NVMe Secure Erase Guide
nvme-format, part of nvme-cli (NVMe management command line interface), offers two Secure Erase options:
Secure Erase Settings: This field specifies whether a secure erase should be performed as part of the format and the type of the secure erase operation. The erase applies to all user data, regardless of location (e.g., within an exposed LBA, within a cache, within deallocated LBAs, etc). Defaults to 0.
Value | Definition |
---|---|
0 | No secure erase operation requested |
1 | User Data Erase: All user data shall be erased, contents of the user data after the erase is indeterminate. The controller may perform a cryptographic erase when a User Data Erase is requested if all user data is encrypted. |
2 | Cryptographic Erase: All user data shall be erased cryptographically. This is accomplished by deleting the encryption key. |
3-7 | Reserved |
NVM Express Base Specification Revision 1.3c (May 24, 2018) states:
As part of the Format NVM command, the host may request a secure erase of the contents of the NVM. There are two types of secure erase. The User Data Erase erases all user content present in the NVM subsystem. The Cryptographic Erase erases all user content present in the NVM subsystem by deleting the encryption key with which the user data was previously encrypted.
Usage
- Install nvme-cli: The nvme-cli README.md includes
installation instructions for a number of Linux distributions, though building is as simple as
make && make install
- List NVMe devices:
- Verify Secure Erase support:
- Issue Secure Erase command:
- If errors were encountered, suspend and resume computer then re-run:
- Verify
# hexdump /dev/nvme0n1 0000000 0000 0000 0000 0000 0000 0000 0000 0000 * 3a38b2e000
# nvme list Node SN Model Namespace Usage Format FW Rev ---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- -------- /dev/nvme0n1 XXXXXXXXXXXX WDS250G2X0C-00L350 1 250.06 GB / 250.06 GB 512 B + 0 B 101110WD
# nvme id-ctrl -H /dev/nvme0 NVME Identify Controller: vid : 0x15b7 ssvid : 0x15b7 sn : XXXXXXXXXXXX mn : WDS250G2X0C-00L350 fr : 101110WD ... oacs : 0x17 [1:1] : 0x1 Format NVM Supported ... fna : 0 [2:2] : 0 Crypto Erase Not Supported as part of Secure Erase ...
This device supports User Data Erase (value 1 in above table), but not Cryptographic Erase (value 2 in above table).
# nvme format /dev/nvme0 --ses=1 Success formatting namespace:ffffffff
# nvme format /dev/nvme0 --ses=1 NVME Admin command error:INVALID_FORMAT(410a) # systemctl -i suspend # nvme format /dev/nvme0 --ses=1 Success formatting namespace:ffffffff
Notes
- There are reports of "NVME Admin command error:INVALID_OPCODE(2001)" on Samsung NVMe SSDs being resolved by suspending and waking the computer as well.
- The manpage on specifying the character device (e.g., /dev/nvme0) vs the namespace block device (e.g., /dev/nvme0n1): If the character device is given, the namespace identifier will default to 0xffffffff to send the format to all namespaces but can be overridden to any namespace with the 'namespace-id' option. If the block device is given, the namespace identifier will default to the namespace id of the block device given but can be overridden with the same option.
- For more information on NVMe character devices (e.g., /dev/nvme0) vs. namespace block devices (e.g., /dev/nvme0n1), see Why is there both character device and block device for nvme? and Managing NVMe Namespaces.
Credits: z399