Blog | G5 Cyber Security

Slow ATA Secure Erase

TL;DR

ATA Secure Erase often finishes far faster than people expect, sometimes in seconds. This guide shows how to check whether that is normal for your drive, how to run (and repeat) the erase correctly, and how to verify that the data is really gone.

Why is my ATA Secure Erase so fast?

Many drives report completion of Secure Erase very quickly, even though a proper erase of a large hard disk takes hours. This happens because:

How to Verify & Extend ATA Secure Erase Time

  1. Check Drive Capabilities with hdparm: This tool shows which security features your drive supports and, importantly, how long the drive itself expects the erase to take.
    sudo hdparm -I /dev/sda

    Look for the “Security” section (hdparm indents it with tabs). Pay attention to lines like:

    • ‘supported’ / ‘not supported’: the drive implements the ATA security feature set, of which Secure Erase is a part.
    • ‘enabled’ / ‘not enabled’: whether a drive password is currently set. The erase command is only accepted while a password is set (step 2 sets one).
    • ‘frozen’ / ‘not frozen’: many BIOS/UEFI firmwares freeze the security state at boot, and a frozen drive rejects the erase. A suspend-to-RAM and resume, or hot-plugging the drive, usually clears it.
    • ‘supported: enhanced erase’: the drive also offers ENHANCED SECURITY ERASE UNIT (hdparm --security-erase-enhanced), which on hard disks is meant to cover reallocated sectors as well.
    • ‘Nmin for SECURITY ERASE UNIT. Nmin for ENHANCED SECURITY ERASE UNIT.’: the drive’s own time estimate. An SSD that reports something like 2min is expected to finish in seconds or minutes, because it either discards its internal encryption key or erases all flash blocks in parallel. A hard disk that reports hours but returns after seconds has not performed a full erase.
  2. Perform a Secure Erase using hdparm: This is the standard method. The drive only accepts SECURITY ERASE UNIT while a user password is set, so set one first (any value will do; a successful erase clears it again), then issue the erase with the same password:
    sudo hdparm --user-master u --security-set-pass NULL /dev/sda
    sudo hdparm --user-master u --security-erase NULL /dev/sda

    ‘NULL’ does not select an erase mode: it is the password argument, and hdparm treats the special value NULL as an empty password. hdparm blocks until the drive reports completion, so note the wall-clock time and compare it with the estimate from step 1. If the command returns immediately with an error, check that the drive is ‘not frozen’ and that the password was set.

  3. Monitor the Erase Process: hdparm does not print progress during the erase, and there is no ‘SecurityStatus’ field to poll. The command simply blocks until the drive finishes, and while the erase runs the drive does not respond to other commands (including the IDENTIFY DEVICE that hdparm -I sends). What you can do is time the command and, once it returns, re-read the security section:
    sudo hdparm -I /dev/sda | grep -A8 '^Security'

    After a successful erase the drive reports ‘not enabled’ and ‘not locked’ again, because a completed erase clears the password.

  4. Extend Erase Time with Multiple Passes: To increase confidence you can run the erase again. A completed erase clears the password, so it has to be set again before each pass:
    sudo hdparm --user-master u --security-set-pass NULL /dev/sda
    sudo hdparm --user-master u --security-erase NULL /dev/sda

    (Repeat as needed.) Be clear about what this buys you: on a hard disk every pass is another full overwrite of the platters; on a self-encrypting SSD every pass only discards another key, so repeating it does not make the erase slower or more thorough.

  5. Use a Dedicated Secure Erase Tool: Consider using tools specifically designed for secure data sanitisation. These often provide more control and verification, but check which mechanism they actually use.
    • DBAN (Darik’s Boot and Nuke): A popular bootable tool for wiping drives. It writes overwrite patterns from software rather than invoking the drive’s own erase, which is slow on hard disks and does not reliably reach spare or wear-levelled flash on SSDs.
    • Parted Magic: A Linux-based live environment with various disk management tools, including a front end for ATA Secure Erase.
  6. Verify After Erase (Important!): After the Secure Erase is complete, verify that the old data is gone.
    • Read Zeroes: Read sectors back from the drive and check their content. Piping dd straight to /dev/null only proves the drive is readable; this version prints 0 when every sampled byte is zero:
      sudo dd if=/dev/sda bs=4096 count=1024 status=none | tr -d '\000' | wc -c

      (Adjust ‘count’ to read a sufficient number of sectors, or drop it to read the whole drive.) Do not treat non-zero data as a failure by itself: after a crypto erase the drive returns the old blocks decrypted with the new key, which looks random, and some drives return a vendor pattern after an enhanced erase. The reliable check is to write known marker strings to the drive before the erase and confirm afterwards that none of them can be found.
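    Putting steps 1 to 4 and the marker check from step 6 together, here is an added example script; it is not from the original post or from the hdparm project. It parses the Security section of hdparm -I, refuses to run when the drive is frozen, locked or unsupported, plants marker strings, runs the erase with a temporary password, and then confirms that no marker survives. The device path (taken from ERASE_DEV), the password value, the marker text and the sample hdparm output are all assumptions or constructed for the example; the real erase only runs when ERASE_DEV is set.

```shell
#!/usr/bin/env bash
# Added example, not the page's own script: wraps the hdparm Secure Erase
# procedure with a readiness check and a marker-based verification.
# Assumptions: PASS, MARKER and the marker offsets are arbitrary choices;
# SAMPLE_READY is a constructed copy of the Security block hdparm -I prints
# for an SSD (hdparm indents with tabs; the parser accepts tabs or spaces).

MARKER='G5-WIPE-MARKER-7c2e'   # constructed; anything unlikely to occur naturally
PASS='NULL'                    # hdparm treats the literal NULL as an empty password

SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Print only the indented lines of the Security section (stdin = hdparm -I output).
security_section() {
  awk '/^Security:/ { insec = 1; next }
       insec && /^[^ \t]/ { exit }
       insec { print }'
}

# security_flag NAME -> yes|no|unknown for the supported/enabled/locked/frozen lines.
security_flag() {
  security_section | awk -v f="$1" '
    $NF == f { v = ($1 == "not") ? "no" : "yes"; print v; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Minutes the drive itself estimates for a normal SECURITY ERASE UNIT.
erase_minutes() {
  security_section | sed -n 's/^.*[^0-9]\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
}

# ready|frozen|locked|already-enabled|unsupported, from hdparm -I text on stdin.
check_ready() {
  txt=$(cat)
  [ "$(printf '%s\n' "$txt" | security_flag supported)" = yes ] || { echo unsupported; return; }
  [ "$(printf '%s\n' "$txt" | security_flag frozen)" = no ]    || { echo frozen; return; }
  [ "$(printf '%s\n' "$txt" | security_flag locked)" = no ]    || { echo locked; return; }
  [ "$(printf '%s\n' "$txt" | security_flag enabled)" = no ]   || { echo already-enabled; return; }
  echo ready
}

# plant_markers DEV OFFSET_MIB... : write MARKER at each offset (a file image works too).
plant_markers() {
  dev=$1; shift
  for off in "$@"; do
    printf '%s' "$MARKER" | dd of="$dev" bs=1M seek="$off" conv=notrunc status=none
  done
}

# count_markers DEV [MIB] : occurrences of MARKER in the first MIB MiB (whole device if omitted).
count_markers() {
  dev=$1; n=${2:-}
  dd if="$dev" bs=1M ${n:+count=$n} status=none | grep -ao "$MARKER" | wc -l | tr -d ' '
}

# zero|nonzero : whether every byte reads back as 0x00 (informative only; a crypto
# erase legitimately returns random-looking data).
zero_check() {
  if [ "$(dd if="$1" bs=1M status=none | tr -d '\000' | head -c 1 | wc -c | tr -d ' ')" = 0 ]
  then echo zero; else echo nonzero; fi
}

# The real procedure against a block device: needs root and an unmounted disk.
secure_erase() {
  dev=$1
  state=$(hdparm -I "$dev" | check_ready)
  [ "$state" = ready ] || { echo "refusing: drive is $state" >&2; return 1; }
  echo "drive estimates $(hdparm -I "$dev" | erase_minutes) min for the erase"
  mib=$(( $(blockdev --getsize64 "$dev") / 1048576 ))
  plant_markers "$dev" 0 $(( mib / 2 )) $(( mib - 1 ))   # start, middle, end
  hdparm --user-master u --security-set-pass "$PASS" "$dev"
  start=$(date +%s)
  hdparm --user-master u --security-erase "$PASS" "$dev"   # blocks until the drive is done
  echo "erase returned after $(( $(date +%s) - start )) s"
  # A completed erase clears the password; the markers must be gone whatever the drive returns now.
  [ "$(hdparm -I "$dev" | security_flag enabled)" = no ] || { echo "security still enabled" >&2; return 1; }
  left=$(count_markers "$dev")
  echo "markers found after erase: $left (drive reads back as $(zero_check "$dev"))"
  [ "$left" = 0 ]
}

if [ -n "${ERASE_DEV:-}" ]; then secure_erase "$ERASE_DEV"; fi
```

    Run it as root with ERASE_DEV=/dev/sdX to erase a drive; without ERASE_DEV it only defines the functions, so the parser and marker checks can be exercised on a file image first. The marker check is what makes the result trustworthy: it passes only if the data you planted is gone, regardless of whether the drive returns zeros, a vendor pattern or random-looking ciphertext.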

Important Considerations
