Secure erase on an NVMe SSD
In this article I test NVMe secure erase following this guide. I have this NVMe SSD:
j@arai ~ % sudo nvme id-ctrl -H /dev/nvme0 [1]
NVME Identify Controller:
vid : 0x1c5c
ssvid : 0x1c5c
sn : [...]
mn : PC611 NVMe SK hynix 512GB
fdisk shows the following:
j@arai ~ % sudo fdisk -l
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors
Disk model: PC611 NVMe SK hynix 512GB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: [...]
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 370687 368640 180M EFI System
/dev/nvme0n1p2 370688 632831 262144 128M Microsoft reserved
/dev/nvme0n1p3 632832 205432831 204800000 97.7G Microsoft basic data
/dev/nvme0n1p4 967067648 969095167 2027520 990M Windows recovery environment
/dev/nvme0n1p5 969095168 997165055 28069888 13.4G Windows recovery environment
/dev/nvme0n1p6 997167104 1000214527 3047424 1.5G Windows recovery environment
/dev/nvme0n1p7 205432832 238987263 33554432 16G Linux filesystem
/dev/nvme0n1p8 238987264 967067647 728080384 347.2G Linux filesystem
Let's see whether it is capable of a secure erase:
j@arai ~ % sudo nvme id-ctrl /dev/nvme0 -H | grep -E 'Format |Crypto Erase|Sanitize' [130]
[1:1] : 0x1 Format NVM Supported
[29:29] : 0 No-Deallocate After Sanitize bit in Sanitize command Supported
[2:2] : 0 Overwrite Sanitize Operation Not Supported
[1:1] : 0x1 Block Erase Sanitize Operation Supported
[0:0] : 0 Crypto Erase Sanitize Operation Not Supported
[3:3] : 0 Format NVM Broadcast NSID (FFFFFFFFh) Supported
[2:2] : 0 Crypto Erase Not Supported as part of Secure Erase
[1:1] : 0 Crypto Erase Applies to Single Namespace(s)
[0:0] : 0 Format Applies to Single Namespace(s)
[3:3] : 0 Controller Copy Format 3h Not Supported
[2:2] : 0 Controller Copy Format 2h Not Supported
[1:1] : 0 Controller Copy Format 1h Not Supported
[0:0] : 0 Controller Copy Format 0h Not Supported
It does not support crypto erase, but it does support block erase.
Let's see how long it takes:
j@arai ~ % sudo nvme sanitize-log /dev/nvme0 [0]
Sanitize Progress (SPROG) : 65535
Sanitize Status (SSTAT) : 0
Sanitize Command Dword 10 Information (SCDW10) : 0
Estimated Time For Overwrite : 4294967295 (No time period reported)
Estimated Time For Block Erase : 10
Estimated Time For Crypto Erase : 4294967295 (No time period reported)
Estimated Time For Overwrite (No-Deallocate) : 0
Estimated Time For Block Erase (No-Deallocate) : 0
Estimated Time For Crypto Erase (No-Deallocate): 0
It reports 10 seconds for block erase.
Out of curiosity I try erasing with crypto erase. As we saw above, it is not supported and it fails, as expected:
j@arai ~ % sudo nvme sanitize /dev/nvme0 -a start-crypto-erase [1]
NVMe status: Invalid Field in Command: A reserved coded value or an unsupported value in a defined field(0x2)
I do the block erase:
j@arai ~ % sudo nvme sanitize /dev/nvme0 -a start-block-erase [1]
j@arai ~ %
It was incredibly fast, only 2-3 seconds! … less than the estimated 10 seconds.
fdisk now shows it empty:
j@arai ~ % sudo fdisk -l
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors
Disk model: PC611 NVMe SK hynix 512GB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Taking a quick look with ghex, it seems that all of /dev/nvme0n1 is 0 (by the way, to run ghex as root I need xhost +local:root).
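A scripted version of the two checks above (the sanitize log and the all-zero read-back), as an added example that is not part of the original article. The function names are hypothetical, and the meaning of the SSTAT status bits is taken from the NVMe specification rather than from this page.

```shell
#!/bin/sh
# Added example (not from the original article): check a sanitize result.
# Function names are hypothetical; SSTAT meanings are from the NVMe spec.

# Read `nvme sanitize-log` text on stdin and print the sanitize state.
# SSTAT bits 2:0: 0 never sanitized, 1 completed, 2 in progress,
# 3 failed, 4 completed with all logical blocks deallocated.
sanitize_state() {
    sstat=$(sed -n 's/^Sanitize Status[[:space:]]*(SSTAT)[[:space:]]*:[[:space:]]*\([0-9A-Fa-fx]*\).*/\1/p' | head -n 1)
    [ -n "$sstat" ] || { echo unknown; return 0; }
    case $(( $sstat & 7 )) in
        0)   echo never-sanitized ;;
        1|4) echo completed ;;
        2)   echo in-progress ;;
        3)   echo failed ;;
        *)   echo unknown ;;
    esac
}

# Return 0 if the first $2 bytes of $1 read back as zero. Without $2 the
# whole device (blockdev) or regular file (wc) is checked. cmp stops at
# the first non-zero byte, so a dirty device fails fast.
is_all_zero() {
    size=${2:-}
    [ -n "$size" ] || size=$(blockdev --getsize64 "$1" 2>/dev/null) ||
        size=$(( $(wc -c < "$1") ))
    cmp -s -n "$size" "$1" /dev/zero
}

# Usage on the drive from the article (run as root):
#   nvme sanitize-log /dev/nvme0 | sanitize_state
#   is_all_zero /dev/nvme0n1 && echo "reads back as zeros"
```

A zero read-back only shows what the controller returns for the logical blocks, while the sanitize log status is the drive's own report that the operation finished, so both are worth recording.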