SRE/Dc-operations/Securely Erasing Media

From Wikitech

Please note that the default Debian Live Image does not include hdparm.

Rob has used a small live image of Finnix, which includes hdparm and wipe by default.

In an ideal world, we would have a Debian image available via network/PXE boot that loads a command line interface including full RAID support (so we can break down RAID arrays from the command line), wipe, and hdparm. This would allow 100% remote execution of secure erasure of disks.

Securely Erasing Hard Disk Drives

wipe

One method of securely erasing HDDs uses the wipe utility. This is best done from multiple consoles on a crash cart, as each session can then run wipe on an individual disk concurrently rather than sequentially.

Please note that RAID arrays must be broken and the disks presented individually to ensure all data is properly wiped.

List all the disks in the system:

lshw -class disk

Run the wipe command:

wipe /dev/sda

You can then swap to alternate sessions to run the wipe command for each hard disk drive in the system.

Securely Erasing Solid State Disks

gparted

GParted is a GUI tool that also supports a secure erase function for SSDs. Do NOT confuse the secure erase with simply writing zeros or re-partitioning.

The GParted image can be downloaded here: https://gparted.org

hdparm

One method of securely erasing SSDs uses the hdparm utility.

List off the details for a given SSD:

hdparm -I /dev/sda 

Set the security password, which is required to securely erase an SSD:

hdparm --user-master u --security-set-pass pw /dev/sda 

Send the secure erase command to the SSD. This takes about 1-3 minutes per SSD at most, and the command also removes the security password as part of the secure erase:

time hdparm --user-master u --security-erase pw /dev/sda 

Display the drive info again to confirm the SSD is back to its normal state:

hdparm -I /dev/sda
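
The two hdparm -I steps above can be checked by script rather than by eye. The following is an added example, not part of the original page: it parses the Security section of hdparm -I output and reports whether the drive is in the state expected before setting the password and again after the erase. A drive reporting "frozen" rejects the set-pass and erase commands. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: read the "Security:" section of
# `hdparm -I` output and decide whether the drive will accept a secure erase.

# Print the ATA security flags found on stdin, e.g.
# "supported=yes enabled=no locked=no frozen=no".
ata_security_state() {
    awk '
        function val(k) { return (k in state) ? state[k] : "unknown" }
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented header ends the section
        insec {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            neg = (line ~ /^not[ \t]/)      # hdparm prefixes cleared flags with "not"
            sub(/^not[ \t]+/, "", line)
            if (line ~ /^(supported|enabled|locked|frozen)$/)
                state[line] = neg ? "no" : "yes"
        }
        END {
            printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                val("supported"), val("enabled"), val("locked"), val("frozen")
        }'
}

# Succeed only if no password is set and the drive is neither locked nor frozen.
# This is the state expected both before --security-set-pass and after the erase.
erase_ready() {
    [ "$(ata_security_state)" = "supported=yes enabled=no locked=no frozen=no" ]
}

# Constructed sample of the Security section; $1 and $2 are "not" or "" and
# control the enabled and frozen flags (hypothetical helper for the demo).
sample_security() {
    printf 'Security: \n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\t%s\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1" "$2"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Demo on constructed samples; on a live system: hdparm -I /dev/sda | erase_ready
sample_security not not | ata_security_state   # idle drive, ready for set-pass
sample_security not ""  | ata_security_state   # frozen: set-pass/erase will fail
sample_security ""  not | ata_security_state   # password set, erase not yet run
```

If the last state (enabled=yes) is still reported after the erase step, the erase did not complete and the drive still has the security password set.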