Step-by-Step Secure Erasing of a Data Storage Device

Motivation

If you didn't have the whole device encrypted, including swap space, a regular delete file command only removes the file's entry from the index and marks the space as free, so the file's contents are left intact until they are overwritten by some other file at an arbitrary time. Thus, when giving a storage device away, e.g., selling or discarding it, and you don't want to have anyone find your personal data on it, you have to manually clean it.

Preparation

• run any Linux
  • from another device, not the one that is about to be erased
  • ideally, boot from a Live CD
  • the following examples are for Ubuntu and may vary for other distributions; you can get an ISO image from ubuntu.com and write it to a CD or some bootable flash memory stick
• in the running system, have no important data (that could be accidently deleted)
  • ideally, disconnect any drives that aren't required for the process
• get the name of the medium to erase
  • run System/Administration/Disk Utility; select the drive, select the volume to erase; the name is listed there as "Device"
  • e.g., /dev/sdc for a whole storage device
  • e.g., /dev/sdc1 for a single partition
  • in the following, replace /dev/sdc with the name of the drive to erase
• open a terminal
  • run Applications/Accesories/Terminal
• get super-user rights
  • sudo su
• show device info to verify this is the one you want to erase
  • hdparm -i /dev/sdc
• unmount partition(s)
  • umount /dev/sdcN   (where N is any partition on the device to be erased)

Overwrite

• overwrite every single byte with zeroes
  1. simple; doesn't show any progress
     dd if=/dev/zero of=/dev/sdc bs=1M
     or:
  2. shows a progress bar
     dd if=/dev/zero bs=1M | pv -s $(blockdev --getsize64 /dev/sdc) -B 1M | dd of=/dev/sdc bs=1M
• The process can take a while, from minutes to hours, depending on the size and speed of the storage device. For example, USB 2.0 transfers about 100 GB per hour to an external hard disk; more than 300 GB per hour might be written to a modern disk via SATA.

Alternative Solutions

• If you want excessive security, replace /dev/zero with /dev/urandom; the process will take much more time.
• Similar to dd ... is shred -vzn 1 /dev/sdX. (TODO: try it)
• If the device is encrypted, then an alternative to overwriting is to change the password to a very secure one and forget it.
• For a flash-based device (e.g, a solid state drive, SSD), overwriting will not work, instead you should use ATA security erase.
• To only clean free space on a mounted (ext2-compatible?) volume, use sfill -llvz /media/usb-disk/ or zerofree -v /media/usb-disk/.

---

Copyright © 2007-2011 Lynax   -   Last change: 2011-08-09