wnd's weblog

ATA Secure Erase

12 Oct 2012 08:38:43 FFR, hardware

tl;dr: ATA Secure Erase works even when your screen appears to be dead after sleep/resume cycle. No surprises there, really.

ATA Secure Erase is a great feature that offers (relatively) quick method of wiping a harddrive in (relatively) secure manner. However, actually being able to call it can be problematic. The problem with Secure Erase is that in IBM-PC-compatible PC world many BIOSes call ATA security freeze upon boot. There are several web pages that list the same “standard” methods of unfreezing your drive but as it often happens, I somehow manage to make things more complicated. For me, method of sleep/resume worked, but getting that far wasn’t example straightforward.

It all started when smartd noticed that my primary harddrive had a situation developing. Relocated sector count had crossed threshold and S.M.A.R.T. declared my drive as failing. Thanks to my nightly backups, everything important was safe. Still, as I didn’t want to lose my replaceable data, I got a new harddrive the next morning. Once I had all the data safe, it was time to wipe the old harddrive before returning it for a replacement.

Following the steps described in Linux ATA wiki I soon realised wiping the drive would not be that simple. As expected, BIOS had issued security freeze. Not ready to howswap non-hotswappable hardware, my only option was to try to sleep/resume my computer. Being a desktop workstation with an NVIDIA GPU I had never successfully put my computer to sleep and managed to wake it up again. I was out of options.

My fallback plan was to simply use software to overwrite data with random data for a few times. At first I thought of using Darik’s Book and Nuke. I then realised a complete wipe would not finish overnight, and decided to look for alternatives that could be run from my live Linux installation. With a quick apt-cache search I found that nwipe would do a “DoD” erase and it would run in a live system. I decided that running DoD short wipe for a few rounds should be enough. However, after 24 hours and having finished just two passes (of three) of the first round I decided to give Secure Erase another try.

Talking of nwipe, if you’re developing a tool to ERASE ALL YOUR DATA, please, please document the user interface and make it run with command line parameters. nwipe does NOT take device path as parameter and I could find zero instructions for its ncurses GUI. I had to read the sources to figure out how to do anything with it. Even then, I wouldn’t dare to run it on real hardware before doing a test run in a virtual machine.

After yet another internet search I downloaded Parted Magic, which was supposedly able to put my computer to sleep and have some workarounds for NVIDIA GPUs. As expected, none of these worked. Issuing sleep command would put my computer to sleep just fine, but resuming wouldn’t reinitialise my GPU. In fact, it didn’t even give a signal and my monitor remained in stand by mode. Luckily I discovered that after waking up, my computer did respond to ICMP PING requests. What was even better, pmagic environment was running SSHD. After logging in I discovered sleep/resume had worked: my failing drive was no longer security frozen.

The rest was easy. Following the steps in ATA wiki I set the security password, issued (enhanced Security Erase command and went to bed. In the morning the drive had finished the command. Security Erase had taken just 394 minutes instead of several days that would have been required for short DoD wipe. I powered off, unplugged the ill-fated drive, powered my system back on and went to work. I was finally good to return the drive for a replacement.