[CentOS] Utility to zero unused blocks on disk

Tue Feb 9 05:54:54 UTC 2016
Chris Murphy <lists at colorremedies.com>

On Mon, Feb 8, 2016 at 3:18 PM,  <m.roth at 5-cent.us> wrote:
> Chris Murphy wrote:
>> DBAN is obsolete. NIST 800-88 for some time now says to use secure erase
>> or enhanced security erase or crypto erase if supported.
>>
>> Other options do not erase data in remapped sectors.
>
> dban doesn't? What F/OSS does "secure erase"? And does it do what dban's
> DoD 5220.22-M does?

http://dban.org/download

That DoD standard is also obsolete per NIST 800-88. There's zero
evidence provided that 2 passes makes any difference compared to 1,
let alone doing 7.

hdparm --security-help

This takes the form of something like:

hdparm --user-master u --set-security-pass chickens /dev/sdX
hdparm --user-master u --security-erase-enhanced chickens /dev/sdX

The 2nd command doesn't return until completion. hdparm -I can give an
estimate of how long it will take. For HDDs I've found it slightly
overestimates how long it will take, but is generally pretty close.
For SSD's it can be way off. It says 8 minutes for my SSD, but the
command returns in 5 seconds and the SSD spits back all zeros.

Secure erase is really the only thing to use on SSDs. Writing a pile
of zeros just increases wear (minor negative) but also doesn't
actually set the cells to the state required to accept a new write, so
you've just added a lot more work for the SSD's garbage collector and
wear leveling, so it's going to be slower than before you did the
zeroing. Secure erase on an SSD erases the cells so they're ready to
accept writes.

-- 
Chris Murphy