- #Sd secure erase full
- #Sd secure erase code
#Sd secure erase full
This disk performs a full data overwrite (that's the only reason why it would take almost three hours). On the other hand, if hdparm reports this: 168min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.Ģ minutes are not enough to overwrite the whole disk, so if that disk implements some actual "secure erase", it must be with the encryption mechanism. Note that, similarly, if a spinning disk claims to implement both modes as well, it may very well map both commands to the same action (hopefully, the "enhanced" one).Īs described in this page, the hdparm -I /dev/sdX command will report something like this: Security:Ģmin for SECURITY ERASE UNIT. When a disk uses encryption, it will make no distinction between "secure erase" and "enhanced secure erase" it may implement both commands (at the ATA protocol level), but they will yield the same results. #Sd secure erase code
In fact, when an SSD implements "secure erase", it MUST use the encryption mechanism, because the "overwrite with zeros" makes a lot less sense, given the behaviour of Flash cells and the heavy remapping / error correcting code layers used in SSDs. This strategy is applicable to both spinning disks and SSD.
To implement a "secure erase", the disk just needs to forget K by generating a new one, and overwriting the previous one. Every data read or write will be encrypted symmetrically, using K as key. When it is first powered on, the disk generates a random symmetric key K and keeps it in some reboot-resistant storage space (say, some EEPROM). with data caching).Īnother method for secure erasure, which is quite more efficient, is encryption: Disks in the wild have been known to take some liberties with the specification at times (e.g. From the ATA specification point of view, there are two commands, and there is no real way to know how the erasure is implemented, or even whether it is actually implemented. 
one of the spare sectors is used by the disk firmware when the computer reads or writes it). It also overwrites sectors which are no longer used because they triggered an I/O error at some point, and were remapped (i.e.
It overwrites data several times with distinct bit patterns, to be sure that the data is thoroughly destroyed (whether this is really needed is subject to debate, but there is a lot of tradition at work here).
The "enhanced secure erase" tries harder: On such a disk, at any time, there is a logical view of the disk as a huge sequence of numbered sectors the "secure erase" is about overwriting all these sectors (and only these sectors) once, with zeros. This sentence makes sense only for spinning disks, and without encryption. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation. Secure erase overwrites all user data areas with binary zeroes.
0 kommentar(er)
