Home / ubuntu / Questions / 359540
Accepted
Stefan van den Akker
Asked: 2013-10-16 11:25:01 +0800 CST

Securely erase hard drive using the Disk Utility

  • 772

I am planning on selling my laptop. So I formatted my disk using the Disk Utility and chose to overwrite the disk with zeroes.

Two questions:

Is this the same as overwriting the disk using dd?

sudo dd if=/dev/zero of=/dev/sda

And is this method secure enough so that buyers can't easily recover the previous data? Or should I take additional measures (like encrypting the disk, destroying the headers, etc.)?

disk-utility

4 Answers

  1. Best Answer

    Yes, the disk utility uses a method similar to the one with dd you describe, or a faster and more secure one more like:

    dd if=/dev/urandom of=/dev/sda bs=1M

    This introduces a lot more fuzz to the overwriting pattern than zeros only, which should be more difficult to restore but not noticeably slower to perform.

    Some people claim, this is not enough and one should overwrite hard disks multiple times and with more elaborate patterns (scrub(1) can do both of that as per the other answer), but most will say once is enough, if an attacker wants to restore more than a few bits with a significant chance.

    Edit: Apparently /dev/urandom peaks at ~13 MiB/s on at least two systems including mine. Therefore simonp suggested a different approach using openssl(1):

    head -c 32 /dev/urandom | sudo openssl enc -rc4 -nosalt -pass stdin -in /dev/zero -out /dev/sda
    • 41

  2. Another option for reference is to use the ATA Secure Erase method using hdparm.

    The problem with using OS level commands such sa DD is that they will only erase blocks seen by the OS. Any spare blocks (especially reserved cells on SSDs) will not be erased.

    https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

    To reiterate: (2017-Jul)

    The ONLY plausible method (for HDD, SSHD and SSD) is to use the ATA 'Enhanced Secure Erase' (ESE) command to 'remove' all stored and residual data.

    If this command can NOT be used, the media needs to be 'destructed' (converted to <2mm size fragments, or melted in a furnace).

    Notes:

    • This advice ignores older magnetic-media (from pre-2001 and/or less then 15GB in capacity).
    • Some PC BIOS (or OS) block the ATA command(s) from being run, and some (much older) brand/models (of drive) are problematic, due to poor implementation of ESE.
    • The lesser ATA 'Secure Erase' command is faster but only overwrites with 'zeros', rather than a random pattern.
    • The only truly better method than using ESE is NOT having data on the drive in the first place. This can be achieved by using full-disk encryption (FDE) or self-encrypting drives (SED).
    • 17

  3. The "bootom line" AFIK is that the data has to be over written or it can be retrieved. There are many tools / methods to do this.

    The consensus is that you only have to make one pass, so additional passes take additional time and put excessive wear and tear on the hard drive.

    While there are many solutions, I prefer scrub.

    scrub /dev/sda

    Or if you prefer

    scrub -p dod /dev/sda

    See also

    • 16

  4. Nwipe, it's a fork of DBAN but unlike DBAN is actively in development. It can run as a command line tool or it's default mode is ncurses GUI. It's in the debian, ubuntu, Fedora repositories. Or if you want to run from a USB stick shredOS, which uses nwipe.

    https://github.com/nadenislamarre/shredos/pull/2#event-2855392401

    https://github.com/martijnvanbrummelen/nwipeenter image description here

    • 0