24 May 2018

How to securely wipe an NVMe drive

NVMe drives are great: they are fast and they are huge. That huge size, however, can be a pain when it comes to securely erasing data. Old-school commands like wipe are simply not up to the task; and even if they were, they work on assumptions that do not map properly to a solid-state world. Writing random data over and over is going to dramatically reduce the lifespan of a solid-state drive, and it's pointless when all NVMe disks already have built-in tools that can take care of this task quickly and safely.

So what do you do when you want to wipe an NVMe drive?
  1. Download a recent Linux distribution. I would recommend Debian/Ubuntu or one of their smaller derivatives (like Knoppix). Burn it to a CD-ROM or USB drive and boot the system from it.
  2. Make sure your package manager is up-to-date (under Debian/Ubuntu, sudo apt-get update), then install nvme-cli (sudo apt-get install nvme-cli).
  3. If your drive is a Samsung, it now has to be put to sleep (you can do that with sudo systemctl suspend) and then woken up. This is a weird bug that Samsung doesn't seem in any hurry to fix.
  4. Now you can securely wipe the disk: sudo nvme format -s1 /dev/nvme0n1
For the curious: the -s option triggers Secure Erase mode, which can be set to 1 (wipe) or 2 (delete encryption keys for encrypted data). 1 looks like the safest option, because it will automatically do what 2 does if it detects that all data is encrypted. Reference here.

The latest NVMe specification adds other commands, to scrub every nook and cranny (bus caches etc.), but as far as I know they have not been implemented yet.
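
A guarded version of step 4, as an added example that is not part of the original post: it refuses to run on a mounted disk, reports what the controller's FNA field says about secure erase, and compares the first MiB before and after the format. The function names, the script name and the "fna : 0x4" line format expected from nvme id-ctrl are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the author's script): checks around "nvme format -s1".
# Run as root from the live system, e.g.: sh wipe-check.sh /dev/nvme0n1

# Decode the FNA byte from "nvme id-ctrl" text (line assumed to look like
# "fna : 0x4"). Prints "<all_ns> <crypto>": bit 1 = a secure erase hits
# every namespace on the controller, bit 2 = cryptographic erase (-s2) exists.
fna_bits() {
    h=$(printf '%s\n' "$1" | sed -n 's/^fna[[:space:]]*:[[:space:]]*//p' | head -n 1)
    h=${h#0x}
    case $h in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    echo "$(( (0x$h >> 1) & 1 )) $(( (0x$h >> 2) & 1 ))"
}

# True if DEV or one of its partitions appears in a mounts table.
# Mounts only: swap, LVM and dm-crypt users of the disk are not detected.
in_use() {
    grep -Eq "^$1(p[0-9]+)?[[:space:]]" "${2:-/proc/mounts}"
}

# SHA-256 of the first MiB; O_DIRECT on block devices bypasses the page cache.
head_hash() {
    if [ -b "$1" ]; then direct='iflag=direct'; else direct=''; fi
    dd if="$1" bs=1M count=1 $direct 2>/dev/null | sha256sum | cut -d' ' -f1
}

wipe() {
    dev=$1
    ctrl=${dev%n[0-9]*}                      # /dev/nvme0n1 -> /dev/nvme0
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    if in_use "$dev"; then echo "$dev is mounted, refusing" >&2; return 1; fi
    bits=$(fna_bits "$(nvme id-ctrl "$ctrl")") || return 1
    echo "FNA bits (all namespaces, crypto erase): $bits"
    before=$(head_hash "$dev")
    nvme format -s1 "$dev" || return 1
    partprobe "$dev"                         # kernel re-reads the partition table
    after=$(head_hash "$dev")
    # A drive that was already blank also reports "unchanged" here.
    if [ "$before" = "$after" ]; then echo "first MiB unchanged" >&2; return 1; fi
    echo "first MiB changed: $dev no longer returns the old data"
}

[ $# -eq 0 ] || wipe "$1"
```

If the first FNA bit is 1, the erase applies to every namespace on that controller, not only the one named on the command line.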

5 comments:

  1. If your SSD is from Lenovo, it'll be locked out. Even the newest Parted Magic can't factory erase it. Gotta use "ThinkPad Drive Erase Utility for Resetting the Cryptographic Key and Erasing the Solid State Drive - ThinkPad"

  2. I revisit this post semi-frequently, so thanks for the help. However, an update:

    Newer versions of nvme-cli (I'm not sure when it changed) - like the one in Fedora 31/32's repositories - need a little extra effort:

    "nvme format -s1 " throws an "invalid lbaf:255" error, but if you use "nvme format -s1 -lb=0 " it works perfectly after a ten second remorse timer.

    Hope this helps someone along the way!

  3. This works

  4. Anonymous 15/1/22 18:10

    in Ubuntu 21.10

    it did not work - nvme --version => 1.14


    nvme format -s1 /dev/nvme0n1


    there was a 10 secs delay

    a message:
    Success formatting namespace:1

    *however*, nothing was changed and the partition table remained.


    Thanks for the info.

  5. "*however*, nothing was changed and the partition table remained."

    run "partprobe" to detect changes.
