Mendhak / Code

Securely wipe an SSD with its built in commands

Modern SSDs come with built-in commands that can wipe the disk for you. This is something you should normally do before giving the drive away or selling it.

As an overview, you'll need to find out the disk's label, unfreeze the disk, set a password, and then issue the erase command. We'll perform these steps on Ubuntu using the hdparm and dd tools.

Plug it in

If the disk is already connected to your motherboard, you can leave it there. If you've already removed it from the case, you can connect it to your machine with a USB-SATA converter. Preferably, do this over SATA, but USB is an option.

(Image: a 2.5 inch SSD connected to a PC USB port through a USB-SATA converter)

There have been some forum posts about disks being bricked when attempting these operations over USB; however, I have wiped about a dozen SSDs without issue. Your mileage may vary.

Find out its label

You’ll need to know the correct hard drive label to feed into later commands. The easiest way to do this is to open up the Ubuntu Disks application and look for the hard drive that you’ve plugged in.

(Image: the Disks application showing the label of the disk)

You can also use the sudo fdisk -l command, and look for your disk there.

(Image: fdisk output listing several disks)

In this case the drive is /dev/sda, though if you have other SATA SSDs there may be a mix of sda, sdb, sdc and so on in there. From here on the drive will be referred to as /dev/sdX.

It is really important to get this step right, as working with the wrong label can wipe your main disk.
If in doubt, try disconnecting any other drives you have, except the primary OS drive.
The safest way would be to do this from an Ubuntu Live USB and disconnect all other drives.

Install hdparm

The tool to use here is hdparm. If it isn't already installed, install it using

sudo apt install hdparm

hdparm allows you to work with ATA disks and the ATA disk's built-in commands.

Unfreeze the drive

SSDs will sometimes be in a ‘frozen’ state, which is designed to prevent malicious attacks against your disk, including wiping it.

You can check if your disk is frozen using

sudo hdparm -I /dev/sdX

(Image: hdparm output showing the disk is not frozen)

If you see not frozen then you’re OK to proceed. But if you just see frozen, you will need to unfreeze the disk.

The quickest way is to suspend your computer and then reawaken it. You can do this using

sudo pm-suspend

and then power it back on.

If that doesn’t work, a simple reboot should be enough. Try the command again and you should see that the disk is no longer frozen.

Set a password

According to the spec, as a prerequisite to issuing an erase command, you’ll need to set a password to enable security on the disk. Any password will do, and this password will disappear once the drive has been securely erased.

sudo hdparm --user-master u --security-set-pass hunter2 /dev/sdX 

(Image: hdparm used to set a password on the SSD)

Test to make sure that the password has indeed been set.

sudo hdparm -I /dev/sdX

(Image: hdparm output confirming that a password is set)

This time, under Master password, you should see that not enabled has become enabled. The line Security level high also appears at the bottom of the list.

Security Erase or Enhanced Security Erase

The hdparm output also shows what kind of erase the drive supports.

(Image: hdparm output indicating the supported erase types)

The SECURITY ERASE UNIT command will rotate the disk’s internal encryption key, rendering the data on disk invalid.
The ENHANCED SECURITY ERASE UNIT will rotate the encryption key and also write a manufacturer-determined pattern to the disk as an added measure.

Take note of the time estimate; it can be anywhere from a minute to hundreds of minutes, depending on what method the disk uses to erase data.
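The label, frozen-state, password and erase-support checks above can be made mechanical before anything is sent to the drive. The following pre-flight script is an added example written for this post, not code from the original; it parses the Security section of hdparm -I and refuses to proceed if the device has mounted partitions, is frozen, or already has a password set. The SAMPLE_HDPARM text is constructed to mirror hdparm's layout, and /dev/sdX is the post's placeholder device name.

```shell
#!/bin/sh
# Added pre-flight helper (not from the original post): parse the "Security:"
# section of `hdparm -I` output and check /proc/mounts before any erase.
# SAMPLE_HDPARM is constructed to mirror hdparm's real layout; real output
# separates "not" and "frozen" with a tab, so the regexes accept any whitespace.
SAMPLE_HDPARM='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Each helper takes the full hdparm -I text as $1 and answers via exit status.
not_frozen()              { printf '%s\n' "$1" | grep -Eq '^[[:space:]]*not[[:space:]]+frozen'; }
security_not_enabled()    { printf '%s\n' "$1" | grep -Eq '^[[:space:]]*not[[:space:]]+enabled'; }
supports_enhanced_erase() { printf '%s\n' "$1" | grep -q 'supported: enhanced erase'; }

# Print the drive's advertised minutes for the chosen erase ("normal" or "enhanced").
erase_minutes() {
  case "$2" in
    enhanced) pat='[0-9]+min for ENHANCED SECURITY ERASE UNIT' ;;
    *)        pat='[0-9]+min for SECURITY ERASE UNIT' ;;
  esac
  printf '%s\n' "$1" | grep -Eo "$pat" | grep -Eo '^[0-9]+'
}

# Succeed only if no partition of device $1 appears in the mounts table $2
# (defaults to /proc/mounts). This catches the "wiped my OS disk" mistake.
device_unmounted() {
  ! grep -Eq "^$1(p?[0-9]+)?[[:space:]]" "${2:-/proc/mounts}"
}

# Gate: returns 0 when the erase may proceed, non-zero with a reason otherwise.
preflight() { # $1 = /dev/sdX, $2 = hdparm -I output, $3 = mounts table (optional)
  device_unmounted "$1" "$3"  || { echo "refusing: $1 has mounted partitions" >&2; return 1; }
  not_frozen "$2"             || { echo "$1 is frozen: suspend/resume, then retry" >&2; return 2; }
  security_not_enabled "$2"   || { echo "$1 already has a password set" >&2; return 3; }
  if supports_enhanced_erase "$2"; then
    echo "ok: $1 ready, enhanced erase supported (~$(erase_minutes "$2" enhanced) min)"
  else
    echo "ok: $1 ready, plain erase only (~$(erase_minutes "$2" normal) min)"
  fi
}
# Real use: preflight /dev/sdX "$(sudo hdparm -I /dev/sdX)"
```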

Actually erase it

To perform an Enhanced Security Erase,

sudo hdparm --user-master u --security-erase-enhanced hunter2 /dev/sdX

To perform a normal Security Erase,

sudo hdparm --user-master u --security-erase hunter2 /dev/sdX 

Be sure to wait a few minutes more than the estimate.

(Image: hdparm used to erase the disk)

Test that it’s erased

Once again, run

sudo hdparm -I /dev/sdX

Notice that the Security level high line no longer appears. Under Master password the status has returned to not enabled. This tells us that the disk has been reset.

(Image: hdparm output confirming the disk is erased, with Master password showing not enabled)

Unplug and re-plug the SSD, then open the Disks application. The disk should appear but without any of your previous partitions.

(Image: the Disks application showing the disk with no partitions)

You can also verify by reading bytes directly off the disk with the dd command.

sudo dd if=/dev/sdX bs=1M count=5

If you’ve done an Enhanced Erase you will see the pattern which was set by the manufacturer.

(Image: garbled dd output showing the pattern left by an enhanced security erase)

In the case of a regular erase you will see nothing.
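Eyeballing raw dd output is unreliable, so here is an added verification helper (written for this post, not part of the original) that classifies the first N bytes of the device: all zeros, a surviving MBR or GPT signature (meaning the erase did not take), or other data (the manufacturer pattern of an enhanced erase). It assumes 512-byte sectors for the GPT check and /dev/sdX as the placeholder device name.

```shell
#!/bin/sh
# Added verification helpers (not from the original post). They classify the
# first N bytes of a device: all zeros (what a plain erase should leave), a
# leftover MBR/GPT signature (the erase did not take), or other data (the
# manufacturer pattern an enhanced erase writes, or data that was not cleared).

# 0 if the first $2 bytes of $1 are identical to /dev/zero (cmp -n stops at N bytes).
zero_prefix() { cmp -s -n "$2" "$1" /dev/zero; }

# 0 if an MBR boot signature (55 AA at bytes 510-511) or a GPT header
# signature ("EFI PART" at byte 512, assuming 512-byte sectors) survives.
partition_signature_present() {
  mbr=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  gpt=$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null)
  [ "$mbr" = "55aa" ] || [ "$gpt" = "EFI PART" ]
}

# Print a verdict for the first $2 bytes of $1; exit status 0 only when the
# prefix looks erased (zeros or an opaque pattern), 1 when a partition
# table signature is still there.
erase_verdict() {
  if partition_signature_present "$1"; then
    echo "partition-signature"; return 1
  elif zero_prefix "$1" "$2"; then
    echo "zeros"
  else
    echo "pattern"
  fi
}

# Real use, matching the 5 MiB the dd command above reads:
#   sudo sh -c '. ./verify.sh; erase_verdict /dev/sdX 5242880'
```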

Paranoid mode

Although there is an ATA spec proposal for the erase operations, there is no real standardization of secure erase. An SSD could report that it has erased the disk, but without inspecting the firmware code there is no guarantee that it has done so.

The erase should occur by changing the internal encryption key, thereby making the data useless; in some cases the disk performs the normal erase and the enhanced erase in exactly the same way. But manufacturers are not forthcoming about these kinds of details, so a level of suspicion or paranoia here is not unusual.

To address this paranoia, you can take this a step further by performing a dd write to disk anyway. This command will fill the disk with zeroes.

sudo dd if=/dev/zero of=/dev/sdX bs=1M status=progress

Wait until the ‘no space left on device’ error appears.

(Image: dd output ending with the no space left on device error)

And you’re done.

With all of these steps performed, the disk is in a state to be sold or given away.