
Does PowerShell have a built-in way to secure erase a disk? By secure erase, I mean writing random data or all zeros to the entire disk. By disk, I mean the whole physical disk, not individual files, mounted volumes or filesystems.

I found Clear-Disk, but that appears to simply wipe the volume information from the partition tables.

I know there are third-party utilities out there, and Microsoft's own diskpart clean can do the trick, and heck, one could even drop into Linux on Windows and use shred or dd to make the data take a dirt nap...

But can pure vanilla PowerShell do it? (without resorting to a complex script or external library call)

ryancdotnet
  • That's not Secure Erase, that's just writing data to the disk. – Michael Hampton Jul 07 '20 at 21:19
  • Maybe I'm borrowing from incorrect terminology, though I did clarify my definition. There seems to be plenty of blending of the terminology used online for the SATA "Secure Erase" commands and "securely erasing" or wiping drives. How would you suggest I improve my question? Really curious on this one. – ryancdotnet Jul 07 '20 at 21:27
  • there is no PoSh-specific method to do that. – Lee_Dailey Jul 07 '20 at 21:33

1 Answer


There are things you can do in PowerShell to effectively secure data on your disk, depending on your need to erase/dispose/recycle a drive. Unfortunately there is no easy Erase-Disk -Secure cmdlet.

The ATA "SECURE ERASE" and "SANITIZE" commands can be sent to the storage device controller and are usually your best technological bet for quickly and securely erasing an entire disk. However, Microsoft's AHCI driver blocks these commands unless you're running in a WinPE environment. No software running in normal Windows installations can pass ATA commands. https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/security-group-commands

You could probably build a WinPE environment that ran a PowerShell script to send ATA commands, but then you might as well use a bootable DBAN image instead.

A solution you could automate using PowerShell from within Windows is BitLocker. Command BitLocker to encrypt either used disk space or all disk space via the GUI or PowerShell, and once encrypted, your data is non-recoverable without the BitLocker key.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10

You could also try the built-in reset feature of Windows 10 in "recycle" mode which does a secure erase of the onboard storage. I wasn't able to find documentation on automating the process, and only saw systemreset -cleanpc mentioned. I'll update my answer if anybody can find the documentation on automating this.

Garrett
  • Does DBAN have secure erase now? Last time I looked at it, it only had old school "write zeros or random stuff to the disk". Anyway, there are actual Secure Erase boot media now, though I usually just grab a random Linux install USB and run the commands myself.. – Michael Hampton Jul 09 '20 at 10:58
  • DBAN does not support ATA commands for secure erase, I just mentioned it because the question asked for "writing random data or all zeros to the entire disk" and once you're having to create alternate bootable media anyway DBAN is a pre-built automated solution. I agree sending the ATA commands from a WinPE or linux environment is still a faster and better solution for securely erasing data overall, and would like to know about an automatic bootable media for processing 100s of machines – Garrett Jul 15 '20 at 20:01
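For completeness, here is what "writing random data or all zeros to the entire disk" looks like when done from PowerShell itself. This is an added example, not code from the question or the answer above, and it is a script rather than a built-in cmdlet: it uses .NET's FileStream over the raw device path to overwrite every sector of one physical disk and then reads the partition-table region back to confirm the old contents are gone. It assumes Windows PowerShell 5.1 in an elevated session, that the target is not the boot or system disk, and that you have confirmed the disk number with Get-Disk first. It is destructive to the disk you point it at.

```powershell
# Added example (not from the original post): overwrite every sector of one physical disk
# from PowerShell using only .NET classes, then verify the first 4 KiB changed.
# Assumptions: Windows PowerShell 5.1, elevated session, disk number checked with Get-Disk.
param(
    [Parameter(Mandatory = $true)] [int] $DiskNumber,
    [ValidateSet('Zero', 'Random')] [string] $Pattern = 'Random',
    [int] $BufferMB = 4     # bytes per write; 4 MiB is a multiple of every common sector size
)

$ErrorActionPreference = 'Stop'

$disk = Get-Disk -Number $DiskNumber
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot or system disk; refusing to wipe it."
}
$size = [int64]$disk.Size
Write-Host ("Wiping disk {0} ({1}, {2:N0} bytes) with pattern '{3}'" -f `
    $DiskNumber, $disk.FriendlyName, $size, $Pattern)

# Windows refuses raw writes to sectors that belong to a mounted volume, so take the whole
# disk offline first; this also dismounts any volumes on it.
Set-Disk -Number $DiskNumber -IsOffline $true
Set-Disk -Number $DiskNumber -IsReadOnly $false

$devicePath = "\\.\PhysicalDrive$DiskNumber"
$buffer     = New-Object byte[] ($BufferMB * 1MB)
$rng        = [System.Security.Cryptography.RandomNumberGenerator]::Create()

$stream = [System.IO.FileStream]::new(
    $devicePath,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::ReadWrite,
    [System.IO.FileShare]::None,
    $buffer.Length,
    [System.IO.FileOptions]::WriteThrough)   # bypass the OS write cache
try {
    # Keep a copy of the first 4 KiB (MBR / GPT header live here) to compare after the wipe.
    $before = New-Object byte[] 4096
    [void]$stream.Read($before, 0, $before.Length)
    [void]$stream.Seek(0, [System.IO.SeekOrigin]::Begin)

    $written = [int64]0
    while ($written -lt $size) {
        if ($Pattern -eq 'Random') { $rng.GetBytes($buffer) }   # fresh CSPRNG bytes per chunk
        $chunk = [int][Math]::Min([int64]$buffer.Length, $size - $written)
        $stream.Write($buffer, 0, $chunk)
        $written += $chunk
        if (($written % 256MB) -eq 0) {
            Write-Progress -Activity "Wiping $devicePath" -PercentComplete (100 * $written / $size)
        }
    }
    $stream.Flush($true)   # FlushFileBuffers: make the drive commit what it has cached

    # Verification: the partition-table region must differ from what was there before, and
    # for the zero pattern it must now be all zeros.
    [void]$stream.Seek(0, [System.IO.SeekOrigin]::Begin)
    $after = New-Object byte[] 4096
    [void]$stream.Read($after, 0, $after.Length)
    if ([Convert]::ToBase64String($before) -eq [Convert]::ToBase64String($after)) {
        throw "First 4 KiB unchanged after wipe; the overwrite did not reach the disk."
    }
    if ($Pattern -eq 'Zero' -and @($after | Where-Object { $_ -ne 0 }).Count -gt 0) {
        throw "Zero pass verification failed: non-zero bytes found in the first 4 KiB."
    }
    Write-Host "Wrote $written bytes to $devicePath and verified the first 4 KiB."
}
finally {
    $stream.Dispose()
    $rng.Dispose()
}
```

Run it as `.\Wipe-PhysicalDisk.ps1 -DiskNumber 2 -Pattern Zero` from an elevated prompt (the script name is an assumption); the disk is left offline and uninitialized, so bring it back with `Set-Disk -Number 2 -IsOffline $false` and `Initialize-Disk` if you intend to reuse it. The check at the end only proves the write reached the addressable sectors. On an SSD it says nothing about over-provisioned or remapped blocks, and on any drive it cannot reach sectors the firmware has retired, which is exactly why the answer's ATA SANITIZE or BitLocker-based approaches remain the better tools for disposal.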