Wiping a Disk Drive Prior to Recycling
A neighbor recently asked me what to do with some old hard drives before sending them to recycling. The article that follows gives procedures that will wipe a disk drive in a secure way prior to sending a machine out for repair, donating it or recycling it. You should read the documentation for each method to determine whether or not it meets your information security needs: no one really knows what the NSA and other state-funded intelligence agencies can do, but these methods should be sufficient for most people.
If you have a lot of disks to wipe and they are SATA drives, you can get a USB attachable disk drive duplicator so that you don't have to open up a machine each time you need to change drives. You should allow 2-3 hours per 100G of space on the drive for a 3-pass method, depending greatly on the speed of the machine that you are using; on a machine less than five years old, this will be I/O bound by the speed of the drive and USB connection, but on older machines, it will be CPU bound and will take days on a really old machine. If you are in a hurry to donate a laptop or netbook, it may be fastest to remove the drive from the machine, use a fast desktop to wipe it, and then put it back in the laptop.
The first three sections of this article are aimed at donating drives that have been removed from a machine or USB drives. If you are donating a whole machine, you can create a bootable Ubuntu Linux disk, and wipe the machine from that disk as described in Standalone Ubuntu Bootable DVD.
Before wiping a drive, make SURE that you have backups of the drives on your computer that you intend to keep and that you are wiping the drive that you intend to wipe, as you can easily wipe the wrong disk if you are not careful. The article is divided into the following sections:
Windows
I have not used any of the Windows programs; I have a Linux machine and it is much easier to do there. On Windows machines, perhaps the preferred way to wipe a disk is to use one of two utilities provided by Microsoft:
- SDelete available from Microsoft Technet
- Diagnostics and Recovery Toolset. Unfortunately, the toolset isn't really available to individuals or small businesses, as it requires a volume licensing agreement.
OS X
On OS X, there are two free alternatives. One is part of the disk utility in recent versions of OS X and the other is available in the MacPorts utilities.
Disk Utility
To erase a disk using the Disk Utility, select the drive and select the "Erase" tab as shown in Figure 1, and then select "Security Options" which will bring up the dialog in Figure 2. The default option is not to wipe the drive. As you move to the right, the options increase from 1 to 3, and finally to a 7 pass wipe of the drive. The screen captures are taken on OS X Yosemite (10.10.1) and will look different on earlier versions of the utility. Earlier versions of Disk Utility did 1, 7 and 35 passes.


MacPorts bcwipe Tool
If you have MacPorts installed, bcwipe will give you a command line utility for securely wiping a disk, and will give you a 35-pass option if your version of OS X does not have a 35 pass option. Perhaps the biggest advantage of bcwipe is that it can be run as a batch script--perhaps in a cron job--to erase unused space on a regular basis.
To find the disk device name to pass to bcwipe, use df -h to get the filesystem name, which will look like /dev/disk1s2; it resides on /dev/disk1, the device name that would be given to bcwipe to wipe the entire drive.
Linux
On Linux, it is useful to know the commands to unmount a USB drive and detach the USB drive as two steps:
sudo apt-get install udisks
sudo udisks --unmount /dev/sdb1
sudo udisks --detach /dev/sdb
Substitute your drive letter for the “b” in sdb1 and sdb. Before wiping a drive, you will need to unmount it, but not detach it.
There are at least two alternatives on Linux. Two that I have used are listed below.
wipe
Wipe is one of the earliest tools available on Linux and has perhaps the most useful write-up on how disk drives work and on the security aspects of donating and recycling disk drives. It does not have some of the more recent standards-based wipe protocols. To install and use it, issue the following commands:
sudo apt-get update
sudo apt-get install wipe
sudo wipe -q /dev/sdx
scrub
Scrub was written at Lawrence Livermore National Laboratory and implements the scrub policies for many government organizations. If you need to meet a particular standard, this is probably the easiest way to comply with it.
sudo apt-get update
sudo apt-get install scrub
For a basic wipe of the disk that will meet the policy for many government agencies, use the nnsa pattern:
sudo scrub -p nnsa /dev/sdx
If you want something more secure, the following will do a 35-pass wipe, but recognize that it may take a couple of days:
sudo scrub -p gutmann /dev/sdx
Standalone Ubuntu Bootable DVD
If you are donating a machine, and do not want to remove the drives to wipe them, you can create a bootable CD and run the process from there. Be forewarned that by the time you are ready to donate a machine it is old and slow--running a wipe on an old machine may take a couple of days. Use the following steps:
- Download an ISO image of Ubuntu from the Ubuntu Download site. Choose the 32-bit version, since it will run on everything.
- Burn the ISO to a bootable disk using the disk burner of your choice. Instructions for burning a DVD are available for both Windows and for OS X.
- Boot the machine to be wiped from the DVD. If the machine does not boot from the DVD, you will need to change the boot order in your BIOS. This will require pressing a particular set of keys while the machine is powering on to bring up the BIOS settings utility. Search on your manufacturer and model number to find out what keys to use.
- When you have booted from the CD, choose the option to run Ubuntu from the CD rather than install it. Make sure that the machine is connected to the Internet.
- Once you have booted to a desktop, open a terminal window and issue the following commands:
sudo apt-get update
sudo apt-get install scrub
followed by
sudo scrub -p nnsa /dev/sda
- If the machine has multiple drives, you can start multiple terminal sessions and run the disk wipes in parallel. To get the disk names, use the command
lsblk
and select the three letter device names at the top of the hierarchy.
This will take a few hours.
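The warning about wiping the wrong disk, the unmount step in the Linux section and the lsblk listing above can be combined into a pre-flight check that refuses anything other than an idle whole drive. This is an added example, not part of the original article: check_target, wipe_drive and field are hypothetical names, the listing is constructed, and lsblk's -P output is assumed to have the NAME="..." form shown.

```shell
# Added example: refuse to wipe anything but an idle whole drive.
# Constructed sample of `lsblk -P -n -o NAME,TYPE,MOUNTPOINT,PKNAME` output.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"
NAME="sdc" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdc1" TYPE="part" MOUNTPOINT="" PKNAME="sdc"
NAME="sdd" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdd1" TYPE="part" MOUNTPOINT="" PKNAME="sdd"
NAME="cr_data" TYPE="crypt" MOUNTPOINT="/home" PKNAME="sdd1"'

# field LINE KEY: print the value of KEY="..." from one lsblk -P line.
field() { printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"; }

# check_target DEVICE LISTING: 0 = idle whole drive, 1 = not a whole drive
# (or not found), 2 = the drive or something stacked on it is mounted.
check_target() {
    local target="${1#/dev/}" family="" line name type mnt parent
    while IFS= read -r line; do
        name=$(field "$line" NAME); type=$(field "$line" TYPE)
        mnt=$(field "$line" MOUNTPOINT); parent=$(field "$line" PKNAME)
        if [ "$name" = "$target" ]; then
            [ "$type" = "disk" ] || return 1    # e.g. sdb1 is a partition
            family="$name"
        else                                    # keep only descendants of target
            case " $family " in *" ${parent:-?} "*) family="$family $name" ;; *) continue ;; esac
        fi
        [ -z "$mnt" ] || return 2               # mounted, or in use as swap
    done <<EOF
$2
EOF
    [ -n "$family" ] || return 1                # target not in the listing
}

# Hypothetical wrapper: check the live system, confirm, then run the article's scrub command.
wipe_drive() {
    local dev="$1" answer
    check_target "$dev" "$(lsblk -P -n -o NAME,TYPE,MOUNTPOINT,PKNAME)" ||
        { echo "refusing: $dev is not an idle whole drive" >&2; return 1; }
    lsblk -o NAME,SIZE,MODEL,SERIAL "$dev"
    printf 'Type %s again to wipe it: ' "$dev"; read -r answer
    [ "$answer" = "$dev" ] && sudo scrub -p nnsa "$dev"
}

# Demo on the constructed listing only; nothing is wiped here.
for d in /dev/sda /dev/sdb /dev/sdb1 /dev/sdc /dev/sdd; do
    check_target "$d" "$SAMPLE_LSBLK" && echo "$d: idle" || echo "$d: refused ($?)"
done
```

On a real system, source the file and call wipe_drive with the device name, substituting your drive letter as elsewhere in the article.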