Clearing old Disks – Wipe them
Before re-using any old disk, I like to wipe it of data. Before removing the disk from the node, we wipe it clean. Now the disks are ready to be stored for later use or passed to a new owner with an old server.
Selling or throwing out your PC? You need to wipe it first. Not doing so risks someone getting to the data on it and potentially using it to gain access to your online banking accounts, to snoop on your private photos, or to gain access to your systems at work.
This article is about CLI commands to use on any Linux server. As most storage is best on spinning HDDs, doing this on a large disk may take some time. To erase a hard disk permanently, you can use the standard dd command. However, I recommend using the shred, wipe or scrub commands.
Be cautious using the commands listed below!
– They delete and destroy all data.
– It's highly recommended that you always keep verified backups.
See also my post Burn-in Hard Drives and Servers
The traditional dd command
This Linux command will remove all partitions from an HDD.
The syntax is:
dd if=/dev/zero of=/dev/<your_disk> bs=512 count=1
dd if=/dev/urandom of=/dev/<your_disk> bs=512 count=1
Remove data from the SATA disk /dev/sdh, using the dd command:
- bs=BYTES, read and write up to BYTES bytes at a time (default: 512)
- count=N, copy only N input blocks (default: 1)
- if=FILE, read from FILE instead of stdin
- of=FILE, write to FILE instead of stdout
- /dev/zero is a special file in Unix-like operating systems that provides as many null characters as are read from it.
- /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudo random number generators. They are backed by a CSPRNG that is seeded with entropy from environmental noise, collected from device drivers and other sources.
- status=level, specify the amount of information printed. If this operand is given multiple times, the last one takes precedence. The level value can be one of the following:
  - none – Don't print any informational or warning messages to standard error. Error messages are output as normal.
  - noxfer – Do not print the final transfer rate and volume statistics that normally make up the last status line.
  - progress – Print the transfer rate and volume statistics on standard error, when processing each input block. Statistics are output on a single line at most once every second, but updates can be delayed when waiting on I/O.
Wipe a disk
dd if=/dev/zero of=/dev/sdd bs=1M status=progress
This will take some time, a long time!
Wipe the MBR (Master Boot Record)
If you messed up your master boot record (MBR) you can wipe it using this command:
dd if=/dev/zero of=/dev/sdX bs=446 count=1
Replace X with the target drive letter.
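The full-disk zero wipe with dd shown above, wrapped with a mounted-device guard and a read-back check, as an added example that is not part of the original post. The function names and the MOUNTS_FILE override are assumptions of this example; it relies on GNU coreutils (cmp -n, dd status=none) and util-linux blockdev.

```shell
#!/bin/sh
# Added example, not from the original post.
# MOUNTS_FILE is an assumed override so the guard can be exercised against
# a constructed table; by default it reads the kernel's /proc/mounts.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Succeeds if the device itself or one of its partitions
# (sdb1, nvme0n1p2, ...) appears as a mount source.
# Limitation: LVM or dm-crypt volumes stacked on the disk are not detected.
is_mounted() {
    awk -v d="$1" '
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]*$/ { found = 1 }
        END { exit !found }' "$MOUNTS_FILE"
}

# Size in bytes of a block device, or of a regular file used as a disk image.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds only if every byte of the target reads back as zero.
verify_zeroed() {
    cmp -s -n "$(target_size "$1")" "$1" /dev/zero
}

# Refuse mounted targets, overwrite with zeros, then verify the result.
# Returns 2 on refusal, non-zero if the write or the read-back check fails.
zero_wipe() {
    target="$1"
    if [ ! -r "$MOUNTS_FILE" ] || is_mounted "$target"; then
        echo "refusing: $target is mounted or mount table unreadable" >&2
        return 2
    fi
    size=$(target_size "$target") || return 1
    # Feeding exactly $size bytes avoids dd ending in "No space left on device";
    # conv=notrunc keeps an image file's length, conv=fsync flushes before exit.
    head -c "$size" /dev/zero |
        dd of="$target" bs=1M conv=notrunc,fsync status=none || return 1
    verify_zeroed "$target"
}
```

On a real device, a read-back done right after the write can be served from the page cache, so run verify_zeroed again as a separate step once caches have been dropped or the machine has been rebooted.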
Securely wipe hard disk
The following commands may not be installed on your system, but they can easily be installed with:
apt update && apt install coreutils scrub wipe -y
Make your choice.
Shred
Shred was originally designed to delete files securely. It deletes a file securely by first overwriting it to hide its contents. However, the same command can be used to erase a hard disk. Shred is part of the coreutils package, which comes pre-installed on most Linux distributions. About the syntax:
- -n N, --iterations=N, overwrite N times instead of the default (3)
- -v, --verbose, show progress
- -z, --zero, add a final overwrite with zeros to hide shredding
You can use the shred command to securely remove everything so that no one can recover any data:
shred -n 5 -vz /dev/sdb
Scrub
Scrub iteratively writes patterns on files or disk devices to make retrieving the data more difficult. Select your patterns to write, the default is nnsa. It may take several hours or days.
- nnsa selects patterns compliant with NNSA Policy Letter NAP-14.x;
- dod selects patterns compliant with DoD 5220.22-M;
- bsi selects patterns recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de);
- old selects pre-version 1.7 scrub patterns
- fastold is old without the random pass.
- gutmann is a 35-pass sequence
- random is a single random pass
- random2 is two random passes
The effectiveness of scrubbing regular files through a file system will be limited by the OS and file system. File systems that are known to be problematic are journaled, log structured, copy-on-write, versioned, and network file systems. If in doubt, scrub the raw disk device. In other words, you need to scrub the entire raw device, such as /dev/sdb or /dev/sdvf.
The syntax is: scrub <FileName> like scrub file.txt or scrub -p dod <FileName>
- -p, --pattern, select the patterns to write.
Scrub the entire drive:
scrub -p dod /dev/sdd
Wipe
Wiping over NFS or over a journalling filesystem (ReiserFS etc.) will most probably not work. Therefore, it's strongly recommended to call wipe directly on the corresponding block device with the appropriate options.
You can use the wipe command to delete any file, wipe -D /path/to/file.doc or a disk wipe /dev/sdh.
It’s worth noting that while the wipe command is highly reliable for securely deleting data, it's very time-consuming because of the large number of loops (34 passes) it performs by default. Simply put, running it on terabyte-sized disks could take several days to finish.
- -s (silent mode): All messages, except the confirmation prompt and error messages, are suppressed.
- -q (quick wipe): If this option is used, wipe will only make (by default) 4 passes on each file, writing random data.
- -Q <number-of-passes>: Sets the number of passes for quick wiping. Default is 4.
The badblocks command
The syntax is:
- -c #, # is the number of blocks to be tested at a time, default is 64.
- -n, Use non-destructive read-write mode. By default, only a non-destructive read-only test is done.
- -p #, # is the number of repeat passes scanning the disk until there are no new blocks discovered in num_passes consecutive scans of the disk. Default is 0, meaning badblocks will exit after the first pass.
- -s, show the progress of the scan. Done by writing out rough percentage completion of the current badblocks pass over the disk. Note that badblocks may do multiple test passes over the disk, in particular if the -p or -w option is requested by the user.
- -v, Verbose mode.
- -w, Use write-mode test. With this option, badblocks scans for bad blocks by writing some patterns (0xaa, 0x55, 0xff, 0x00) on every block of the device, reading every block and comparing the contents. This option may not be combined with the -n option, as they are mutually exclusive.
Examples of use:
badblocks -c BLOCK_SIZE_HERE -wsvf /dev/DISK/TO/WIPE
badblocks -wsvf /dev/sde
The disk to erase is /dev/sde.
badblocks -wsvt 0 /dev/sdz
Single pass, writes 0 in all positions.
Non-destructive
-n: Non-destructive read-write mode, which tests each block by writing a pattern, and then reads it back to ensure data integrity.
Destructive Bad blocks test
The following line is for a destructive bad blocks test in a machine with at least 1 gigabyte of ram. There is a single drive to test.
badblocks -b 4096 -c 98304 -p 0 -w -s /dev/sde
-w: Destructive write mode, which writes patterns to every block, erasing existing data but thoroughly testing disk sectors.
With this test we will be using a block size "-b" of 4096 bytes and 98304 blocks at once "-c" to test the drive. Using 1 gig of ram in our machine allows us to use a high number of blocks "-c" and thus speed up our drive test significantly. The argument "-p" is the number of passes to run. By default, we will be running one pass (-p 0 means run once and stop). The flag "-w" means we will be overwriting all data on the disk. The flag "-s" shows progress, and the last argument is the device we are targeting.
Using badblocks to test and wipe disks
Non-destructive
A read-only test, optimized for 1G RAM:
badblocks -b 4096 -c 98304 -p 0 -s /dev/sde
Destructive read/write test:
badblocks -b 4096 -c 98304 -p 0 -w -s /dev/sde
Erasing the contents of a disk drive under Linux is a straightforward procedure. After unmounting all the disk drive's partitions, issue the following command (logged in as root):
badblocks -ws <device-name>
Where <device-name> represents the file name of the disk drive you wish to erase, excluding the partition number. For example, /dev/sdb for the second SATA hard drive. The following output is displayed while badblocks runs:
Writing pattern 0xaaaaaaaa: done
Reading and comparing: done
Writing pattern 0x55555555: done
Reading and comparing: done
Writing pattern 0xffffffff: done
Reading and comparing: done
Writing pattern 0x00000000: done
Reading and comparing: done
Keep in mind that badblocks is actually writing four different data patterns to every block on the disk drive. For large disk drives, this process can take a long time – quite often several hours or days.
ShredOS
The ShredOS disk eraser is a tool for securely wiping storage devices. It's necessary because just deleting files and emptying the Recycle Bin, or re-formatting your hard drive, isn't enough to completely destroy data. File recovery tools can still read that "deleted" data, as while the reference to it was removed from your file system, the actual data is still often readable on the physical storage medium.
This could include logins to your social media, bank accounts, and other sensitive private info that could be used for identity theft, scams, or even blackmail.
45 Drives HD checker – drive-health-check
A tool that gives you peace of mind – confirm whether your drive is genuinely new or previously used.
With concerns about used drives being resold as new, it's crucial to check your storage devices before trusting them. This tool helps you quickly assess a drive’s condition, usage history, and overall health to ensure you get exactly what you paid for.
What the tool does:
- Health Status – Detect signs of wear, bad sectors, and lifespan indicators.
- Usage History – Check power-on hours and total data written.
- SMART Data Analysis – Review key attributes reported by the drive.
Install
The following prerequisites are needed
You need Python 3 installed on your system.
Install Python 3 (Linux - Debian/Ubuntu)
sudo apt update && sudo apt install python3
Verify the installation: python3 --version
Install Dependencies
Run the following command to install the required dependencies:
pip install WeasyPrint==52.5 pycairo PyGObject
Note: You may need additional system dependencies:
sudo apt install libgtk-3-dev libpango1.0-0 libcairo2-dev
Running the Script
Download smartctl and place it in the same directory as drive-checker.py:
bin/smartctl
Run the script with administrator privileges:
sudo python3 drive-checker.py