SRE/Dc-operations/Securely Erasing Media
Please note that the default Debian Live Image does not include hdparm.
Rob has used a small live image of Finnix, which includes hdparm and wipe by default.
In an ideal world, we would have a Debian image available via network/PXE boot that loads a command line interface including all RAID support (so we can break down RAID arrays via the command line), wipe, and hdparm. This would allow 100% remote execution of secure erasure of disks.
Securely Erasing Hard Disk Drives
wipe
One method of securely erasing HDDs uses the wipe utility. This is best done from multiple consoles on a crash cart, as each session can then run wipe on an individual disk concurrently rather than sequentially.
Please note that RAID arrays must be broken and the disks presented individually to ensure a proper wipe of all data.
List all the disks in the system:
lshw -class disk
Run the wipe command:
wipe /dev/sda
You can then swap to alternate sessions to run the wipe command for each hard disk drive in the system.
Securely Erasing Solid State Disks
gparted
GParted is a GUI that also supports a secure erase function for SSDs. Do NOT confuse secure erase with simply writing zeros or re-partitioning.
The GParted image can be downloaded here: https://gparted.org
hdparm
One method of securely erasing SSDs uses the hdparm utility.
List the details for a given SSD:
hdparm -I /dev/sda
Set the security password, which is required to securely erase an SSD:
hdparm --user-master u --security-set-pass pw /dev/sda
Send the secure erase command to the SSD. This takes about 1-3 minutes per SSD at most, and the command also removes the security password as part of the secure erase:
time hdparm --user-master u --security-erase pw /dev/sda
Display the info again to confirm the SSD is back to its normal state:
hdparm -I /dev/sda
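The two hdparm -I checks in the steps above can be scripted. The following is an added example, not part of the original procedure: it classifies the Security section of hdparm -I output so the state can be confirmed before setting the password and again after the erase. The function name, state words and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify the "Security:" section
# of `hdparm -I` output. Function names and state words are illustrative.

# Reads `hdparm -I` text on stdin, prints one of:
#   unsupported  no ATA security feature set reported
#   frozen       drive rejects security commands until it is power-cycled
#   locked       drive is locked with a password
#   enabled      password is set (expected between set-pass and erase)
#   ready        not enabled/locked/frozen (expected before and after the erase)
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }         # next unindented section header
        insec {
            neg = ($1 == "not"); key = neg ? $2 : $1
            sub(/:$/, "", key)
            if (!(key in flag)) flag[key] = !neg  # first mention of each flag wins
        }
        END {
            if (!flag["supported"])  print "unsupported"
            else if (flag["frozen"]) print "frozen"
            else if (flag["locked"]) print "locked"
            else if (flag["enabled"]) print "enabled"
            else print "ready"
        }'
}

# Constructed sample of the relevant part of `hdparm -I` output.
# $1 and $2 are "not" or "" for the enabled and frozen flags.
sample_hdparm_output() {
    printf 'Commands/features:\n\t   *\tSMART feature set\n'
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t%s\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1" "$2"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

# Demo on the constructed samples: before set-pass, after set-pass, frozen drive.
sample_hdparm_output not not | ata_security_state
sample_hdparm_output ''  not | ata_security_state
sample_hdparm_output not ''  | ata_security_state
```

On a real host, pipe hdparm -I /dev/sda into ata_security_state. Anything other than "ready" before setting the password, or after the erase has finished, means the disk needs attention before it is treated as erased.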