Hardware

How to Securely Recycle or Dispose of Your SSD

At times, you may want to sell your old SSD or give it away to your friends and family. It is essential to securely erase your SSD to ensure that your data is not recoverable in these cases.

The way we usually format SSD partitions does not remove the data from the drive. You can still recover files from it. So, your data is not safe, mainly when you sell your old SSD, as you don’t know who will buy it and what his intentions are. Your private photos, videos, and other important files can be recovered from your sold SSD, and you don’t really want that.

So, before you sell your SSD or give it away to someone, it’s best to erase all the data from your SSD securely.

In this article, I will show you how to erase all the data from your SSD securely. So, let’s get started.

Table of Contents:

  1. Installing GNOME Disks
  2. Installing hdparm
  3. Installing nvme-cli
  4. Securely Erase SSDs with GNOME Disks
  5. Securely Erase SSDs with the dd Command
  6. Securely Erase SATA SSDs using SSD Hardware Feature
  7. Securely Erase NVME SSDs with SSD Hardware Feature
  8. Sanitizing NVME SSDs with SSD Hardware Feature
  9. Conclusion
  10. References

Installing GNOME Disks:

NOTE: You can skip this section if you don’t want to erase your SSD using the GNOME Disks app securely.

You can securely erase your SSD with the GNOME Disks app. GNOME Disks should be installed by default on every Linux distribution featuring the GNOME 3 Desktop Environment. GNOME Disks also works on other desktop environments as well. All you have to do is install GNOME Disks from the package repository of your desired Linux distribution.

On Ubuntu/Debian, you can install GNOME Disks with the following commands:

$ sudo apt update
$ sudo apt install gnome-disk-utility -y

On CentOS/RHEL/Fedora, you can install GNOME Disks with the following command:

$ sudo dnf install gnome-disk-utility -y

On Arch Linux, you can install GNOME Disks with the following commands:

$ sudo pacman -Sy
$ sudo pacman -S gnome-disk-utility

Installing hdparm:

NOTE: You can skip this section if you don’t want to erase your SATA SSD using the SSD hardware features securely.

To securely erase SATA SSDs using its Secure Erase hardware features, you must have the hdparm utility installed on your computer.

On Ubuntu/Debian, you can install the hdparm utility with the following commands:

$ sudo apt update
$ sudo apt install hdparm -y

On CentOS/RHEL/Fedora, you can install the hdparm utility with the following command:

$ sudo dnf install hdparm -y

On Arch Linux, you can install the hdparm utility with the following commands:

$ sudo pacman -Sy
$ sudo pacman -S hdparm

Installing nvme-cli:

NOTE: You can skip this section if you don’t want to securely erase or sanitize your NVME SSD using the SSD hardware features.

To securely erase or sanitize NVME SSDs using its hardware features, you must have the nvme-cli package installed on your computer.

On Ubuntu/Debian, you can install the hdparm utility with the following commands:

$ sudo apt update
$ sudo apt install nvme-cli -y

On CentOS/RHEL/Fedora, you can install the hdparm utility with the following command:

$ sudo dnf install nvme-cli -y

On Arch Linux, you can install the hdparm utility with the following commands:

$ sudo pacman -Sy
$ sudo pacman -S nvme-cli

Securely Erase SSDs with GNOME Disks:

This section will show you how to use the GNOME Disks app to erase SSD data securely. If you don’t have the GNOME Disks app installed, check the Installing GNOME Disks section of this article.

First, open the GNOME Disks app from the Application Menu of your computer.

The GNOME Disks app should be opened.
From the GNOME Disks app, select the SSD that you want to format, as marked in the screenshot below.

Once you’ve selected an SSD, you should find its device name from the GNOME Disks app marked in the screenshot below.

In my case, the device name of my SSD is /dev/sda. It may be different for you. So, make sure to replace it with yours from now on.

Before you format the SSD sda, you can read the first 10 MB of your SSD with the following command:

$ sudo dd if=/dev/sda bs=1M count=10

You should see a lot of random characters, as shown in the screenshot below. This means that the SSD has a lot of data in it.

Once you securely erase the SSD, you should not see any of these random characters no matter how much data you read from the SSD.

To securely erase the SSD you’ve selected with the GNOME Disks app, click on > Format Disk… as marked in the screenshot below.

The Format Disk window should be displayed.

Select Overwrite existing data with zeroes (slow) from the Erase dropdown menu as marked in the screenshot below

Click on Format… as marked in the screenshot below.

Click on Format.

Type in your login password and click on Authenticate.

The GNOME Disks app should start filling your SSD with zeroes, as shown in the screenshot below. It may take a while to complete depending on the speed and size of your SSD.

At this point, all the data of your SSD should be securely erased.

You can confirm whether all the data is removed from the SSD /dev/sda as before. Just read the first 10 MB of data from the SSD with the following command:

$ sudo dd if=/dev/sda bs=1M count=10

As you can see, there is no data in the first 10 MB of my SSD. No matter how much data you read from it, you should see the same output.

So, the SSD is securely erased. You can now sell the SSD or give it away.

Securely Erase SSDs with the dd Command:

You can securely erase all the data of your SSD with the dd command-line program.

First, run the following command to find the device name of your SSD.

$ sudo lsblk -e7

All the storage devices installed on your computer should be listed.

In my case, the device name of the SSD is sda. It may be different for you. So, make sure to replace it with yours from now on.

Before you format the SSD sda, you can read the first 10 MB of the SSD with the following command:

$ sudo dd if=/dev/sda bs=1M count=10

You should see a lot of random characters, as shown in the screenshot below. This means that the SSD has a lot of data in it.

Once you securely erase the SSD, you should not see any of these random characters no matter how much data you read from the SSD.

To zero-fill all the data cells of your SSD sda, run the following command:

$ sudo dd if=/dev/zero of=/dev/sda bs=1M status=progress

It may take a while to zero-fill all the data cells of your SSD. It depends on the speed and size of your SSD.

Once all the data cells of your SSD are zero-filled, the dd command should stop running with the following error message.

Now, read the first 10 MB of data from your SSD sda, and you should not see any data in there. This means that the SSD is securely erased.

$ sudo dd if=/dev/sda bs=1M count=10

Securely Erase SATA SSDs using SSD Hardware Feature:

You can securely erase your SATA SSD to its factory default using the SSDs secure erase hardware features. To do that, you must have the hdparm utility installed on your computer. If you don’t have the hdparm utility installed on your computer, check the Installing Installing hdparm Securely section of this article.

First, run the following command to find the device name of your SSD.

$ sudo lsblk -e7

All the storage devices installed on your computer should be listed.

In my case, the device name of the SSD is sda. It may be different for you. So, make sure to replace it with yours from now on.

To securely erase your SSD using the secure erase hardware features of the SSD, your SSD must not be in a frozen state.

To check the frozen status of your SATA SSD sda, run the following command:

$ sudo hdparm -I /dev/sda | grep frozen

As you can see, the SSD sda is in a frozen state.

To change the frozen state of your SATA SSD to not frozen, you can do one of the following things:

  • Suspend your computer and wake it up.
  • Restart your computer.
  • Plug out the SATA cable from your SSD and plug it back in.

NOTE: Plugging out the SATA cable from your SSD when your computer is running may hang your computer. You can enable Hot Plugging for the SATA port where the SSD is attached from your computer’s BIOS to solve this issue.

Now, check the frozen state of your SSD sda with the following command:

$ sudo hdparm -I /dev/sda | grep frozen

The SSD should not be frozen, as shown in the screenshot below.

Now, you have to set a user password for the SSD and enable security for the SSD.

To enable security for the SSD sda, set the user password secret for the SSD as follows:

$ sudo hdparm --user-master u --security-set-pass secret /dev/sda

The security of the SSD should be enabled, and the user password should be set to secret.

NOTE: Do not restart your computer after this step. You won’t be able to access your SSD unless it’s unlocked.

Now, check whether the user password is set with the following command:

$ sudo hdparm -I /dev/sda

As you can see, the user password is set.

Before you securely format the SSD sda, you can read the first 10 MB of your SSD with the following command:

$ sudo dd if=/dev/sda bs=1M count=10

You should see a lot of random characters, as shown in the screenshot below. This means that the SSD has a lot of data in it.

Once you securely erase the SSD, you should not see any of these random characters no matter how much data you read from the SSD.

There are 2 types of secure erase operations for SATA SSDs: Security Erase and Enhanced Security Erase.

Enhanced Security Erase does a more aggressive erase and takes more time to complete than Security Erase.

You can see how much time a Security Erase and Enhanced Security Erase will complete on the SSD sda with the hdparm utility. As you can see in the screenshot below, my Samsung 860 EVO 500GB SSD will take 4 minutes for Security Erase and 8 minutes for Enhanced Security Erase.

$ sudo hdparm -I /dev/sda

NOTE: Before you start a Security Erase or Enhanced Security Erase operation on your SSD, make sure it is not mounted. Also, once you run the Security Erase or Enhanced Security Erase command, you can’t turn back and stop it.

To do a Security Erase on the SSD sda, run the following command:

$ sudo hdparm --user-master u --security-erase secret /dev/sda

To do an Enhanced Security Erase on the SSD sda, run the following command:

$ sudo hdparm --user-master u --security-erase-enhanced secret /dev/sda

The security erase command should be executed. It may take a while to complete.

Once the SSD sda is securely erased, the user password should be reset, and security should be disabled, as you can see in the screenshot below.

$ sudo hdparm -I /dev/sda

Now, reboot your computer for the changes to take effect as follows:

$ sudo reboot

As you can see, all the partitions of the SSD sda are removed.

$ sudo lsblk -e7

Now, read the first 10 MB of data from your SSD sda, and you should not see any data in there. This means that the SSD is securely erased.

$ sudo dd if=/dev/sda bs=1M count=10

Securely Erase NVME SSDs with SSD Hardware Feature:

You can securely erase NVME SSDs with the Secure Erase hardware features of your NVME SSD. To do that, you need to have the nvme-cli package installed on your computer. If you don’t have the nvme-cli package installed on your computer, check the Installing nvme-cli section of this article.

Once you have the nvme-cli package installed, you can list all the NVME SSDs installed on your computer with the following command:

$ sudo nvme list

The NVME SSDs installed on your computer should be listed.

In my case, the device path of my NVME SSD is /dev/nvme0n1. It may be different for you. So, make sure to replace it with yours from now on.

I have many partitions in my NVME SSD /dev/nvme0n1, as you can see in the screenshot below. Once the SSD is securely erased, the partitions will be removed as well.

$ sudo lsblk -e7

Different NVME SSDs implement different sets of features. To find out whether your NVME SSD /dev/nvme0n1 supports the required secure erase features, run the following command:

$ sudo nvme id-ctrl /dev/nvme0n1 -H | egrep "Format|Crypto Erase"

You should see the following output if your NVME SSD supports the required secure erase features.

The NVME SSD I am using supports the Format and Crypto Erase features.

Your NVME SSD’s features do not support the Not Supported status, as you can see in the screenshot below.

There are 2 types of secure erase operations for NVME SSDs: User Data Erase and Cryptographic Erase.

User Data Erase: The SSD controller will erase all the user data. It may fill them with zeroes or ones.

Cryptographic Erase: The SSD controller will erase all the user data cryptographically.

NOTE: Once you start an erase operation, you won’t be able to stop it.

To perform a User Data Erase operation on your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme format /dev/nvme0n1 -s 1 -n 1

To perform a Crytographic Erase operation on your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme format /dev/nvme0n1 -s 2 -n 1

The NVME SSD /dev/nvme0n1 should be securely erased.

For the changes to take effect, restart your computer with the following command:

$ sudo reboot

The data and partitions of your NVME SSD should be removed.

$ sudo lsblk -e7

Sanitizing NVME SSDs with SSD Hardware Feature

You can securely erase NVME SSDs with the Sanitize hardware features of your NVME SSD. The Sanitize feature of the NVME SSD removes all the user data, caches, non-volatile media, and controller memory buffers. So, nothing can ever be recovered in any way.

To sanitize NVME SSDs, you need to have the nvme-cli package installed on your computer. If you don’t have the nvme-cli package installed on your computer, check the Installing nvme-cli section of this article.

Once you have the nvme-cli package installed, you can list all the NVME SSDs installed on your computer with the following command:

$ sudo nvme list

The NVME SSDs installed on your computer should be listed.

In my case, the device path of my NVME SSD is /dev/nvme0n1. It may be different for you. So, make sure to replace it with yours from now on.

I have some partitions in my NVME SSD /dev/nvme0n1, as you can see in the screenshot below. Once the SSD is securely erased, the partitions will be removed as well.

$ sudo lsblk -e7

To find out whether your NVME SSD /dev/nvme0n1 supports the required Sanitize features, run the following command:

$ sudo nvme id-ctrl /dev/nvme0n1 -H | egrep "Sanitize"

The Sanitize support status of your NVME SSD should be printed.

My NVME SSD does not support the Sanitize feature, as you can see in the screenshot below.

There are 4 types of sanitize operations for NVME SSDs:

  1. Exit Failure Mode
  2. Block Erase: Starts a block erase sanitize operation.
  3. Overwrite: Starts an overwrite sanitize operation. It is not recommended for NVME SSDs as it will wear out the NAND cells of the SSD.
  4. Crypto Erase: Starts crypto-erase sanitize operation.

NOTE: Once you start the sanitize operation, you won’t be able to stop it. You won’t be able to use the SSD until the sanitize operation finishes. The sanitize operation will even survive reboots.

To start a sanitize operation on your NVME SSD /dev/nvme0n1 in Exit Failure Mode, run the following command:

$ sudo nvme sanitize -a 1 /dev/nvme0n1

To start a Block Erase sanitize operation on your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme sanitize -a 2 /dev/nvme0n1

To start an Overwrite sanitize operation on your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme sanitize -a 3 /dev/nvme0n1

To start a Crypto Erase sanitize operation on your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme sanitize -a 4 /dev/nvme0n1

To check the sanitization progress of your NVME SSD /dev/nvme0n1, run the following command:

$ sudo nvme sanitize-log /dev/nvme0n1

The running sanitization type, sanitization progress, sanitization status, and the estimated time to finish each of the sanitize operations should be listed.

Once the sanitize operation is completed, the data and partitions of your NVME SSD should be removed.

$ sudo lsblk -e7

Conclusion:

This article shows you how to install GNOME disks, hdparm, and nvme-cli on your computer. I have also shown you how to securely erase SSDs with the GNOME Disks app and the dd command. I have shown you how to securely erase SATA SSDs and NVME SSDs using the SSD’s secure erase hardware feature. Finally, I have shown you how to erase NVME SSDs with the sanitize command securely.

References:
[1] Solid state drive/Memory cell clearing – ArchWiki
[2] NVMe® Technology Solves Many Common Sanitize Operation Issues – NVM Express

About the author

Shahriar Shovon

Freelancer & Linux System Administrator. Also loves Web API development with Node.js and JavaScript. I was born in Bangladesh. I am currently studying Electronics and Communication Engineering at Khulna University of Engineering & Technology (KUET), one of the demanding public engineering universities of Bangladesh.