Securely Erase A Drive from the Linux Command Line
Linux, Security
If a disk contains sensitive information, it may need to be securely erased.
This article outlines a simple disk-wipe procedure for the Linux command line. Tested on Ubuntu 16.04.
Determine the Target Drive
To find the drive, run the lsblk command. This will output each drive's name and mount point:
lsblk
# Typical output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 488M 0 part /boot
└─sda3 8:3 0 464.8G 0 part
  └─sda3_crypt 252:0 0 464.8G 0 crypt
    ├─ubuntu--vg-root 252:1 0 448.8G 0 lvm /
    └─ubuntu--vg-swap_1 252:2 0 16G 0 lvm
      └─cryptswap1 252:3 0 16G 0 crypt [SWAP]
sdb 8:16 0 1.8T 0 disk
└─sdb1 8:17 0 1.8T 0 part /media/datadrive
sdc 8:32 1 7.5G 0 disk
└─sdc1 8:33 1 7.5G 0 part
  └─luks-04235321-8ad9-4631-934c-2c09cfa700e7 252:4 0 7.5G 0 crypt /media/david/secure-data
sdd 8:48 1 7.5G 0 disk
└─sdd1 8:49 1 7.5G 0 part /media/david/Thumbdrive
loop0 7:0 0 80.5M 1 loop /snap/core/2462
loop1 7:1 0 80.5M 1 loop /snap/core/2381
loop2 7:2 0 79.5M 1 loop /snap/core/2312
loop3 7:3 0 182.6M 1 loop /snap/atom/9
loop4 7:4 0 182.6M 1 loop /snap/atom/8
Determine the relevant disk name from this list.
Double Check: Avoid Foot-Shooting
When you run the dd command in the “Wipe the Disk” section of this article, the target disk will be completely overwritten.
You should therefore double check that you’re operating on the right drive:
# Replace sdX with your target drive name
cat /sys/class/block/sdX/device/{model,vendor}
The output should correspond to the target disk you’re expecting to wipe.
Wipe the Disk
This is achieved by writing random data from /dev/urandom to the target disk.
Block size is set to 1M for the sake of increasing speed: dd will read and write up to 1M bytes at a time.
Setting the status option to “progress” prints periodic transfer stats to stderr.
# Replace sdX with your target drive name
dd if=/dev/urandom of=/dev/sdX bs=1M status=progress
The problem with this method is that dd just writes indefinitely, until eventually it times out. It works, but it is more time-consuming than it needs to be.
Better Method
Use parameters with dd to wipe a partition/drive:
sudo fdisk -l /dev/sdX
# Output:
GPT PMBR size mismatch (15702015 != 15826943) will be corrected by w(rite).
Disk /dev/sdX: 7.6 GiB, 8103395328 bytes, 15826944 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C70EC09A-1A70-4728-9D0C-B4122C401FFA
Device Start End Sectors Size Type
/dev/sdX1 2048 5122047 5120000 2.5G EFI System
/dev/sdX2 5126144 15701982 10575839 5G Linux filesystem
To wipe the whole drive:
Start=0 # Sector offset 0, so the partition table is overwritten as well
End=15826944 # Total sectors, from line 2 of fdisk output
BytesInSector=512 # From line 3 of fdisk output
dd if=/dev/urandom of=/dev/sdX bs=${BytesInSector} count=${End} seek=${Start} status=progress
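The target checks and the size-bounded dd run from the sections above, combined into one script. This is an added example, not code from the original article: the function names are hypothetical, and the GNU dd flags iflag=fullblock,count_bytes and conv=fsync, as well as blockdev --getsize64, are assumptions that go beyond the commands shown above.

```shell
# Added example, not from the original article. Function names are hypothetical.

# Constructed sample in `lsblk -rno NAME,MOUNTPOINT` format (the article's sdc).
SAMPLE_LSBLK='sdc
sdc1
luks-04235321-8ad9-4631-934c-2c09cfa700e7 /media/david/secure-data'

# Read NAME/MOUNTPOINT lines on stdin; print entries that are mounted or swap.
mounted_entries() {
    awk 'NF >= 2 { print $1 " " $2 }'
}

# Print a dd command that stops exactly at the device size ($2, in bytes).
# count_bytes: count= is a byte total; fullblock: no short reads; fsync: flush.
wipe_command() {
    printf 'dd if=/dev/urandom of=%s bs=1M count=%s ' "$1" "$2"
    printf 'iflag=fullblock,count_bytes conv=fsync status=progress\n'
}

# Whole procedure for one disk. Run as root: wipe_disk /dev/sdX
wipe_disk() {
    dev=$1
    name=${dev#/dev/}
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # Refuse if the disk or anything stacked on it (partition, LUKS, LVM) is in use.
    busy=$(lsblk -rno NAME,MOUNTPOINT "$dev" | mounted_entries)
    if [ -n "$busy" ]; then
        printf 'Refusing, still in use:\n%s\n' "$busy" >&2
        return 1
    fi
    bytes=$(blockdev --getsize64 "$dev") || return 1
    echo "Target: $(cat "/sys/class/block/$name/device/model") ($bytes bytes)"
    printf 'Type %s to confirm the wipe: ' "$name"
    read -r answer
    [ "$answer" = "$name" ] || { echo "Aborted" >&2; return 1; }
    cmd=$(wipe_command "$dev" "$bytes")
    echo "+ $cmd"
    $cmd   # intentional word splitting: no argument contains a space
}
```

Because count is given in bytes, dd exits cleanly once the last byte of the device has been written, whatever the device size.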