Securely wiping a disk or partition in Linux prevents previously stored data from being recovered when a drive is repurposed, decommissioned, or handed off to another party. Regular deletion and formatting operations mostly update filesystem metadata, leaving underlying blocks intact for forensic tools, so sensitive information can survive long after a filesystem has been removed.

Block devices exposed as /dev/sdX or /dev/nvmeXnY present the raw storage that sits beneath filesystems and partition tables. Overwriting every block with known patterns or instructing the controller to discard all blocks ensures old content is no longer accessible through normal interfaces. Tools such as lsblk, dd, and blkdiscard work together to identify the correct device and apply the wipe at the device layer instead of within a single filesystem.

Destructive write operations can instantly erase operating systems and data if pointed at the wrong device, so careful identification of disk names and mount points is essential. Solid-state drives use wear‑leveling, which changes how overwrites behave compared to spinning disks and makes controller-level discard operations preferable to repeated random passes. Running the procedure from a live environment after creating any required backups reduces the risk of accidentally wiping an active or irreplaceable system.

Steps to completely wipe a disk or partition in Linux:

  1. Open a terminal with access to a user account in the sudo group.
    $ whoami
    user

    sudo access is required because wiping operations target block devices such as /dev/sdb that are owned by the root user.

  2. List available disks and partitions to locate the target device name.
    $ lsblk
    NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    loop0    7:0    0  55.4M  1 loop /snap/core18/19
    loop1    7:1    0  55.4M  1 loop /snap/core18/19
    loop2    7:2    0    51M  1 loop /snap/snap-stor
    loop3    7:3    0   219M  1 loop /snap/gnome-3-3
    loop4    7:4    0 217.9M  1 loop /snap/gnome-3-3
    loop5    7:5    0  31.1M  1 loop /snap/snapd/104
    loop6    7:6    0  62.1M  1 loop /snap/gtk-commo
    loop7    7:7    0  64.8M  1 loop /snap/gtk-commo
    loop8    7:8    0    51M  1 loop /snap/snap-stor
    loop9    7:9    0  31.1M  1 loop /snap/snapd/107
    sda      8:0    0    20G  0 disk 
    ├─sda1   8:1    0     1M  0 part 
    ├─sda2   8:2    0   513M  0 part /boot/efi
    └─sda3   8:3    0  19.5G  0 part /
    sdb      8:16   0    20G  0 disk 
    └─sdb1   8:17   0    20G  0 part 
    sr0     11:0    1  1024M  0 rom

    Match the capacity and TYPE fields to the intended target to avoid selecting the system disk or an external device that must be kept.

  3. Ensure the target disk or partition is not the current system disk or an active mount.
    $ lsblk -f
    NAME   FSTYPE LABEL UUID                                 MOUNTPOINT
    sda
    ├─sda1 vfat         1111-2222                            /boot/efi
    └─sda3 ext4  root  33333333-4444-5555-6666-777777777777 /
    sdb
    └─sdb1 ext4  data  88888888-9999-aaaa-bbbb-cccccccccccc 

    Wiping a mounted system disk such as /dev/sda typically destroys the running installation and leaves the machine unbootable.

  4. Unmount the target partition if it has a mount point.
    $ sudo umount /dev/sdb1
    umount: /dev/sdb1: not mounted.

    Unmounting ensures no filesystem activity interferes with the wiping operation; use a live environment when the target contains the active root filesystem.

  5. For traditional HDD media or non‑TRIM‑aware devices, overwrite the entire disk with zeros.
    $ sudo dd if=/dev/zero of=/dev/sdb bs=1M status=progress oflag=direct
    21471859200 bytes (21 GB, 20 GiB) copied, 269 s, 79.8 MB/s
    dd: writing to '/dev/sdb': No space left on device
    20480+0 records in
    20479+0 records out
    21474836480 bytes (21 GB, 20 GiB) copied, 269.451 s, 79.7 MB/s

    The dd command irreversibly overwrites every block on the specified device; an incorrect of= value erases the wrong disk without any interactive confirmation.

  6. For SSD devices that support TRIM, discard all blocks using blkdiscard instead of repeated overwrites.
    $ sudo blkdiscard /dev/sdb

    blkdiscard instructs the controller to mark all blocks as unused, which can complete almost instantly; verify the device name very carefully before running the command.

  7. Inform the kernel that the partition table on the wiped disk has changed or is now empty.
    $ sudo partprobe /dev/sdb

    partprobe forces a rescan so tools such as lsblk and partition editors see the updated layout.

  8. Verify that no partitions remain on the wiped disk and that it appears only as a bare device.
    $ lsblk
    NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    loop0    7:0    0  55.4M  1 loop /snap/core18/19
    loop1    7:1    0  55.4M  1 loop /snap/core18/19
    loop2    7:2    0    51M  1 loop /snap/snap-stor
    loop3    7:3    0   219M  1 loop /snap/gnome-3-3
    loop4    7:4    0 217.9M  1 loop /snap/gnome-3-3
    loop5    7:5    0  31.1M  1 loop /snap/snapd/104
    loop6    7:6    0  62.1M  1 loop /snap/gtk-commo
    loop7    7:7    0  64.8M  1 loop /snap/gtk-commo
    loop8    7:8    0    51M  1 loop /snap/snap-stor
    loop9    7:9    0  31.1M  1 loop /snap/snapd/107
    sda      8:0    0    20G  0 disk 
    ├─sda1   8:1    0     1M  0 part 
    ├─sda2   8:2    0   513M  0 part /boot/efi
    └─sda3   8:3    0  19.5G  0 part /
    sdb      8:16   0    20G  0 disk 
    sr0     11:0    1  1024M  0 rom

  9. Optionally read a small portion of the device to confirm only zeros or non‑structured data remains.
    $ sudo head -c 1024 /dev/sdb | hexdump -C
    00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
    ##### snipped #####

    Random or all‑zero output with no filesystem signatures indicates that previous data and partition metadata were successfully removed.
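
The mount check in steps 3 and 4 and the read-back in step 9 can be scripted so the wipe is gated on the first and confirmed over the whole device rather than its first 1024 bytes. This is an added example, not part of the original article; the function names mounted_parts and verify_zeroed are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.

# mounted_parts: reads "NAME MOUNTPOINT" lines on stdin, the format printed by
#   lsblk -nrpo NAME,MOUNTPOINT /dev/sdX
# Prints every entry that still has a mount point (active swap shows up as
# [SWAP]) and returns 0 only when nothing is mounted.
mounted_parts() {
    awk 'NF >= 2 { print; busy = 1 } END { exit (busy + 0) }'
}

# verify_zeroed: succeeds only if every byte of $1 is 0x00.
# tr deletes NUL bytes, so anything that reaches head is leftover data;
# head -c 1 keeps only the first such byte, which is enough to fail the check.
verify_zeroed() {
    [ -r "$1" ] || { echo "verify_zeroed: cannot read $1" >&2; return 2; }
    left=$(tr -d '\000' < "$1" | head -c 1 | wc -c)
    if [ "$left" -eq 0 ]; then
        return 0
    fi
    echo "verify_zeroed: $1 still contains non-zero data" >&2
    return 1
}

# Typical use as root against the page's example target /dev/sdb:
#   lsblk -nrpo NAME,MOUNTPOINT /dev/sdb | mounted_parts || exit 1
#   dd if=/dev/zero of=/dev/sdb bs=1M status=progress oflag=direct
#   verify_zeroed /dev/sdb
```

verify_zeroed fits the dd path in step 5; a device wiped with blkdiscard is not guaranteed to read back as zeros, so a non-zero result there does not by itself mean the discard failed.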
