Secure data deletion for SATA drive

You can use Linux commands to securely delete data from a Serial Advanced Technology Attachment (SATA) drive.

  • To securely delete data for a self-encrypting SATA drive, run the following command:
    hdparm --yes-i-know-what-i-am-doing --sanitize-crypto-scramble /dev/sdX
    Notes:
    • The --sanitize command requires version 9.54 or later of the hdparm command.
    • The --sanitize command might display an error message such as SG_IO: bad or missing sense data if the SATA drive is not compatible with the crypto-erase operation. In that case, the SATA drive is not erased, and any subsequent Operation started in background message should be ignored.
    To monitor the progress of the sanitize operation, run the following command:
    hdparm --sanitize-status /dev/sdX
    Note: Do not attempt to access the SATA drive during the sanitize operation because the operation might hang. However, the kernel error-handling routines eventually handle the hung tasks, and the hung tasks eventually exit with an error.
  • To securely delete data for solid-state drives (SSDs) that are not self-encrypting, run the following command:
    hdparm --yes-i-know-what-i-am-doing --sanitize-block-erase /dev/sdX
    Note: The hdparm command does not return an obvious error if the drive is not compatible with the block-erase operation and the drive is not erased. Such an error is typically indicated by a message such as SG_IO: bad or missing sense data. The presence of the message indicates that the drive is not erased.
  • To securely delete data for hard disk drives (HDDs), or when version 9.54 of the hdparm command cannot be used, run the following command sequence:
    hdparm --user-master u --security-set-pass p /dev/sdX
    hdparm --user-master u --security-erase p /dev/sdX
    Notes:
    • The hdparm command with the --security-erase option does not return until the erase operation is complete. The erase operation can take a long time.
    • If a message prefixed with SG_IO is displayed, the drive is not erased.
    After you run the preceding hdparm commands, perform the following procedure to make the HDD drive ready to use again:
    1. To check the security level of the HDD drive, run the following command after you run the hdparm command with --security-erase option:
      hdparm -I /dev/sdX
      In the output, search for one of the following strings to determine the security mode:
      • * Security Mode feature set
        Where the asterisk indicates that the HDD drive is still secure.
      • Master password revision code = NNNNN
                           supported
                           enabled
        
        Where the enabled line in the output indicates that the HDD drive is still secure. Many lines in the output might contain the string enabled. Therefore, only consider the string that is displayed in the Security section.
      • Security level high

        If this string is present in the output, it indicates that the HDD drive is still secure.

    2. If the HDD drive is still secure, run the following commands to disable the password locking feature so that the HDD drive can be reused:
      hdparm --user-master u --security-unlock p /dev/sdX
      hdparm --user-master u --security-disable p /dev/sdX
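
The check in step 1, as an added example that is not part of the original page: a shell function that reads hdparm -I output and looks for the enabled and Security level high indicators only inside the Security section. The function names and the abbreviated sample outputs are constructed for illustration, and the section is assumed to end at the next line that starts in column one.

```shell
# Added example, not from the original page; both sample outputs are constructed.

# Print only the lines of the "Security:" section of `hdparm -I` output (stdin).
# Assumption: the section ends at the next line that starts in column one.
security_section() {
    awk '/^Security:/ { in_sec = 1; next }
         in_sec && /^[^ \t]/ { in_sec = 0 }
         in_sec { print }'
}

# Exit 0 if the drive is still secure, 1 if not, 2 if no Security section.
security_enabled() {
    section=$(security_section)
    [ -n "$section" ] || return 2
    # First word "enabled" means on; "not enabled" has first word "not".
    printf '%s\n' "$section" |
        awk '$1 == "enabled" || /Security level high/ { on = 1 } END { exit !on }'
}

# Constructed, abbreviated sample: password still set after the erase.
sample_secure() {
cat <<'EOF'
Commands/features:
    Enabled Supported:
       *    Security Mode feature set
Security:
    Master password revision code = 65534
        supported
        enabled
    not locked
    not frozen
    Security level high
Checksum: correct
EOF
}

# Constructed, abbreviated sample: security disabled, drive ready for reuse.
sample_clear() {
cat <<'EOF'
Commands/features:
    Enabled Supported:
            Security Mode feature set
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
EOF
}
```

On a real system, pipe the command from step 1 into the function: hdparm -I /dev/sdX | security_enabled. A plain search for enabled over the whole output would also match the not enabled line, which is why the function compares the first word of each line in the section.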