
Securely Erase A Drive from the Linux Command Line


Linux, Security
David Egan

If a disk has held sensitive data, it may need to be securely erased before it is reused, sold or discarded.

This article outlines a simple disk-wipe procedure for the Linux command line. Tested on Ubuntu 16.04.

Determine the Target Drive

To find the drive, run lsblk. It lists every block device with its size, type and mount point, including the dm-crypt and LVM layers stacked on top of a partition:

lsblk
# Typical output:
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk
├─sda1                                          8:1    0   512M  0 part  /boot/efi
├─sda2                                          8:2    0   488M  0 part  /boot
└─sda3                                          8:3    0 464.8G  0 part
  └─sda3_crypt                                252:0    0 464.8G  0 crypt
    ├─ubuntu--vg-root                         252:1    0 448.8G  0 lvm   /
    └─ubuntu--vg-swap_1                       252:2    0    16G  0 lvm
      └─cryptswap1                            252:3    0    16G  0 crypt [SWAP]
sdb                                             8:16   0   1.8T  0 disk
└─sdb1                                          8:17   0   1.8T  0 part  /media/datadrive
sdc                                             8:32   1   7.5G  0 disk
└─sdc1                                          8:33   1   7.5G  0 part
  └─luks-04235321-8ad9-4631-934c-2c09cfa700e7 252:4    0   7.5G  0 crypt /media/david/secure-data
sdd                                             8:48   1   7.5G  0 disk
└─sdd1                                          8:49   1   7.5G  0 part  /media/david/Thumbdrive
loop0                                           7:0    0  80.5M  1 loop  /snap/core/2462
loop1                                           7:1    0  80.5M  1 loop  /snap/core/2381
loop2                                           7:2    0  79.5M  1 loop  /snap/core/2312
loop3                                           7:3    0 182.6M  1 loop  /snap/atom/9
loop4                                           7:4    0 182.6M  1 loop  /snap/atom/8

Identify the target disk in this list by its size and mount points. Note that a LUKS container or LVM volume is shown beneath the partition that holds it (sdc1 above carries the luks-… mapping mounted at /media/david/secure-data), so a partition with no mount point of its own may still be in use.

Double Check: Avoid Foot-Shooting

When you run the dd command in the “Wipe the Disk” section of this article, the target disk is overwritten from start to finish, with no confirmation prompt and no way to recover the data.

You should therefore double check that you’re operating on the right drive. The kernel exposes the vendor and model strings of each disk under /sys:

# Replace sdX with your target drive name
cat /sys/class/block/sdX/device/{model,vendor}

The output should match the disk you expect to wipe. It is also worth confirming that nothing on the drive is still mounted: a mounted filesystem, or a LUKS container or swap device built on one of its partitions, would be destroyed underneath the running system.
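One way to make that check mechanical, as an added example that is not part of the original article: the script below refuses to proceed if anything in the device tree under /dev/sdX is mounted or in use as swap. It reads the tree with lsblk in raw mode (assumed invocation: lsblk -rno NAME,TYPE,MOUNTPOINT), which lists the dm-crypt and LVM layers that a plain look at /proc/mounts would not attribute to the disk. The function names check_target and wipe_guard and the sample trees are this example's own; the sample trees are constructed from the lsblk listing above.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-flight guard that
# refuses to wipe a device that still backs a mounted filesystem or active
# swap anywhere in its device tree, including dm-crypt and LVM layers.

# check_target DEV LSBLK_TREE
#   LSBLK_TREE is the text of `lsblk -rno NAME,TYPE,MOUNTPOINT /dev/DEV`
#   (raw output: one space-separated line per node below DEV, third field
#   empty when nothing is mounted there). It is passed in as a string so the
#   logic can be exercised against a constructed tree without a real disk.
#   Returns 0 when the tree is idle, 1 when any node is in use.
check_target() {
    dev=$1
    tree=$2
    # a third field means a mount point or "[SWAP]" on that node
    busy=$(printf '%s\n' "$tree" | awk 'NF >= 3 { print "  " $1 " (" $2 ") -> " $3 }')
    if [ -n "$busy" ]; then
        printf 'refusing to touch /dev/%s: it is in use\n%s\n' "$dev" "$busy" >&2
        return 1
    fi
    return 0
}

# wipe_guard DEV
#   Runs the check against the live system, then prints the identity details
#   (model, vendor, size, serial) so they can be compared with the physical
#   device before dd is run. The wipe itself is deliberately left to the operator.
wipe_guard() {
    dev=$1
    if [ ! -b "/dev/$dev" ]; then
        echo "/dev/$dev is not a block device" >&2
        return 2
    fi
    check_target "$dev" "$(lsblk -rno NAME,TYPE,MOUNTPOINT "/dev/$dev")" || return 1
    cat "/sys/class/block/$dev/device/model" "/sys/class/block/$dev/device/vendor" 2>/dev/null
    lsblk -dno SIZE,SERIAL "/dev/$dev"
    echo "/dev/$dev is idle; re-check the details above before running dd"
}

# Constructed tree for the sdc thumbdrive from the lsblk listing above:
# the LUKS mapping on sdc1 is mounted, so the guard must refuse it.
SAMPLE_BUSY='sdc disk
sdc1 part
luks-04235321-8ad9-4631-934c-2c09cfa700e7 crypt /media/david/secure-data'

# Constructed tree for a disk with one unmounted partition.
SAMPLE_IDLE='sde disk
sde1 part'

# Usage on a real machine: wipe_guard sdX && sudo dd ...
```

Run wipe_guard with the bare device name (sdc, not /dev/sdc). Because lsblk walks the whole tree, the check also catches the case where the disk only appears to be idle because its filesystem lives inside a LUKS or LVM mapping.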

Wipe the Disk

This is achieved by overwriting every sector of the target disk with random data from /dev/urandom. Writing to the raw device needs root, so the command is run with sudo.

Block size is set to 1M to cut down on the number of read and write system calls: dd reads and writes up to 1 MiB at a time instead of the default 512 bytes.

Setting the status option to “progress” prints periodic transfer stats to stderr (GNU coreutils 8.24 or later; Ubuntu 16.04 ships 8.25).

# Replace sdX with your target drive name
sudo dd if=/dev/urandom of=/dev/sdX bs=1M status=progress

Note that overwriting only gives a reliable result on spinning disks. On SSDs and USB flash, the controller’s wear levelling and spare blocks can leave old copies of data that no write from the host ever reaches, so for flash media prefer the drive’s own secure-erase command (ATA Secure Erase via hdparm, for example) or keep the drive encrypted and destroy the key.

The problem with this method is that dd is not told how large the disk is. It keeps writing until the kernel rejects the first write past the end of the device, then stops with “No space left on device” and a non-zero exit status. The disk has been fully overwritten at that point, but the error makes a completed wipe look like a failed one, and there is no way to restrict the write to a single partition or a precise range.

Better Method

Read the disk geometry with fdisk, then give dd an explicit seek and count so that it writes exactly the range you want, either the whole drive or a single partition:

sudo fdisk -l /dev/sdX

# Output:
GPT PMBR size mismatch (15702015 != 15826943) will be corrected by w(rite).
Disk /dev/sdX: 7.6 GiB, 8103395328 bytes, 15826944 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C70EC09A-1A70-4728-9D0C-B4122C401FFA

Device       Start      End  Sectors  Size Type
/dev/sdX1     2048  5122047  5120000  2.5G EFI System
/dev/sdX2  5126144 15701982 10575839    5G Linux filesystem

To wipe the whole drive, start at sector 0 so that the partition table and protective MBR go too, and write as many sectors as the disk reports:

Start=0
Sectors=15826944   # from the "Disk /dev/sdX: ... sectors" line of the fdisk output
BytesInSector=512  # from the "Sector size (logical/physical)" line
sudo dd if=/dev/urandom of=/dev/sdX bs=${BytesInSector} count=${Sectors} seek=${Start} status=progress

Because count and seek are both measured in units of bs, the same command wipes a single partition if you take Start and Sectors from its row in the partition table instead: Start=5126144 and Sectors=10575839 for /dev/sdX2 above. Using the sector size as the block size keeps the arithmetic exact but makes dd slow; when the byte count happens to be a multiple of 1 MiB you can use bs=1M and divide Start and Sectors by 2048 (the number of 512-byte sectors in 1 MiB).
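The arithmetic above can be automated. The script below is an added example, not the article's own code: it parses the text of sudo fdisk -l /dev/sdX (the article's listing is embedded as a constructed sample so the script runs without a real disk), works out the byte offset and length of either the whole disk or one partition, and prints a dd command that uses GNU dd's iflag=count_bytes and oflag=seek_bytes so that 1 MiB blocks can be used while still writing the exact region. The function names wipe_region and dd_command are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): derive a byte-exact dd
# command from `sudo fdisk -l /dev/sdX` output. Instead of bs=512, which is
# slow, it keeps 1 MiB blocks and uses GNU dd's iflag=count_bytes and
# oflag=seek_bytes (coreutils 8.16 and later) so that count and seek are
# given in bytes and the region written is exact even when it is not a
# whole number of megabytes.

# wipe_region FDISK_TEXT TARGET
#   TARGET is "disk" for the whole device (offset 0, so the partition table
#   is overwritten as well) or a partition path such as /dev/sdX2.
#   Prints "<byte offset> <byte length>"; returns 1 if TARGET is not found.
wipe_region() {
    printf '%s\n' "$1" | awk -v target="$2" '
        # "Sector size (logical/physical): 512 bytes / 512 bytes" -> logical sector size
        /^Sector size/ { ss = $4 }
        # "Disk /dev/sdX: 7.6 GiB, 8103395328 bytes, 15826944 sectors" -> total bytes
        /^Disk \//     { total = $5 }
        # partition rows: "/dev/sdX2  5126144 15701982 10575839 5G Linux filesystem"
        $1 == target   { start = $2; sectors = $4 }
        END {
            if (target == "disk") {
                if (total == "") exit 1
                printf "0 %s\n", total
                exit 0
            }
            if (sectors == "" || ss == "") exit 1
            # %.0f keeps multi-gigabyte values exact in every awk
            printf "%.0f %.0f\n", start * ss, sectors * ss
        }'
}

# dd_command DEVICE OFFSET LENGTH
#   Prints the dd invocation for the region (printed, not executed, so the
#   operator can read it back against the fdisk listing first).
dd_command() {
    printf 'sudo dd if=/dev/urandom of=%s bs=1M oflag=seek_bytes seek=%s iflag=count_bytes count=%s status=progress\n' \
        "$1" "$2" "$3"
}

# The fdisk listing from the article, embedded so the script runs without a disk.
SAMPLE_FDISK='GPT PMBR size mismatch (15702015 != 15826943) will be corrected by w(rite).
Disk /dev/sdX: 7.6 GiB, 8103395328 bytes, 15826944 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C70EC09A-1A70-4728-9D0C-B4122C401FFA

Device       Start      End  Sectors  Size Type
/dev/sdX1     2048  5122047  5120000  2.5G EFI System
/dev/sdX2  5126144 15701982 10575839    5G Linux filesystem'

# Usage on a real machine:
#   region=$(wipe_region "$(sudo fdisk -l /dev/sdX)" /dev/sdX2) || exit 1
#   dd_command /dev/sdX $region
# Demonstration against the embedded listing:
dd_command /dev/sdX $(wipe_region "$SAMPLE_FDISK" disk)
dd_command /dev/sdX $(wipe_region "$SAMPLE_FDISK" /dev/sdX2)
```

The command is printed rather than executed so that it can be compared against the fdisk listing before it is pasted in. Writing the whole disk always starts at byte 0; for /dev/sdX2 the partition's start sector is multiplied by the logical sector size, which is why the sector-size line is parsed rather than assumed to be 512.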
