here's what I did

I grabbed an old workstation I keep around for testing stuff (not connecting the drive(s) just yet!). I downloaded and burned a GParted Live CD and booted the system from it. The following might be a bit janky but it worked for me (YMMV): as you boot up, the HDD will at some point go into a "Frozen" state, as explained here. You can check this by running the following command in a terminal:
hdparm -I /dev/sda
where /dev/sda is the drive you want to erase, of course. This will output something along the lines of:
...
...
Security: 
       Master password revision code = xxxx
               supported
       not     enabled
       not     locked
               frozen
       not     expired: security count
               supported: enhanced erase
If your drive is frozen you can try to 'unfreeze' it, as explained here. This didn't work for me; to be honest I can't exactly remember why or what went wrong, but I tried a few things to 'unfreeze' my drive(s) using tips I found on Google and nothing worked. So... here's what I did: SATA drives are often (not always) hot-pluggable. I booted the system from CD, opened a terminal, THEN connected the drive (so it isn't in the 'frozen' state, at least for a while) and started erasing it, first setting a password and then executing the erase command, before it entered the "Frozen" state:
sudo hdparm --user-master u --security-set-pass p /dev/sda
sudo hdparm --user-master u --security-erase-enhanced p /dev/sda
Again, make sure you enter the correct drive if yours isn't /dev/sda! This tells the drive to use its own built-in method of erasing itself. And that may take... a long time. In my case, the 5 WD60EFAX 6TB drives I had to do took about 13 hours each to erase. Once a drive had finished I just (hot) swapped it with the next one and repeated both commands.
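As an added example (not part of the original post), here is a small shell wrapper around the two hdparm commands above that does the checks I would want before and after: it parses the Security block of hdparm -I output, refuses to issue the erase while the drive is frozen or locked or does not advertise enhanced erase, and afterwards re-reads the block to confirm security reads "not enabled" again (a completed ATA security erase clears the user password that was just set). The two hdparm -I dumps embedded in the script are constructed samples for offline testing; the password p and --user-master u are the values from the post, and the --run flag is this script's own, not an hdparm option.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight and post-erase
# checks around the hdparm secure-erase procedure described above.
set -u

# Constructed sample of `hdparm -I` output for a drive the BIOS has frozen
# (the state the post ran into after a normal boot).
SAMPLE_FROZEN=$(cat <<'EOF'
ATA device, with non-removable media
Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
               frozen
       not     expired: security count
               supported: enhanced erase
Checksum: correct
EOF
)

# Constructed sample for a drive hot-plugged after boot: not frozen, ready to erase.
SAMPLE_READY=$(cat <<'EOF'
ATA device, with non-removable media
Security: 
       Master password revision code = 65534
               supported
       not     enabled
       not     locked
       not     frozen
       not     expired: security count
               supported: enhanced erase
Checksum: correct
EOF
)

# Print only the indented lines of the "Security:" block from `hdparm -I`
# output on stdin; the block ends at the next line that starts in column 0.
security_section() {
  awk '/^Security:/ { inblock = 1; next }
       inblock && /^[^[:space:]]/ { exit }
       inblock { print }'
}

# Given a flag name (enabled, locked, frozen), print "yes" or "no" depending on
# whether the Security block on stdin lists it with or without a leading "not".
security_flag() {
  awk -v flag="$1" '$NF == flag { r = ($1 == "not") ? "no" : "yes"; print r; exit }'
}

# Pre-flight: succeed only if the drive (hdparm -I output on stdin) is not
# frozen, not locked, and advertises the enhanced erase command.
preflight() {
  sec=$(security_section)
  if [ -z "$sec" ]; then
    echo "no Security block found in hdparm -I output" >&2; return 1
  fi
  if [ "$(printf '%s\n' "$sec" | security_flag frozen)" != "no" ]; then
    echo "drive is frozen: hot-plug it after boot and retry" >&2; return 1
  fi
  if [ "$(printf '%s\n' "$sec" | security_flag locked)" != "no" ]; then
    echo "drive is locked: unlock it before erasing" >&2; return 1
  fi
  if ! printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
    echo "drive does not advertise enhanced erase" >&2; return 1
  fi
}

# Run the post's two commands against a device only when preflight passes, then
# confirm the erase cleared the password: Security should read "not enabled".
erase_drive() {
  dev=$1
  hdparm -I "$dev" | preflight || return 1
  hdparm --user-master u --security-set-pass p "$dev" || return 1
  hdparm --user-master u --security-erase-enhanced p "$dev" || return 1
  [ "$(hdparm -I "$dev" | security_section | security_flag enabled)" = "no" ]
}

# Only touches a drive when invoked explicitly, e.g.: sudo ./erase.sh --run /dev/sdX
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  erase_drive "$2"
fi
```

Run it as root with --run and the device path; without arguments it only defines the functions, so you can source it and pipe a saved hdparm -I dump through preflight to see what it would decide before touching a real drive.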
