Drive Data Erasure

Detailed on this page are the necessary steps to securely erase data from a drive.

  • Perform the steps in order to ensure proper data erasure.
  • Assumes commands are run as root and that the drive has been correctly identified.
  • Always keep your drives encrypted whenever possible. There is little reason not to do so.
  • For SSDs, adding the discard or preferably discard=async option to your mounts can reduce the lifetime of deleted data.

Step #1: Identify the correct drive

  • On the command line you can list all drives with: lsblk
  • Or via the GUI you can use: GNOME Disks, KDE Partition Manager, or GParted
  • Note down the drive path; it should look like one of the following: /dev/sda, /dev/nvme0n1, /dev/mmcblk0
  • This path will be referenced below as [DRIVE]; make sure not to mistype it.

Step #2: Instruct the drive controller to discard all data

This step is to reduce wear from the following step. This works on most solid state drives, advanced flash drives, some SD card readers, and some SMR hard drives.

  • Determine if the drive supports discards: lsblk [DRIVE] --discard
  • If the DISC-GRAN column is equal to zero, skip to the next step.
  • Issue a secure discard: blkdiscard --force --verbose --secure [DRIVE]
  • If that didn't work, try a regular discard: blkdiscard --force --verbose [DRIVE]

Step #3: Perform a traditional erase

This fills the drive with random data. While drives have their own erase features, they may not work correctly or be trustworthy.

  • shred --iterations 1 --verbose [DRIVE]

Step #4: Instruct the drive controller to erase all data

This will tell the drive to erase itself. This works on hard drives, solid state drives, and some advanced flash drives.

  • For NVMe drives:
    • For these commands, use the controller path without the namespace suffix. Example: nvme0n1 becomes nvme0
    • First try a block erase: nvme sanitize --sanact 0x02 [DRIVE]
    • If that didn't work, try a secure format: nvme format --namespace-id 1 --ses 1 [DRIVE]
  • For all other drives:
    • You MUST keep your computer on for the following steps and avoid any USB drive enclosures.
    • First check if supported: hdparm -I [DRIVE] | grep frozen
    • If the last command printed nothing, you cannot complete this step.
    • If it printed "frozen", try to put your computer to sleep, wake it back up, and run the command again.
    • If it printed "not frozen", then you can continue.
    • Set a temporary password: hdparm --user-master u --security-set-pass password [DRIVE]
    • Initiate the erase: hdparm --user-master u --security-erase-enhanced password [DRIVE]
  • Finally, if you were unable to perform the nvme or hdparm methods but were able to run blkdiscard earlier, do that again.
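
The decision points in steps 2 to 4, as an added dry-run helper that is not part of this page: it takes the output of lsblk --discard and hdparm -I as text and prints the commands that apply to a drive, so the plan can be reviewed before anything destructive is run. The sample tool outputs are constructed and the function names are my own.

```shell
# Added pre-flight helper (not part of the original page). It reads the output
# of the page's check commands as text and prints the erase commands that apply,
# without running them. All sample outputs below are constructed.

# "yes" if `lsblk [DRIVE] --discard` shows a non-zero DISC-GRAN (column 3)
# on the disk or any of its partitions, else "no".
discard_supported() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 != "0B" && $3 != "0" { found = 1 }
                            END { print (found ? "yes" : "no") }'
}

# /dev/nvme0n1 -> /dev/nvme0 (the controller path nvme-cli expects).
nvme_controller_path() { printf '%s\n' "${1%n[0-9]*}"; }

# Classify `hdparm -I [DRIVE]` output: ready / frozen / unsupported.
frozen_state() {
  line=$(printf '%s\n' "$1" | grep frozen | head -n 1 | tr -s '[:blank:]' ' ' | sed 's/^ *//; s/ *$//')
  if [ -z "$line" ]; then echo unsupported
  elif [ "$line" = "not frozen" ]; then echo ready
  else echo frozen; fi
}

# Print the page's commands for this drive, one per line, without running them.
# $1 = [DRIVE], $2 = lsblk --discard output, $3 = hdparm -I output
erase_plan() {
  drive=$1; disc=$(discard_supported "$2")
  [ "$disc" = yes ] && echo "blkdiscard --force --verbose --secure $drive"
  echo "shred --iterations 1 --verbose $drive"
  case $drive in
    /dev/nvme*) echo "nvme sanitize --sanact 0x02 $(nvme_controller_path "$drive")" ;;
    *) case $(frozen_state "$3") in
         ready) echo "hdparm --user-master u --security-set-pass password $drive"
                echo "hdparm --user-master u --security-erase-enhanced password $drive" ;;
         frozen) echo "# drive reports frozen: suspend, resume, re-run hdparm -I" ;;
         *) [ "$disc" = yes ] && echo "blkdiscard --force --verbose $drive" ;;
       esac ;;
  esac
  return 0
}

# Constructed sample outputs in the shape of the real tools.
SAMPLE_LSBLK_SSD='NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
sda         0        4K       2G         0
└─sda1      0        4K       2G         0'
SAMPLE_LSBLK_HDD='NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
sdb         0        0B       0B         0'
SAMPLE_HDPARM_READY=$(printf 'Security:\n\tsupported\n\tnot\tenabled\n\tnot\tfrozen\n')
SAMPLE_HDPARM_FROZEN=$(printf 'Security:\n\tsupported\n\tnot\tenabled\n\t\tfrozen\n')
erase_plan /dev/sdb "$SAMPLE_LSBLK_HDD" "$SAMPLE_HDPARM_READY"
```

To use it on a real drive, capture the two check commands into variables first (for example `L=$(lsblk [DRIVE] --discard)` and `H=$(hdparm -I [DRIVE])`) and pass them to erase_plan; the printed lines are the commands to run in order.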

Step #5: Physically destroy the drive (optional)

  • Take apart the drive.
  • Take a hammer or drill to the platters or flash chips.

Bonus #1: Erase Free Space

This is a non-destructive method for an in-use drive that greatly reduces the chance of recovering deleted files.

  • cd into a path on the drive
  • scrub --no-hwrand --pattern random --freespace cfs

Bonus #2: Erase Free Space on Android

This is a non-destructive method for an Android device.