"Go" ATA Secure Erase

ATA Secure Erase

This procedure describes how to use the hdparm command to issue a Secure Erase ATA instruction to a target storage device. When a Secure Erase was issued against a SSD drive all its cells would be marked as empty, restoring it to factory default Write performance.

DISCLAIMER: This would erase all your data, and is not being recoverable by even data recovery services.

DISCLAIMER: If you hit kernel or firmware bugs (which is plenty with not widely-tested features such as ATA Secure Erase) This proced Ure might render the drive unusable or crash the computer it's running on.

DISCLAIMER:The Security-erase command is a single command which typically takes minutes or hours to complete, whereas most ATA Comman DS take milliseconds, or seconds to complete. Whilst drives directly attached to a Straight-forward SATA controllers should work reliably, some "intelligent" interfaces such asUSB or FireWire to Pata/sata bridges, SAS controllers or hardware RAID controllersMay try to reset devices which they has decided is no longer responding. They also decide that locked devices is faulty, and hence not provide any access to them in order to issue unlock com Mands. Such devices may still is unlocked by connecting them directly to a different SATA interface. Additionally, hdparm versions prior to 9.31 don't pass-through the long command time-outs required for the erase commands To the Scsi-ata Command translation ("SAT") layer which such devices use.versions of Hdparm prior to 9.31 with such interfaces.

Warning:do not attempt to does this through a USB interface! This procedure worked fine if I tried it on my x-25m through the SATA interface. When I tried it again later on the same drive through a USB adapter that it let me password protect the drive but would not a ccept the Security-erase command. I shut down the system, reconnected the "drive to the" SATA controller, and found that the drive was Bricked-bios couldn ' t Recognize it. I'll update this warning if I find a by-un-brick the drive. (I ' ve had a similar experience-managed to lock myself out of three drives. Read this experience and learn from It-chris)

WARNING: If the SECURITY ERASE fails, use --disable-security to set your drive back to normal. The password to an empty string or NULL. The Lenovo BIOS at least won't allow you to change the password if it ' s blank. It also freezes the "so" you can ' t-change the password later, after booting to an OS. I ' m now stuck with three drives that is passworded and I cannot unpassword. I finally found a board with a Phoenix Trustedcore BIOS which does allow clearing an empty password-chris.

Note: My hdparm program has a option --security-disable PWD. -Z

To successfully issue an ATA Security Erase command you need to first set a user password. This step was omitted from almost all and sources which describe how to secure erase with hdparm.

The example output shown is from an INTEL x25-m G1 80GB SSD running 8820 firmware. It is run from an Ubuntu 9.04 32-bit (jaunty) Live CD booted from a USB flash drive.

Contents [show]

Step 1-make sure the drive Security are not frozen:

Issue the following command, where "X" matches your device (eg. SDA).

Hdparm-i/dev/x

Step 1a-ensure The drive was not frozen:

Security:        Master Password Revision code = 65534               supported       not     enabled       not     locked        Not     frozennot     expired:security count               supported:enhanced erase       2min for security erase UNIT. 2min for enhanced SECURITY ERASE UNIT.

If the command output shows "Frozen" (instead of "not frozen") then you cannot continue to the next step.

Many bioses would protect your drives if you had a password set (security enabled) by issuing a security FREEZE command be Fore booting an operating system. If your drive is frozen, and it have a password enabled, try removing the password using the BIOS and powering down the SYS TEM to see if that disables the freeze. Otherwise need to use a different motherboard (with a different BIOS).

A possible solution for SATA drives are hot-(RE) plug the data cable (this might crash your kernel). If hot-(re) pluging the SATA data cable crashes the kernel try letting the operating system fully boot up and then quickly hot -(re) plug both the SATA power and data cables.

• It has been reported this hooking up the drive to a ESATA Siig expresscard/54 with an ESATA enclosure would leave the Driv E security state to ' not frozen '.

• Placing my system into "sleep" (suspend to RAM) worked too---and this could reset other drives to ' not frozen ' as well. This have worked on PCs from various manufacturers including Dell, Lenovo, and Clevo. Many Live distributions can be suspended to RAM for this purpose:

Echo-n mem >/sys/power/state

• Users have also reported the IDE Drives May is unfreezed by plugging on an IDE cable to a CD-ROM first, booting your Syst Em and then moving the IDE cable to the drive in question. This would allow the bypass "SECURITY FREEZE" commands sent by BIOS and your OS. Be AWARE, that IDE cables is not hot-pluggable and this technique possesses even higher risks; Under no circumstances should you connect/disconnect/swap power cables the An HDD or CD-ROM, when your PC was on.

Step 2-enable Security by setting a user password:

WARNING: When the user password was set the drive would be locked under next power cycle (the drive would deny normal access until UNL ocked with the correct password).

Step 2a-set a User Password:

Any password would do, as this should only be temporary. After the secure erase the password is set to NULL. For this procedure we'll use the password "Eins".

Hdparm--user-master u--security-set-pass eins/dev/x

Step 2a-command Output:

Security_password= "Eins"
/dev/sdd:issuing security_set_pass command, password= "Eins", User=user, Mode=high

Step 2b-make Sure it succeeded, execute:

Hdparm-i/dev/x

Step 2b-command Output (should display "enabled"):

Security:        Master Password Revision code = 65534               supported               enabled       not     locked       not     Frozen       not     expired:security count               supported:enhanced erase       security       level high 2min for SECURITY ERASE UNIT. 2min for enhanced SECURITY ERASE UNIT.

Step 3-issue the ATA Secure Erase command:

Time hdparm--user-master u--security-erase eins/dev/x

Step 3 Command Output:

Wait until the command completes. This example output shows it took about + seconds for the Intel x25-m 80GB SSD, for a 1TB hard disk it might take 3 hours or more!

Security_password= "Eins"
/dev/sdd:issuing security_erase command, password= "Eins", user=user0.000u 0.000s 0:39.71 0.0% 0+0k 0+0io 0pf+0w      

Step 4-the Drive are now erased! Verify security is disabled:

After a successful erasure the drive security should automatically is set to Disabled (thus no longer requiring a password For access). Verify this by running the following command:

Hdparm-i/dev/x

Step 4-command Output (should display "not enabled"):

Security:        Master Password Revision code = 65534               Supported not            enablednot     locked       not     frozen       not     expired:security count               supported:enhanced erase       2min for security erase UNIT. 2min for enhanced SECURITY ERASE UNIT.

Known Issues:executing security erase without setting a password

Some variations of this is spread on various Internet sources. It does because security is ' not enabled ' (see Hdparm output below).

warning:do not do this! The Lenovo BIOS at least doesn ' t allow your to change the password if it's empty, and also freezes the drive so it can ' t be Unlocked later, so your drive could be password-locked forever! If you just want to remove the security lock on your drive without secure-erasing it, use --security-disable Inst ead.

Hdparm--user-master u--security-erase null/dev/xsecurity_password= ""/dev/sdd:issuing security_erase Command, Password= "", User=user erase_prepare:input/output Error

Even if you freeze or lock your drive by running the above command from a Lenovo laptop with a blank password, it's still possible to unfreeze and unlock it. First, plug the drive into a different computer. Second, perform a power cycle of the The and you is booted into a drive utility (like Gparted). Third, issue the following command which should disable the security on the drive.

sudo hdparm--security-disable PWD  

error:25

With some distributions setting a password does don't work:

Hdparm--user-master u--security-set-pass eins/dev/x

/dev/sdd:issuing security_set_pass command, password= "Eins", User=user, Mode=highproblem issuing SECURITY command: Inappropriate ioctl for DEVICEERROR:25

Compiling the latest hdparm from http://sourceforge.net/projects/hdparm/resolved This problem on CentOS 5 x86_64.

Command time-out during erase with larger drives

Hdparm versions prior to version 9.31 hard-coded the time-out is 2 erase for the hours command. If your drive requires longer than 2 hours to perform a security-erase and then it'll be reset part-way through the erase C Ommand.

If your drive reports it needs longer than minutes to perform the security erase operation and then you should Ensur E that is using version 9.31 or newer.

If Such a time-out has occurred, the output of the "time" command above would be just slightly longer than minutes, and The drive won't have erased correctly. The drive is being reset when the time-out occurs, and whilst this appeared to does no harm to a 1GB Seagate es.2, it ' s Proba Bly not a very well tested part of the drive firmware and should is avoided. In the case of the Seagate, the password is still enabled after the partial-erase and subsequent time-out/reset.

Alternative ATA Secure Erase ToolsHDDErase

The freeware DOS tool can also perform a ATA Secure Erase, although controller support are spotty at best.

"Go" ATA Secure Erase