Ubuntu – secure erase with hdparm – can still see file content

hdparmsecure-erase

I downloaded latest stable Ubuntu (ubuntu-16.04.3-desktop-amd64.iso image that I double checked for authenticity) and used it to boot my new Win10 system which I wanted to wipe. I followed the instructions, like those at

https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

to unfreeze the drive and wipe it using the

time hdparm –user-master u –security-erase … /dev/sda3

command. In fact I ran it another time (after resetting the drive password) and running with –security-erase-enhanced option second time (thanks to http://www.stevenmaude.co.uk/posts/securely-erasing-frozen-hard-disks-with-hdparm instructions).

It took almost 2 hours each time to go through the erase process. At the end, no errors were printed out. 0's were shown for various times, like 0 cpu time and 0 system time. Only the elapsed time was showing ~2 hours.

After those two runs, I was still able to open random text and xml files in both Windows and non-Windows directories and look at their contents even though I had not opened them earlier in that same Ubuntu session, so it could not have cached them!

then…

I could no longer boot into Windows – guess that's a good sign 🙂
After restarting computer and loading up Ubuntu again, it no longer auto-mounts /dev/sda3 (or anything else resembling a hard drive). fdisk -l shows the drive but that's about it.
Tried loading Paragon bootable CD and it also shows no filesystem.

Any ideas as to what I am missing?

It's almost as if it blew away the entry into the file system but after the two erases it was still able to navigate and find file content in that same session of running Ubuntu. Now I don't seem to be able to see anything because anything I try to run no longer finds starting point for the file system, but I wonder if all the data is still laid out there on disk?!

Thank you!

Best Answer

I think you needed the reboot for the new mapping of the hard disk drive to be seen by the system.

If you want to, you can try to recover files from the 'drive surface' with PhotoRec,

http://cgsecurity.org

or look at the following link,

Re: best way to wipe a drive

which also shows checking the result with xxd

roten@my-precise:~$ sudo hdparm -I /dev/sdb
...
Security: 
    Master password revision code = 65534
        supported
    not    enabled
    not    locked
    not    frozen
    not    expired: security count
    not    supported: enhanced erase
    88min for SECURITY ERASE UNIT. 
Logical Unit WWN Device Identifier: 50000391f340058c
    NAA        : 5
    IEEE OUI    : 000039
    Unique ID    : 1f340058c
Checksum: correct
roten@my-precise:~$ sudo hdparm --user-master u --security-set-pass Eins /dev/sdb security_password="Eins"

/dev/sdb:
 Issuing SECURITY_SET_PASS command, password="Eins", user=user, mode=high
roten@my-precise:~$ sudo hdparm -I /dev/sdb
...
Security: 
    Master password revision code = 65534
        supported
        enabled
    not    locked
    not    frozen
    not    expired: security count
    not    supported: enhanced erase
    Security level high
    88min for SECURITY ERASE UNIT. 
Logical Unit WWN Device Identifier: 50000391f340058c
    NAA        : 5
    IEEE OUI    : 000039
    Unique ID    : 1f340058c
Checksum: correct
roten@my-precise:~$ sudo time hdparm --user-master u --security-erase Eins /dev/sdb security_password="Eins"

/dev/sdb:
 Issuing SECURITY_ERASE command, password="Eins", user=user
0.00user 0.00system 1:11:03elapsed 0%CPU (0avgtext+0avgdata 2432maxresident)k
0inputs+0outputs (0major+200minor)pagefaults 0swaps
...
Security: 
    Master password revision code = 65534
        supported
    not    enabled
    not    locked
    not    frozen
    not    expired: security count
    not    supported: enhanced erase
    88min for SECURITY ERASE UNIT. 
Logical Unit WWN Device Identifier: 50000391f340058c
    NAA        : 5
    IEEE OUI    : 000039
    Unique ID    : 1f340058c
Checksum: correct
roten@my-precise:~$ sudo time xxd -a /dev/sdb
[sudo] password for roten: 
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1000000000000 0000 0000 0000 0000 0000 0000 0000  ................
2000000000000 0000 0000 0000 0000 0000 0000 0000  ................
3000000000000 0000 0000 0000 0000 0000 0000 0000  ................
54272.57user 343.93system 15:10:36elapsed 99%CPU (0avgtext+0avgdata 2096maxresident)k
488398400inputs+0outputs (0major+179minor)pagefaults 0swaps
roten@my-precise:~$

Related Solutions

Ubuntu – run a security erase tool on the drive

If your SSD supports it, use the ATA Secure Erase command; assuming that your drive is /dev/sda:

Boot Ubuntu from a Live DVD
Open a Terminal with Ctrl+Alt+t
Check that your drive is not frozen: hdparm -I /dev/sda (look for the frozen or not frozen line)
If your device is frozen, you can try:
- Suspend and resume
- Hot replug the SATA cable (i.e. with the system loaded, unplug the SATA cable an plug it again)
Set a user password: hdparm --user-master u --security-set-pass <password> /dev/sda (replace <password> with the chosen password)
Check that security has been enabled: hdparm -I /dev/sda (look for the enabled or not enabled line)
Issue the Secure Erase command: hdparm --user-master u --security-erase <password> /dev/sda (replace <password> with the chosen password)
Check that security has been disabled: hdparm -I /dev/sda (look for the enabled or not enabled line)

This is the best method to wipe a SSD, since Secure Erase runs at firmware level and has access to all the storage areas of the device, while regular software tools don't. For further reading: ATA Secure Erase - ata Wiki and SSD Data Wiping: Sanitize or Secure Erase SSDs? | Kingston Technology

Ubuntu – Secure erase returns input/output error

FYI: unlocking a Kingston SSD by use of hdparm, after setting a user password appears to be impossible.

NOTE: The drive will appear as locked next time you reboot after setting your password. Until then, security will only appear as enabled.

Whether trying the very user-password you just set, or other variants, such as "", "NULL", NULL or a row of 32 spaces, either as a user-password or as a master-password, will not unlock your drive, but instead give you an Input/output error.

sudo hdparm --user-master m --security-erase "" /dev/sda

will, however, do the job (that's m as in master, since in Kingston's case the master-password is apparently NULL by default).

The very same master password ("") that returns the Input/output error for the security-unlock command, works just fine with the security-erase command.

So don't lock your ssd unless you really intend to erase it, 'cause it's far from certain whether you'll be able to unlock it.

I've been reading reports of similar issues and I've even stumbled across a patch, which I have, however, not tested.

Best Answer

Related Solutions

Ubuntu – run a security erase tool on the drive

Ubuntu – Secure erase returns input/output error

Related Question