hdparm vs /dev/zero in hdd erase
They use different methods, and the effectiveness may depend on the drive. The former uses the 'newer' ATA secure erase command and the latter just overwrites it with zeros.
For really old drives that don't have ATA secure erase supported, the latter is the only way to do it - it just overwrites the drive with zeros and in many cases that's enough (though using something like the shred command is better - since it's designed specifically to wipe out data, unlike dd). Most drives wouldn't be accessible after a wipe.
However, with SSDs, data is intentionally internally scrambled and stored for wear levelling purposes. Overwriting it with zeros should work, but it isn't certain - in which case doing a SATA secure erase is a better solution. It may also provide a short term performance boost on a drive that is suffering from write amplification. SATA secure erase will trigger the internal erasure method, and is the best way to be assured of a wipe.
In most modern drives the hdparm method should be sufficient and reliable enough to use. If you need to zero out a drive for whatever reason, use the dd method.
user149770
Updated on September 18, 2022
Comments
-
user149770 almost 2 years
So, what is more secure and why?
hdparm --security-erase-enhanced NULL /dev/sdX
or
dd if=/dev/zero of=/dev/sdx
-
Izzy almost 12 years
If overwriting from /dev/zero seems insufficient, one could additionally make a second run with /dev/random as source. Btw: SSDs use NAND-Flash, don't they? So if you instead use /dev/random as source, this should trigger the internal block erasure in most cases. Still, writes to NAND-Flash devices should be minimized as much as possible, if you want to increase the lifespan of those devices - they have a limited "write-count".
-
Thalys almost 12 years
With SSDs ATA secure erase is a much better idea since you KNOW it triggers an internal block erase. Anything else is a crapshoot.
-
Izzy almost 12 years
Ah, OK -- thank you for that detail. ATA secure erase I haven't heard of before, so please forgive me my ignorance concerning this piece ;) Maybe you want to add this detail to your answer directly -- e.g. behind "better solution, as it for sure triggers..." or the like?
-
Wyzard almost 12 years
Note that hdparm imposes a timeout based on how long the drive reports that its security erase should take. (This is shown in the security section of the hdparm -I output.) If the drive doesn't provide that information, hdparm assumes a hard-coded limit of 3 hours. There are some (older) drives that don't report how long an erase takes, but take more than 3 hours, so hdparm will stop waiting and reset the drive before the erase is done. Be careful about this if you don't see a line like "322min for SECURITY ERASE UNIT" in your hdparm -I output.
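
The timeout check described in the last comment, as an added example that is not part of the original thread: it reads the Security section of hdparm -I output and reports whether the drive advertises an erase time or whether hdparm's 3-hour fallback would apply. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check `hdparm -I` output before an
# ATA security erase. Function names are hypothetical; samples are constructed.

FALLBACK_MIN=180  # hdparm's hard-coded wait when no time is reported (3 hours)

# Constructed sample: a drive that advertises its erase times.
SAMPLE_REPORTS='Security:
        supported
    not enabled
    not locked
        supported: enhanced erase
    322min for SECURITY ERASE UNIT. 340min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: an older drive that advertises no erase time.
SAMPLE_SILENT='Security:
        supported
    not enabled
    not locked'

# erase_minutes KIND TEXT -> advertised minutes, or nothing if not reported.
# KIND is "normal" (--security-erase) or "enhanced" (--security-erase-enhanced).
erase_minutes() {
    label=''
    if [ "$1" = enhanced ]; then label='ENHANCED '; fi
    printf '%s\n' "$2" |
        awk -v unit="min for ${label}SECURITY ERASE UNIT" '
            { i = index($0, unit)
              if (i) { s = substr($0, 1, i - 1)   # text before "min for ..."
                       sub(/.*[^0-9]/, "", s)     # keep only the trailing digits
                       if (s ~ /^[0-9]+$/) print s
                       exit } }'
}

# timeout_verdict KIND TEXT -> one-line verdict on the timeout risk.
timeout_verdict() {
    mins=$(erase_minutes "$1" "$2")
    if [ -z "$mins" ]; then
        echo "UNKNOWN: no erase time reported; hdparm falls back to ${FALLBACK_MIN}min"
    else
        echo "REPORTED: ${mins}min for $1 erase"
    fi
}

# With a device argument, check the real drive (needs root and hdparm);
# without one, show the verdict for both constructed samples.
if [ -n "${1:-}" ]; then
    timeout_verdict enhanced "$(hdparm -I "$1")"
else
    timeout_verdict enhanced "$SAMPLE_REPORTS"
    timeout_verdict enhanced "$SAMPLE_SILENT"
fi
```

An UNKNOWN verdict means the erase may be cut short on a drive that needs more than 3 hours, so the drive should be re-checked afterwards rather than assumed wiped.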