24 May 2018

How to securely wipe an NVMe drive

NVMe drives are great: they are fast and they are huge. That huge size, however, can be a pain when it comes to securely erasing data. Old-school commands like wipe are simply not up to the task; and even if they were, they work on assumptions that do not map properly to a solid-state world. Writing random data over and over is going to dramatically reduce the lifespan of a solid-state drive, and it's pointless when all NVMe disks already have built-in tools that can take care of this task quickly and safely.

So what do you do when you want to wipe an NVMe drive?
  1. Download a recent Linux distribution. I would recommend Debian/Ubuntu or one of their smaller derivatives (like Knoppix). Burn it on a CD-ROM or USB drive and boot the system from it.
  2. Make sure your package manager is up-to-date (under Debian/Ubuntu, sudo apt-get update), then install nvme-cli (sudo apt-get install nvme-cli).
  3. If your drive is a Samsung, it now has to be put to sleep (you can do that with sudo systemctl suspend) and then woken up. This is a weird bug that Samsung doesn't seem in any hurry to fix.
  4. Now you can securely wipe the disk: sudo nvme format -s1 /dev/nvme0n1
For the curious: the -s option triggers Secure Erase mode, which can be set to 1 (wipe) or 2 (delete encryption keys for encrypted data). 1 looks like the safest option, because it will automatically do what 2 does if it detects that all data is encrypted. Reference here.
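
A read-only pre-flight check for step 4, added here as an example (it is not part of the original post): it confirms the target is an unmounted block device and decodes the controller's Format NVM Attributes (fna) field from nvme id-ctrl, which tells you whether a secure erase also hits every other namespace on the controller and whether cryptographic erase is supported. The function names and the sample id-ctrl text are constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only pre-flight checks before `nvme format -s1`.
# Function names and the sample text are constructed for illustration.

# Constructed sample of `nvme id-ctrl` text output (not from a real drive).
SAMPLE_IDCTRL='vid       : 0x1234
oacs      : 0x17
fna       : 0x6
vwc       : 0x1'

# Print the fna (Format NVM Attributes) value from id-ctrl text on stdin.
fna_from_idctrl() {
    awk -F: '$1 ~ /^fna[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Decode fna: bit 1 = secure erase hits every namespace on the controller,
# bit 2 = cryptographic erase (-s2) is supported.
describe_fna() {
    fna=$(( $1 ))
    if [ $(( fna & 2 )) -ne 0 ]; then scope=all-namespaces; else scope=this-namespace; fi
    if [ $(( fna & 4 )) -ne 0 ]; then crypto=yes; else crypto=no; fi
    echo "erase-scope=$scope crypto-erase=$crypto"
}

# Succeed if DEV or one of its partitions appears in the mounts file.
is_mounted() {
    awk -v d="$1" '$1 == d || index($1, d "p") == 1 { hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}"
}

# Run the checks against a real namespace device; never formats anything.
preflight() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if is_mounted "$dev"; then
        echo "$dev (or a partition) is mounted; boot from live media" >&2
        return 1
    fi
    fna=$(nvme id-ctrl "$dev" | fna_from_idctrl) || return 1
    [ -n "$fna" ] || { echo "no fna field in id-ctrl output" >&2; return 1; }
    describe_fna "$fna"
    echo "ready: sudo nvme format -s1 $dev"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as root with the namespace device as its only argument (for example /dev/nvme0n1); it only prints the format command and leaves running it to you.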

The latest NVMe specification adds other commands, to scrub every nook and cranny (bus caches etc), but as far as I know they have not been implemented yet.
