How to send "ATA Secure Erase" command to SSD?

Question

A very good way to erase a SSD which have SED support is to change the password/key. But what to do with those that doesn't have SED support?

This article says

Fortunately it is possible to erase most SSDs, though this is closer to a “reset” than a wipe. The “ATA Secure Erase” command instructs the drive to flush all stored electrons, forcing the drive to “forget” all stored data. This command essentially resets all available blocks to the “erase” state, which is what TRIM uses for garbage collection purposes.

Question

I suppose it is something that can be done with hdparm, so does anyone know what command that does this?

It should be noted that there are drives encrypting the content - and they also forget the key, so the data is not only "random" (missing the metadata to reconstruct it), but also encrypted with an unrecoverable key... that allows the SAFE deletion of SSD and hard discs in pretty much milliseconds. Hardware storage encryption is a standard feature today on most enterprise hardware. — TomTom, May 26 '15 at 13:55

Konrad Gajewski · Accepted Answer · 2015-05-26T14:02:23.510

8

Here are the steps:

See if the feature is not frozen. hdparm -I /dev/sdX. If it is (usually by the BIOS), a good way to unfreeze it is to suspend the computer, and resume - then the drive gets powered up, but without BIOS.
IMPORTANT: set the password. This will enable the security feature of the drive: hdparm --user-master u --security-set-pass password /dev/sdX
Lastly, erase the drive:hdparm --user-master u --security-erase password /dev/sdX

The procedure is described here in more detail: https://wiki.archlinux.org/index.php/SSD_memory_cell_clearing

Example from my drive:

Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
    not supported: enhanced erase
    2min for SECURITY ERASE UNIT.

So it is frozen... now I suspend... and...

Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
    not supported: enhanced erase
    2min for SECURITY ERASE UNIT.

edited May 26 '15 at 14:02

answered May 26 '15 at 13:50

Konrad Gajewski

1,498
3
15
29

1

Much better now; +1 from me! – MadHatter May 26 '15 at 14:20
You have just copy pasted the content of the article I linked to which explains how to change the password/key. That is not what the question is about. Please read OP. – Jasmine Lognnes May 26 '15 at 14:29
Well, you asked what do I do if the drive does not support full drive encryption, and I want to erase it with hdparm. – Konrad Gajewski May 26 '15 at 14:33
1

@JasmineLognnes I don't understand what you're talking about. This _exactly_ answers the question you asked. – Michael Hampton May 26 '15 at 15:00
I am asking for the ATA command that *resets* the SSD, not changing the password/key. – Jasmine Lognnes May 27 '15 at 09:15
2

@JasmineLognnes You need to set a password before you can issue the ATA Secure Erase command. This answer is precisely what you need, unless you have mis-stated your question – Daniel Lawson May 31 '15 at 02:00
Let's finish the disscussion, shall we? I think everyone has come out of it a little wiser. – Konrad Gajewski May 31 '15 at 15:06

How to send "ATA Secure Erase" command to SSD?

1 Answers1