How to securely erase a disk in Linux
When you perform data deletion actions such as removing files and folders, formatting partitions, or partitioning disks, the actual data is not deleted. Rather, only the pointers to the data are removed. For instance, deleting a partition simply removes the partition's entry in the partition table, leaving the actual partition data intact. This can pose a problem when you need to securely erase data, like when disposing of a disk containing sensitive files or when selling your hard drive.
To securely erase all files and data on a disk, you can overwrite the existing data with empty or random data. In Linux, you can achieve this using the dd command by providing either zeros or random characters as input.
Steps to safely and thoroughly wipe a disk and its partitions in Linux:
- Open the terminal.
- Display a list of available disks and partitions in your system.
$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 55.4M 1 loop /snap/core18/19 loop1 7:1 0 55.4M 1 loop /snap/core18/19 loop2 7:2 0 51M 1 loop /snap/snap-stor loop3 7:3 0 219M 1 loop /snap/gnome-3-3 loop4 7:4 0 217.9M 1 loop /snap/gnome-3-3 loop5 7:5 0 31.1M 1 loop /snap/snapd/104 loop6 7:6 0 62.1M 1 loop /snap/gtk-commo loop7 7:7 0 64.8M 1 loop /snap/gtk-commo loop8 7:8 0 51M 1 loop /snap/snap-stor loop9 7:9 0 31.1M 1 loop /snap/snapd/107 sda 8:0 0 20G 0 disk ├─sda1 8:1 0 1M 0 part ├─sda2 8:2 0 513M 0 part /boot/efi └─sda3 8:3 0 19.5G 0 part / sdb 8:16 0 20G 0 disk └─sdb1 8:17 0 20G 0 part sr0 11:0 1 1024M 0 rom
- Ensure that the disk or partition you want to securely erase is not mounted.
$ sudo umount /dev/sdb1 [sudo] password for user: umount: /dev/sdb1: not mounted.
Launch live cd such as from Ubuntu installer if the disk can't be unmounted such as the root filesystem.
- Use the dd command to overwrite the disk or partition with zeros or random data.
$ sudo dd if=/dev/zero of=/dev/sdb status=progress 21471859200 bytes (21 GB, 20 GiB) copied, 269 s, 79.8 MB/s dd: writing to '/dev/sdb': No space left on device 41943041+0 records in 41943040+0 records out 21474836480 bytes (21 GB, 20 GiB) copied, 269.451 s, 79.7 MB/s
This will take a while as dd will need to write every single bit of data within the disk. Time taken depends on the disk size and disk speed.
Replace /dev/zero with /dev/random or /dev/urandom to fill the disk with random character instead.
It is recomended to use /dev/random or /dev/urandom and to repeat this step multiple times (multi-pass) for SSD devices as some built-in function in SSD's controller might still leave some data intact with the common disk-zeroing method.
- If you have deleted an entire disk rather than just a partition, refresh the partition table.
$ partprobe
- List the disks and partitions once more to confirm the deletion.
$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 55.4M 1 loop /snap/core18/19 loop1 7:1 0 55.4M 1 loop /snap/core18/19 loop2 7:2 0 51M 1 loop /snap/snap-stor loop3 7:3 0 219M 1 loop /snap/gnome-3-3 loop4 7:4 0 217.9M 1 loop /snap/gnome-3-3 loop5 7:5 0 31.1M 1 loop /snap/snapd/104 loop6 7:6 0 62.1M 1 loop /snap/gtk-commo loop7 7:7 0 64.8M 1 loop /snap/gtk-commo loop8 7:8 0 51M 1 loop /snap/snap-stor loop9 7:9 0 31.1M 1 loop /snap/snapd/107 sda 8:0 0 20G 0 disk ├─sda1 8:1 0 1M 0 part ├─sda2 8:2 0 513M 0 part /boot/efi └─sda3 8:3 0 19.5G 0 part / sdb 8:16 0 20G 0 disk sr0 11:0 1 1024M 0 rom
- Use an administrative account to verify the disk's content has been securely erased.
# timeout 1 head /dev/sdb
A timeout needs to be set to the command since the disk is now empty, or else the command will need to scan the whole disk before it quits.
Cloud architect by profession but always consider himself as a developer, entrepreneur and an opensource enthusiast.
Comment anonymously. Login not required.
