Comments on: Secure Erase: data security you already own

By: Mike

Mike — Sun, 28 Aug 2011 09:28:33 +0000

I’m sorry I didn’t copy the URL on the work computer where I’m writing this from, but I was reading earlier on how (E)SE on SSD’s is commonly not implemented correctly, and on at least one drive *SAID* it completed but in reality DID NOTHING!! Apparently these manufacturers consider SE on SSD to be nothing more than a controller FTL reset.

I believe it may have been a recent CMRR paper, but again I’m going from my fuzzy memory–sorry.

Oh, and “hdparm” on recent Linux kernels (and, I’m assuming, *BSD kernels including OS-X) seems to be fine and stable issuing (E)SE commands: in fact, I’m doing an ESE on my 160GB Toshiba drive right now as I’m replacing it with a Corsair 115GB SSD and will sell the HDD.

By: Paul L

Paul L — Fri, 29 Apr 2011 22:20:57 +0000

The Ultimate Boot CD 5.0.3 is a bootable cd with HDDerase 4.0 set to run from FreeDOS. I have been using it to erase a bunch of drives in machines that I am prepping for donation/discarding. Most Seagate and WD hard drives above 20GB performed secure erase quite easily and quickly. About 20 min for a 40GB PATA drive. FYI – Maxtor DiamondMax drives don’t seem to allow secure erase to happen. They always come back with “security count exceeded”.

By: David

David — Thu, 20 Jan 2011 00:56:24 +0000

Just in case people find this blog entry when searching Google (or Bing) for secure erase, hdparm is on the gparted live distribution and can used to secure erase (enhanced) an HDD. I completed this yesterday (2011/01/18) on a Seagate drive.

gparted here:
http://gparted.sourceforge.net/download.php

instructions here:
http://www.ocztechnologyforum.com/forum/showthread.php?67253-Alternative-to-HDDerase-(Gparted)-compatible-with-AHCI-!
AND here:
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Caveats:
Yes, the drive needs to be attached locally or possibly eSATA. USB and FireWire probably have a chance to fail.
Yes you DO have to use ‘sudo’.
No, you should not use NULL. for the password.
If the drive is SATA and frozen you can unfreeze it by “hot plugging” the drive (remove, CTRL-R, insert, CTRL-R).
If the drive is IDE/PATA and frozen– I haven’t gotten that far yet.
Secure Erase can take a while. A 500 GB 2.5 inch drive took around 2 hours, 20 minutes.
Secure Erase will wipe the partition table. You will need to create a new one before trying to install anything (like Windows). Luckily you have gparted, right?

By: F2

F2 — Fri, 18 Jun 2010 18:34:24 +0000

Hello Robin,
You say that the Security Extensions are prevalent on most drives. I have scanned a few SATA units from Hitachi, Maxtor and Seagate, and so far found the extension only on the Hitachi drive.

I have been researching the topic myself — there is very little out there on this subject.

By: Gregg E.

Gregg E. — Sat, 07 Nov 2009 08:11:43 +0000

I just want to wipe a Maxtor 40 gig QuickView drive that came from an old DVR of unknown make. There’s something secured or locked with it so I can’t just plug it into a normal PC and partition/format it.

I know there are master passwords for these drives, I can find them online for any brand *except Maxtor*.

Would be great, in this case, if it had something like “WARNING! INCORRECT PASSWORD ENTERED 5 TIMES! ENTERING INCORRECT PASSWORD AGAIN WILL START SECURE ERASE PROCESS!”.
I’d just poke in some randomness and let the thing wipe itself, as long as that would unlock it.

By: Anonymous

Anonymous — Fri, 30 Oct 2009 01:00:10 +0000

Hi,

I want to enhanced secure erase my seagate drive but:
-HDDerase gives memory error on startup and I am not experienced enough to track reasons.
-I do not know how to boot with hdparm so that I cant use it. I guess I need to initialize hddparm from a physically different location, i.e. not from the drive i am going to erase.

I just want to want to enhanced secure erase the only hard drive on my laptop. What is the easiest way to do that?

Thanks.

By: Robin Harris

Robin Harris — Sat, 25 Jul 2009 01:44:12 +0000

Mark,

Did you do reformat the drives from Windows before the install? That could be it.

Robin

By: mark stumpo

mark stumpo — Fri, 24 Jul 2009 17:28:41 +0000

I used SE on maxtor and seagate drives, but when installing xp on any of them, after xp formats and copies files, the install fails. It only seems to happen on drives that were SE.. Any idea?

By: JIRA: Infra Hardware - Issues Tracking

JIRA: Infra Hardware - Issues Tracking — Wed, 03 Jun 2009 23:38:42 +0000

[INHWISSUES-68] Support for “secure erase” command for all storage controllers and physical disks…

Controller + Physical drives must support “secure erase” command.

This is better than data overwrite because:
1. It includes bad blocks.
2. 6-8 times faster than normal disk writes.
3. Approved by NIST.
4. Handled entirely by o…

By: Ryk Edelstein

Ryk Edelstein — Fri, 18 May 2007 02:16:25 +0000

Thanks for the posting… However, although I may have pointed out a minor error (rather, a point in need of a bit of elaboration), I will throw myself on my sword and correct a few errors in my own message…(probably why I should not be writing in the very early a.m.)

1/ the Acronym is the CMRR – Center for Magnetic Recording Research at the University of California San Diego.

2/ the first sentence is a mess… sorry.

3/ This is not self promotion.. I do not work for Ensconce Data Technology, the manufacturer of the Dead on Demand Digital Shredder. The white paper was originally developed as a presentation of the acceptable means to responsibly destroy hard drive data, and to dispel many of the half baked and potentially dangerous concepts floating about. EDT had requested the rights to the paper for their own purpose.

Clearly my perspective on their product and the value it offers the public and private sector as a portable data destruction appliance made the piece very appealing to them. The presentation is facts based, and you can draw your own conclusion.

If you want to see a broad array of half baked data destruction methods, by self proclaimed experts, go to YOUTUBE and search on data or drive destruction. It is like calling in your crazy cousin Bob to bring over his sledge hammer for a session or data destruction.

I apologize for the errors.

Ryk

By: Ron

Ron — Thu, 03 May 2007 13:52:48 +0000

$ /sbin/hdparm –security-help

ATA Security Commands:
Most of these are VERY DANGEROUS and can KILL your drive!
Due to bugs in most Linux kernels, use of these commands may even
trigger kernel segfaults or worse. EXPERIMENT AT YOUR OWN RISK!

–security-freeze Freeze security settings until reset.

–security-set-pass PASSWD Lock drive, using password PASSWD:
Use ‘NULL’ to set empty password.
Drive gets locked if user-passwd is selected.
–security-unlock PASSWD Unlock drive.
–security-disable PASSWD Disable drive locking.
–security-erase PASSWD Erase a (locked) drive.
–security-erase-enhanced PASSWD Enhanced-erase a (locked) drive.

The above four commands may optionally be preceeded by these options:
–security-mode LEVEL Use LEVEL to select security level:
h high security (default).
m maximum security.
–user-master WHICH Use WHICH to choose password type:
u user-password.
m master-password (default).

By: Samuel Landau

Samuel Landau — Thu, 03 May 2007 07:44:49 +0000

AFAIK for Linux, current hdparm allows to use ATA security functions, amongst which commands ERASE PREPARE and ERASE UNIT. Just make sure your kernel supports it : recent enough release and compiled with CONFIG_IDE_TASK_IOCTL enabled.

By: Robin Harris

Robin Harris — Thu, 03 May 2007 04:47:24 +0000

This came in over the transom, and it sounded pretty good, so I am putting it in as a comment from me. It is from Ryk Edelstein, director of operations for Converge Net, Inc. – a link to a white paper he wrote is in the comment – and I appreciate the quality of his presentation.

Normally I am deeply allergic to self-promotion on StorageMojo – with me as the obvious exception! – but I respect the fact that he has deeper knowledge than I do and presents it well. I do wish he didn’t point out my flaws, but what the hey:

I have read your article on Secure ERase and must state that although you are on the right track, and that the NIST does recognize SE as the single best means to destroy data on a hard dfrive beyond forensic reconstruction second to effective physical destruction. The CRMM software as developped by Dr. Gordon Hughes team, is an academic command line utility designed as a proof of concept tool to demonstrate Secure Erase. Yet, what you fail to state is that this software does not work on most stations or devices.

As a command line utility, the CRMM software does not provide a solution that offers a defensible audit log, or a reliable platform for the effective decomissioning of hard drives in the enterprise. Likewise, in many cases the SE command will not be sent to the device due to BIOS and OS inhibition of the command being presented to the target drive. PC vendors have in many cases inhibited SE from being initiated due to the threat it poses if it were to be exploited by virus and malware authors.

Furthermore, drive manufacturers have interpreted SE differently, and in some cases by the same vendor from one drive model to the next. As such, SE needs to be initiated in a manner specific to the device, in order to be effectively launched.

Please do not get me wrong, I am a big fan of Secure Erase, and more so, on the proper means to use SE. See http://www.deadondemand.com/assets/documents/edt_digital_shredder_2.pdf for more details on the proper means to decomission hard drives using Secure Erase. Even on SATA devices.

By: Robin Harris

Robin Harris — Thu, 03 May 2007 04:39:49 +0000

Joerg,

An excellent point. In fact, that is the next level of security for 2.5″ drives: everything is encrypted with secure key deletion. A future post that ties back to one I did last year.

Thanks,

Robin