SSD Secure Erase with proper ATA command

Posted: 22/11/2011 in Tweaks

I recently wanted to completely wipe (not format) my two Intel X25-M Solid State (SSD) Drives that replaced the ones found in my MacBook Pro (2007) and my Dell Mini 10v (2009), so I went back to a favourite website (that I had saved) to seek instructions using Ubuntu’s Live CD:

http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

However, to my surprise, the site doesn’t carry that information anymore (I barely caught the Google-cached page), so I started digging through the web again for a possible fresh set of instructions to compare with my notes. Nevertheless, after successfully wiping these two Intel SSD drives using the “secure erase ATA command”, I am posting an updated copy of those Wiki instructions that are now down the… world wide drain!

First of all, go grab the Ubuntu v9.04 Live CD image (ubuntu-9.04-desktop-i386.iso) and burn it to a blank CD-R with your favourite application (either on Mac or PC). Update: It seems Ubuntu only supports v10.04 LTS now, as their oldest distro, so use Google to find v9.04 if your computer is more than 2 years old; otherwise v10.04 will do just fine. On the Ubuntu download page, there are also instructions on how to convert the .iso into a bootable USB drive; however, after following their Mac OS X instructions carefully, my MacBook Pro did not want to boot Ubuntu via USB, so I ended up burning a CD-R. That’s 0,10 Euros wasted!

Once you successfully boot into the Ubuntu desktop, you will first need to determine the device that your SSD drive is assigned to. Find and run GParted and you should end up with a list of drives and partitions:

As you can see, in this example, the drive to be erased (the only one actually connected to the Dell Mini) is /dev/sda, which has 3 partitions (EFI, Apple HFS+ and NTFS) from my current Hackintosh hybrid.

The procedure below describes how to use the hdparm command to issue a Secure Erase ATA instruction to a target storage device. When a Secure Erase is issued to an SSD drive, all of its cells are marked as empty, restoring it to factory-default write performance. This is very different from the format command, especially for SSD technology.

DISCLAIMER: This will erase all your data, which will not be recoverable even by data recovery services.

DISCLAIMER: If you encounter kernel or firmware bugs (which are plentiful with non-widely-tested features such as the ATA Secure Erase), this procedure might render the drive unusable or crash the computer it’s running on.

To successfully issue the so-called ATA Security Erase command, you first need to set a user password. This step is somehow omitted from almost all other sources which describe how to secure erase with hdparm.

The example output shown is from an Intel X25-M (34nm) 40GB SSD running the latest 02M3 firmware. It was run from an Ubuntu 9.04 32-bit (Jaunty) Live CD, booted from CD-ROM.

Start by opening Terminal in Ubuntu.

Step 1 – Make sure the drive’s security is not frozen

Start by issuing the following command, where “X” matches your device (in my case, sda):

sudo hdparm -I /dev/X
i.e.
sudo hdparm -I /dev/sda

Typically, you should obtain the following information, at the very end of the command output:

Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

If the command output at the end shows “frozen”, then you cannot immediately continue to the next step. It is likely that your BIOS does not allow the ATA Secure Erase command, as it typically issues a “SECURITY FREEZE” command to “freeze” the drive before booting any operating system. In this case, you could check whether your BIOS has a switch to disable the security freeze (most likely it does not).

The only way that I personally was able to reset the “frozen” state of the SSD drive was to put the system into “sleep”. Placing both my MacBook Pro and Dell Mini into “sleep” and then “waking” them (simply by closing and opening the lid after a few seconds) is a trick that seems to work, as the sudo hdparm -I /dev/sda command now gives the required “not frozen” output:

Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

You may now confidently proceed to step 2 below!

Step 2 – Enable security by setting a user password

WARNING: When the user password is set, the drive will be locked after the next power cycle! (The drive will deny normal access until unlocked with the correct password.)

For this process, any password will do, as it is only temporary. After performing the secure erase on the drive, the password will be set back to NULL. For this procedure, I used the password “Eins” like everybody else on the web:

sudo hdparm --user-master u --security-set-pass Eins /dev/sda

This results in the following output:

security_password="Eins"

/dev/sda:
Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high

The password is now properly set and you should check the status of the drive again by entering:

sudo hdparm -I /dev/sda

You should now read “enabled” at the end of the command output:

Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Now you can safely proceed to the next step of actually erasing the drive.

Step 3 – Issuing the ATA Secure Erase command

Still at the Terminal, type:

sudo time hdparm --user-master u --security-erase Eins /dev/sda

Please wait while the process completes. This may take a few minutes; on my MacBook Pro and the Intel X25-M 80GB, it took about 1 minute to complete, whilst on my Dell Mini and the Intel X25-M 40GB about half a minute. It is reported that for a 1TB disk it could take 3 hours or more!

The output should now read the following:

security_password="Eins"

/dev/sda:
  Issuing SECURITY_ERASE command, password="Eins", user=user
  0.00 user  0.00 system  0:16.71 elapsed  0% CPU
  (0avgtext+0avgdata 0maxresident)k 0inputs+0outputs (0major+165minor)pagefaults 0swaps

Step 4 – Verify the security of the erased SSD

After successfully erasing it, the drive’s security should automatically be reset to “disabled” (thus no longer requiring a password for access). Verify this by running the following command again at the Terminal:

sudo hdparm -I /dev/sda

The command output at the end should thus show the following:

Security:
	Master password revision code = 65534
		supported
	not enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

The process is now officially over. Run or refresh GParted and verify that the drive has been wiped out completely:
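As an added example (not from the original post), the POSIX shell script below reads the Security block of hdparm -I output and tells you which step of the procedure above applies next, so the check is not left to eyeballing the "not" column; the three sample blocks are constructed to mirror the outputs shown in Steps 1 and 2, and it also reports the "supported: enhanced erase" line that the enhanced variant depends on.

```sh
# Added example (not from the original post): classify the Security block of
# `hdparm -I` output. Sample blocks below are constructed from the post's output.

# flag_state OUTPUT KEYWORD -> yes | no | unknown
# "yes" when the KEYWORD line has no leading "not" (e.g. "        frozen"),
# "no" for "not<tab>frozen" or "not frozen" (hdparm mixes tabs and spaces).
flag_state() {
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*(not[[:space:]]+)?'"$2"'[[:space:]]*$' | head -n 1)
    case "$line" in
        '')    echo unknown ;;
        *not*) echo no ;;
        *)     echo yes ;;
    esac
}

# enhanced_supported OUTPUT -> yes | no; gates the --security-erase-enhanced variant
enhanced_supported() {
    if printf '%s\n' "$1" | grep -q 'supported: enhanced erase'; then echo yes; else echo no; fi
}

# security_state OUTPUT -> the step that applies next:
#   unsupported (no ATA security), frozen (step 1: suspend/resume first),
#   locked (power-cycled with a password set; unlock first),
#   ready-to-set (step 2: set the temporary password), ready-to-erase (step 3)
security_state() {
    [ "$(flag_state "$1" supported)" = yes ] || { echo unsupported; return; }
    [ "$(flag_state "$1" frozen)" = no ]     || { echo frozen; return; }
    [ "$(flag_state "$1" locked)" = no ]     || { echo locked; return; }
    [ "$(flag_state "$1" enabled)" = yes ] && echo ready-to-erase || echo ready-to-set
}

# Constructed sample: the frozen block from step 1 (spaces stand in for hdparm's tabs).
FROZEN_SAMPLE='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'
# After the suspend/resume trick the "frozen" line reads "not frozen" ...
THAWED_SAMPLE=$(printf '%s\n' "$FROZEN_SAMPLE" | sed 's/^ *frozen$/    not frozen/')
# ... and after --security-set-pass the "not enabled" line reads "enabled".
ENABLED_SAMPLE=$(printf '%s\n' "$THAWED_SAMPLE" | sed 's/^ *not enabled$/        enabled/')

for s in "$FROZEN_SAMPLE" "$THAWED_SAMPLE" "$ENABLED_SAMPLE"; do
    printf '%s (enhanced erase supported: %s)\n' "$(security_state "$s")" "$(enhanced_supported "$s")"
done
```

On a real machine, feed it the live output with security_state "$(sudo hdparm -I /dev/sdX)" instead of the constructed samples.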

Known issues

1. Executing security erase without setting a password

Some variations of this method are spread across various internet sites, but they will not work because security is “not enabled” when the hdparm command is issued:

sudo hdparm --user-master u --security-erase NULL /dev/sda

As you can see, this results in the following output/error:

security_password=""

/dev/sda:
Issuing SECURITY_ERASE command, password="", user=user
ERASE_PREPARE: Input/output error

2. Getting “Error: 25” when setting a password

With some other Linux distributions, it seems that setting a password simply does not work:

sudo hdparm --user-master u --security-set-pass Eins /dev/sda

…which, in turn, outputs:

/dev/sda:
Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high
Problem issuing security command: Inappropriate ioctl for device
Error: 25

The only advice I found is to try compiling the latest hdparm from http://sourceforge.net/projects/hdparm/

Update

I remember seeing this somewhere, but it seems you can pass another parameter to the hdparm command above to securely erase your SSD in an “enhanced” way. According to the command manual, besides issuing the command above in Step 1:

sudo time hdparm --user-master u --security-erase Eins /dev/sda

you can replace the parameter --security-erase with --security-erase-enhanced, provided that your SSD supports this (it must report “supported: enhanced erase” when you issue sudo hdparm -I /dev/sda in Step 2):

sudo time hdparm --user-master u --security-erase-enhanced Eins /dev/sda

The main difference is that “Secure Erase overwrites all user data areas with binary zeroes. Enhanced Secure Erase writes pre-determined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to re-allocation”, thus offering better data-wiping.
