1

All tutorials tell us that to erase a hard disk for later use (without destroying it) we must spend hours/days wiping it with one pass or three passes...

Is there something like an SSD's secure erase function for hard disks, one that can make all data unrecoverable (or hard to recover) in minutes?

Sven
  • 97,248
  • 13
  • 177
  • 225
Dsae
  • 19
  • 1
  • 4
    Sure: https://en.wikipedia.org/wiki/Thermite – ceejayoz Jan 31 '17 at 23:08
  • @ceejayoz LOL :). – EEAA Jan 31 '17 at 23:11
  • Or: http://www.datadev.com/degausser-government-nsa-dod-approved-data-security-erase.html – EEAA Jan 31 '17 at 23:12
  • 1
    In many cases, I would consider using encrypted disks and then nuking just the headers secure enough. This can be done in seconds. – Sven Feb 01 '17 at 00:42
  • Is that myth about needing to overwrite your hard drive 25 times still going on? That hasn't been true for close to two decades. And anyway, any hard drive sold in the last 15-20 years will have the same secure erase function built in. It just takes longer to run on spinning magnetic media since everything must be overwritten - but only once. – Michael Hampton Feb 01 '17 at 01:01
  • @ceejayoz Will the thermite method destroy the disk? We still need the disk for later use... – Dsae Feb 01 '17 at 01:47
  • 3
    Possible duplicate of [Fastest, surest way to erase a hard drive?](http://serverfault.com/questions/56280/fastest-surest-way-to-erase-a-hard-drive) – user9517 Feb 01 '17 at 07:09
  • See also this [search](https://serverfault.com/search?q=erase+disk) – user9517 Feb 01 '17 at 07:10

3 Answers

1

It all depends on what your security policy will allow.

The only secure way to wipe data from an HDD is using programs such as DBAN.

There really isn't a faster option if you want to ensure compliance with some of the data erasure standards. I've been in a situation where drilling big holes in the platters was good enough!

car1bo
  • 71
  • 5
  • This isn't an HDD, and does not need to be erased with the same process that a magnetic medium does. Zeroing an SSD in a single pass is sufficient, rather than having to perform 3-7 pass DOD wipes. – Spooler Feb 01 '17 at 00:03
  • Hm, right you are (question read weird to me). Well, if it's an hdd then DBAN is probably the way to go. – Spooler Feb 01 '17 at 00:19
1

Molten hard drives produce a lot of smoke

That said, @ceejayoz is correct. Thermite will do the job, but may not be permitted in your datacenter. If you are not allowed to use thermite and you do not have a data-destruction policy and procedure that outline the only approved ways to wipe your data, then you can

1) Assume that a single pass of zeros is sufficient. This is not spinning rust. The methods used to recover data on spinning rust do not apply in the same way to SSDs.

2) You will need to perform multiple tests to determine the maximum number of write threads you can use on your SSD before you saturate any of the bottlenecks between your CPU cores and your drive.

3) Once you have determined the number of threads you can write to your SSD without diminishing returns, then split up a dd job into multiple processes using taskset and assign each one to its own CPU core with its own range of blocks to zero out.

dd if=/dev/zero of=/dev/sd__DEVICE__ bs=1M count= seek= 

You will need to determine the count/seek numbers based on how you split up the size of your drive(s). That calculation is beyond the scope of my answer, as I need to leave the building in a minute.

To zero out the drive any faster will require Ceejayoz's method. If using thermite, you should consider first getting training on the proper handling and usage of this material and check with local fire authorities prior to incineration.

Encryption Ahead of Time Helps

You can of course use cryptsetup to encrypt your drives, assuming you have a strong and long passphrase and don't store a key in clear text on the unencrypted portion of your drive, as I see many people do.

Encrypting your drive will reduce the risk of data exposure should any blocks not be overwritten by dd. Some blocks are reserved for error handling and there is no guarantee that you will have zeroed them out and that they do not contain sensitive data.

Note: If you are going to dd zero a drive that is encrypted, first dismount it and force the block size in dd, or dd will read the existing 4k block size and your dd wipe will take aeons. e.g. cryptsetup remove /dev/mapper/trump2016 then do your wipe.

Aaron
  • 2,809
  • 2
  • 11
  • 29
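The answer above leaves the seek/count arithmetic for the split-up dd jobs as an exercise. The script below is an added example, not part of the answer or of any project: it computes non-overlapping seek/count ranges for N parallel dd writers, pins each one to a CPU core with taskset when that tool is present, waits for all of them, and then counts how many non-zero bytes remain. It runs against a scratch file so it can be tried safely; the device name, size (`blockdev --getsize64 /dev/sdX` on Linux), block size and job count are the caller's inputs.

```shell
#!/bin/sh
# Added example (not code from the original answers): parallel zero-fill
# with explicit seek/count ranges, plus a read-back check.
set -eu

# compute_ranges SIZE_BYTES BLOCK_BYTES JOBS
# Prints one "seek count" pair per job, both in units of BLOCK_BYTES.
# The last job takes whatever is left so the ranges cover the whole target.
# Refuses sizes that are not a multiple of the block size, because a final
# partial block would make dd overrun the end of a real device.
compute_ranges() {
  local size=$1 bs=$2 jobs=$3
  local total per_job seek=0 i=0 count
  if [ $(( size % bs )) -ne 0 ]; then
    echo "size $size is not a multiple of block size $bs" >&2
    return 1
  fi
  total=$(( size / bs ))
  per_job=$(( total / jobs ))
  while [ "$i" -lt "$jobs" ]; do
    if [ "$i" -eq $(( jobs - 1 )) ]; then
      count=$(( total - seek ))
    else
      count=$per_job
    fi
    echo "$seek $count"
    seek=$(( seek + count ))
    i=$(( i + 1 ))
  done
}

# parallel_zero TARGET SIZE_BYTES BLOCK_BYTES JOBS
# One dd per range, run in the background; each job is pinned to a core
# (job i -> core i mod cores) when taskset is available. conv=notrunc keeps
# dd from truncating a file target; fsync makes the writes hit the medium
# before the job is counted as done. Any failing dd aborts the function.
parallel_zero() {
  local target=$1 size=$2 bs=$3 jobs=$4
  local ranges cores pin pids="" i=0 line seek count p old_ifs
  ranges=$(compute_ranges "$size" "$bs" "$jobs") || return 1
  cores=$(nproc 2>/dev/null || echo 1)
  old_ifs=$IFS
  IFS='
'
  for line in $ranges; do
    IFS=$old_ifs
    seek=${line% *}
    count=${line#* }
    pin=""
    if command -v taskset >/dev/null 2>&1; then
      pin="taskset -c $(( i % cores ))"
    fi
    $pin dd if=/dev/zero of="$target" bs="$bs" seek="$seek" count="$count" \
      conv=notrunc,fsync status=none &
    pids="$pids $!"
    i=$(( i + 1 ))
  done
  IFS=$old_ifs
  for p in $pids; do wait "$p"; done   # propagates a non-zero dd exit under set -e
}

# count_nonzero_bytes PATH -> number of bytes that did not read back as zero
count_nonzero_bytes() {
  tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Demo on a constructed 8 MiB scratch file filled with random data.
demo() {
  local scratch size
  size=$(( 8 * 1024 * 1024 ))
  scratch=$(mktemp)
  head -c "$size" /dev/urandom > "$scratch"
  echo "non-zero bytes before wipe: $(count_nonzero_bytes "$scratch")"
  parallel_zero "$scratch" "$size" 1048576 4
  echo "non-zero bytes after wipe:  $(count_nonzero_bytes "$scratch")"
  rm -f "$scratch"
}
demo
```

The read-back count is the part worth keeping even when the wipe itself is trusted: it catches a job that was started against the wrong path or that stopped early, which a row of silent dd processes will not tell you. The script assumes GNU dd (for `status=none` and `conv=fsync`) and Linux `nproc`/`taskset`.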
0

For SSDs, or any Self Encrypting Drive (SED), issuing a SATA Secure Erase and/or Enhanced Secure Erase will do the job. For more information, see here

Note: there are reports of SSDs whose firmware basically ignores these two SATA commands. After using SATA Secure Erase or Enhanced Secure Erase, take a look at your drive to be sure no partitions remain defined.

shodanshok
  • 44,038
  • 6
  • 98
  • 162
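The two commands the answer refers to are issued with hdparm, and the "check that no partitions remain" step can be done by reading the first two sectors back. Both are shown below as an added example, not code from the answer: `ata_secure_erase` runs the ATA SECURITY SET PASSWORD / SECURITY ERASE UNIT sequence (it needs root, a drive that hdparm reports as "not frozen", and is not executed by the demo), and `detect_partition_table` reports whether an MBR boot signature or a GPT header signature is still present. As Michael Hampton's comment notes, the same ATA security erase exists on spinning drives, so the sequence is not SSD-specific. The demo exercises the check on constructed 1 MiB image files, since the check reads the same bytes from a file as from `/dev/sdX`.

```shell
#!/bin/sh
# Added example (not code from the original answer): ATA security erase via
# hdparm, followed by a signature check on LBA0/LBA1.
set -eu

# ata_secure_erase DEVICE [enhanced]
# Sets a temporary user password (required before ERASE UNIT is accepted)
# and issues the erase; a completed erase clears the password again.
# Real hdparm flags; the device path and the throwaway password are inputs.
ata_secure_erase() {
  local dev=$1 mode=${2:-normal} pw=tmp_erase_pw
  if ! hdparm -I "$dev" | grep -q 'not.*frozen'; then
    echo "$dev reports security frozen; suspend/resume or hot-replug it first" >&2
    return 1
  fi
  hdparm --user-master u --security-set-pass "$pw" "$dev"
  if [ "$mode" = enhanced ]; then
    hdparm --user-master u --security-erase-enhanced "$pw" "$dev"
  else
    hdparm --user-master u --security-erase "$pw" "$dev"
  fi
}

# detect_partition_table PATH -> prints gpt, mbr or none
# LBA0 bytes 510-511 hold the 0x55 0xAA boot signature of an MBR (a GPT disk
# keeps one too, in its protective MBR); LBA1 bytes 0-7 hold "EFI PART" for GPT.
# After a successful erase both should be gone.
detect_partition_table() {
  local path=$1 gpt_sig mbr_sig
  gpt_sig=$(dd if="$path" bs=512 skip=1 count=1 2>/dev/null | head -c 8 | tr -d '\000')
  mbr_sig=$(dd if="$path" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  if [ "$gpt_sig" = "EFI PART" ]; then
    echo gpt
  elif [ "$mbr_sig" = "55aa" ]; then
    echo mbr
  else
    echo none
  fi
}

# make_image PATH KIND
# Constructed sample: a 1 MiB zero file carrying an MBR signature, a GPT
# header signature plus protective-MBR signature, or nothing at all.
make_image() {
  local path=$1 kind=$2
  dd if=/dev/zero of="$path" bs=1024 count=1024 status=none
  case $kind in
    mbr)
      printf '\125\252' | dd of="$path" bs=1 seek=510 conv=notrunc status=none ;;
    gpt)
      printf '\125\252' | dd of="$path" bs=1 seek=510 conv=notrunc status=none
      printf 'EFI PART' | dd of="$path" bs=1 seek=512 conv=notrunc status=none ;;
    none)
      ;;
  esac
}

# Demo: the check on each constructed image. On a real drive after the erase,
# run detect_partition_table /dev/sdX and expect "none".
demo() {
  local kind img
  for kind in mbr gpt none; do
    img=$(mktemp)
    make_image "$img" "$kind"
    echo "$kind image -> $(detect_partition_table "$img")"
    rm -f "$img"
  done
}
demo
```

A drive that still shows `mbr` or `gpt` after the erase command returned successfully is the firmware-ignores-the-command case the note describes; treat it as not erased and fall back to an overwrite. The script assumes GNU dd (`status=none`) and util-linux/hdparm on Linux.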