Solid state drive/Memory cell clearing
On occasion, users may wish to completely reset an SSD's cells to the virgin state in which they were manufactured, thus restoring it to its factory default write performance. Write performance is known to degrade over time even on SSDs with native TRIM support. TRIM only safeguards against file deletes, not replacements such as an incremental save.
- Back up ALL data of importance prior to continuing! Using this procedure will destroy ALL data on the SSD and render it unrecoverable by even data recovery services! Users will have to repartition the device and restore the data after completing this procedure!
- Do not proceed with this if the target drive isn't connected directly to a SATA interface. Issuing the Secure Erase command on a drive connected via USB or a SAS/RAID card could potentially brick the drive!
Step 1 - Make sure the drive security is not frozen
Issue the following command:
# hdparm -I /dev/sdX | grep frozen
In the security section of the output it should say "not frozen". If it shows as just "frozen" then you cannot continue to the next step. Some BIOSes block the ATA Secure Erase command by issuing a "SECURITY FREEZE" command to "freeze" the drive before booting an operating system.
A possible solution is to simply suspend the system. Upon waking up, it is likely that the freeze will be lifted. If unsuccessful, one can try to hot-(re)plug the data cable (which might crash the kernel). If hot-(re)plugging the SATA data cable crashes the kernel, try letting the operating system fully boot up, then quickly hot-(re)plug both the SATA power and data cables. If hot-(re)plugging of SATA cables still crashes the kernel, make sure that AHCI is enabled in the BIOS (AHCI allows hot-(re)plugging operations without a crash). Using a USB-to-SATA adapter is an option if it supports hotplugging. One can also use hdparm via USB.
Dell Systems
If the command output shows "frozen", you may be able to work around it by:
- Reboot into the Dell BIOS by pressing F2 on startup.
- Set the Internal HDD Password in the BIOS (be careful, the keymap is en_US / qwerty).
- Apply the changes and reboot.
- When prompted for the password by Dell Security Manager, press Escape rather than entering it. The drive will remain locked but not frozen.
- Skip Step 2, and go directly to Step 3 below.
Step 2 - Enable security by setting a user password
Any password will do, as this should only be temporary. After the secure erase the password will be set back to NULL. In this example, the password is "PasSWorD" as shown:
# hdparm --user-master u --security-set-pass PasSWorD /dev/sdX
security_password="PasSWorD"

/dev/sdX:
 Issuing SECURITY_SET_PASS command, password="PasSWorD", user=user, mode=high
As a sanity check, issue the following command:
# hdparm -I /dev/sdX
The command output should display "enabled":
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Step 3 - Issue the ATA Secure Erase command
The final step is to issue the secure erase command, instructing the device's BIOS to erase its contents. Note that for the device used in this example, the earlier output states:
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
As per ATA specification the enhanced security erase (--security-erase-enhanced) performs a more elaborate wipe. If the estimated completion time for both commands is equal, it indicates the drive manufacturer shortcut the specification and uses the same erase function for both. A short time (like 2 minutes) in turn indicates the device is self-encrypting and its BIOS function will wipe the internal encryption key instead of overwriting all data cells.[2]
# hdparm --user-master u --security-erase PasSWorD /dev/sdX
Wait until the command completes. This example output shows it took about 40 seconds for an Intel X25-M 80GB SSD.
security_password="PasSWorD"

/dev/sdX:
 Issuing SECURITY_ERASE command, password="PasSWorD", user=user
0.000u 0.000s 0:39.71 0.0% 0+0k 0+0io 0pf+0w
The drive is now erased. After a successful erasure the drive security should automatically be set to disabled (thus no longer requiring a password for access). Verify this by running the following command:
# hdparm -I /dev/sdX
The command output should display "not enabled":
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
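The checks in Steps 1 to 3 all read the same three flags, and a plain grep for "frozen" or "enabled" also matches the "not frozen" and "not enabled" lines. The following is an added example, not part of the original page or of hdparm: a hypothetical helper, security_state, that reads hdparm -I output on stdin and reports the state, failing closed when a flag is missing. The sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: classify the "Security:" section of `hdparm -I` output.
# Reads the output on stdin and prints one of:
#   frozen | locked | enabled | not-enabled | unknown
security_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next unindented header ends the section
        insec {
            neg  = ($1 == "not")            # "not frozen" versus a bare "frozen"
            flag = neg ? $2 : $1
            sub(/:$/, "", flag)             # "expired:" -> "expired"
            if (flag == "frozen" || flag == "enabled" || flag == "locked") {
                state[flag] = !neg
            }
        }
        END {
            # Fail closed: if any of the three flags is missing, do not guess.
            if (!("frozen" in state) || !("enabled" in state) || !("locked" in state)) {
                print "unknown"
            } else if (state["frozen"]) {
                print "frozen"              # stop: Step 1 is not satisfied
            } else if (state["locked"]) {
                print "locked"              # Dell workaround state: go to Step 3
            } else if (state["enabled"]) {
                print "enabled"             # Step 2 done: go to Step 3
            } else {
                print "not-enabled"         # before Step 2, or after a finished erase
            }
        }'
}

# Constructed sample modelled on the output shown after Step 2 (not captured from a drive).
sample_after_step2() {
    cat <<'EOF'
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

sample_after_step2 | security_state
```

On a real system the input would come from `hdparm -I /dev/sdX | security_state`; a result of "frozen" or "unknown" means the procedure should not continue.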
Tips
See the GRUB EFI Examples for hardware-specific instructions to get GRUB EFI working following a wipe.