If you ever need to securely erase a hard drive, you may be interested to learn that the erasing core of the classic old Darik's Boot and Nuke (DBAN) software has been modernized and open-sourced under the name nwipe. It offers a range of secure erase options, including overwriting with all 1s/0s, overwriting with the output of a (configurable) PRNG, and DoD 5220.22 (short and full).
You don't need it to erase an SSD; the built-in Secure Erase method on those is both faster and safer. But if you still have spinning rust lying around, it might come in handy.
-
@jalefkowit Honestly drives aren't expensive enough anymore to justify wiping them: The government (and I) recommend just physically destroying them instead.
-
@jalefkowit Does secure erase work? I’ve heard some implementations are better than others.
-
@jollyrogue According to what I've read there were some kinks with Secure Erase in very early drives that supported it, but they've mostly been worked out.
It seems to have worked reliably on the drives I've used it on, though you'd need to ask a red-team type person to confirm if the data really is unrecoverable. I'm not qualified to opine on that.
-
-
@ocdtrekkie Big enterprises will have a bin they can put a drive in where it will be collected and destroyed by someone competent to do that. I don't have that bin, and I don't trust myself to destroy the drive competently on my own.
There are local shredding companies that say they do drive destruction as well, but they have all seemed geared towards serving enterprise customers too. Someone like me who needs to destroy one or two drives every few years is too small-time to be of interest to them.
-
@jalefkowit I personally like to consume it as part of ShredOS (https://github.com/PartialVolume/shredos.x86_64) which can print nifty certificates of date/time/serial/number of bad sectors, etc.
Probably not good enough for any real audit since it's just a PDF of stuff collected at runtime and not "warranted" but it's a nice-to-have IMO for personal/SMB use which would have been happy with standard DBAN/nwipe.
-
-
@_calmdowndear Yeah, I was going to mention ShredOS as an easy way to pick up nwipe if you want something more like the "classic" DBAN boot-and-nuke experience.
I haven't tried the PDF certificate feature myself, but I _think_ it's coming from nwipe, not ShredOS. So you could theoretically produce the certificate even if you just take nwipe from your distro.
-
@jalefkowit If a spinning drive's controller supports the ATA Secure Erase standard (which drives have supported for more than 25 years), you can use the same command to erase both spinning drives and SSDs (It performs overwrite on rust and encrypt-then-discard-key on SSDs). The Linux hdparm can send the command to the controller directly, no third-party software required.
Also, if a hard drive is more than 20 MB, the track density makes it much more difficult to reconstruct useful data from the fallow magnetic medium between tracks. Making seven passes has been overkill for a long time.
I cover some other corner cases here, including quoting Gutmann to back up my claim that multiple passes are no longer necessary:
-
@tychotithonus The maintainer of nwipe agrees with you re multiple passes; their guidance is one pass with PRNG output is sufficient for most cases. (And they say even that's probably overkill, with no demonstrated proof that data can be recovered after a single pass just writing zeroes.)
I keep hearing that modern HDDs should also support ATA Secure Erase, but the one I'm working with now is from a reputable vendor (WDC) and relatively recent (bought circa 2020) and as far as I can tell it does not. So I don't know where the line is on which HDDs can do Secure Erase and which can't.
https://github.com/martijnvanbrummelen/nwipe/discussions/582
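Added example, not part of the original posts and not hdparm's or nwipe's own code: one way to check what a drive reports about ATA Security before relying on Secure Erase, by parsing the Security section of `hdparm -I` output. The function names, the state labels and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the ATA Security state from `hdparm -I` text read on stdin.
# Assumes hdparm's usual layout: a "Security:" heading followed by
# indented flag lines, each prefixed with "not" when the flag is clear.
# Real use (as root): hdparm -I /dev/sdX | ata_security_state
ata_security_state() {
    awk '
        /^Security:/        { in_sec = 1; seen = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }   # next top-level heading ends the section
        !in_sec             { next }
        {
            line = $0
            gsub(/^[ \t]+/, "", line)
            neg = (line ~ /^not[ \t]+/)
            sub(/^not[ \t]+/, "", line)
            if      (line == "supported")                 sup = !neg
            else if (line == "locked")                    lck = !neg
            else if (line == "frozen")                    frz = !neg
            else if (line == "supported: enhanced erase") enh = !neg
        }
        END {
            # No Security section, or "not supported": the drive does not
            # advertise the feature set, so fall back to an overwrite tool.
            if (!seen || !sup) print "unsupported"
            else if (lck)      print "locked"
            # Frozen: security commands are rejected until the drive is
            # power cycled, so an erase request would not take effect.
            else if (frz)      print "frozen"
            else if (enh)      print "ready-enhanced"
            else               print "ready"
        }'
}

# Constructed sample, not captured from a real drive. $1 and $2 are the
# prefixes ("" or "not") for the "supported" and "frozen" flags.
sample_identify() {
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t%s\tsupported\n\t%s\tenabled\n' "$1" not
    printf '\tnot\tlocked\n\t%s\tfrozen\n' "$2"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Demonstration on the constructed sample: supported but frozen.
sample_identify "" "" | ata_security_state
```

A result of `unsupported` or `frozen` means an erase request would be refused, which is worth knowing before treating a drive as wiped.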
-
@jalefkowit Wow, that is a firmware bug as far as I'm concerned. I bet WD would be surprised that it's missing!
-
@tychotithonus @jalefkowit hey uh
Got a model number and firmware revision for that WDC drive that's missing support for SATA secure erase?
For
Let's say, totally normal reasons
-
@gnomon @tychotithonus I feel like you’re asking me to provide evidence that I’m an idiot, which as a matter of policy is a thing I generally do not do