This pair of scripts is written to assist with securely wiping hard drives and SSDs (SATA, NVMe is not currently supported).
The HDD script is utilizing the methodology from The Arch Linux wiki. The SSD script is utilizing secure erasure as guided by code.mendhak.com.
Both scripts ask for the disk to wipe and perform a check to ensure the disk is safe to wipe (aka: not currently mounted)
Technically, you can use hdd-wipe.sh against SSDs. However, it's going to cause unnecessary thrashing against the disk which will consume the limited write cycles of the NAND flash cells.
The two scripts could be combined to ask you if the disk is an HDD or an SSD and perform the separate tasks appropriately, but I wanted to provide them separately in case you only need/want one and to make it easier to read/understand.
The script will ask for the device name (sda, sdb, etc.), how many wipes you wish to perform, if you would like to zero out the disk at the end, and what the block size used should be. Once entered the script will begin wiping the disk and optionally zeroing it out.
The script is hard coded to work against /dev so all you need to do is enter the device name itself.
The script will loop through writing randomized data the number of times you enter here. Generally speaking 4 is a good count, but a lower number will be faster, and a higher number will be more secure.
If select, the last thing the script will do is write zeroes to the disk until it runs out of space. This is not required but generally suggested.
Depending on the disk to be wiped, and potentially the computer performing the wipe, different block sizes can result in higher or lower time to complete speeds of the wipes. You can refer here for some suggestions on how to find the best block size.
However, generally, 1M (aka: 1MB) is generally a good balance and will result in acceptable time to complete times.
The script will generate a 128 byte encryption key from /dev/urandom, and then runs that key thru OpenSSL to generate AES ciphertext, which is then streamed to the disk via dd. When you are running more than 1 wipe, each wipe will use a freshly generated encryption key which will generate fresh ciphertext for each wipe cycle. Zeroing out the disk is not necessary but provides a further wipe cycle that is performed much faster and obfuscates the ciphertext that was there.
The script will ask for the device name (sda, sdb, etc.), ask if you'd like to zero out the disk, ask you to confirm if the drive is frozen or not, set a temporary password to use during the encryption process, and whether you'd like to perform a secure erase or an enhanced secure erase. Once selected the script will begin securely erasing the disk and when complete will also zero out the disk if selected. While not strictly necessary it is a slightly more paranoid way of ensuring the disk truly wiped.
The script is hard coded to work against /dev so all you need to do is enter the device name itself.
If select, the last thing the script will do is write zeroes to the disk until it runs out of space. This is not required but generally suggested.
Sometimes a disk will show as frozen, which will block the secure erase process from continuing. However, putting the computer to sleep and waking it back up will almost always unfreeze the disk.
The SSD Secure Erase spec requires a password be set as part of it's proceedings. Any password will do, and it will be erased as part of the process. It's not a bad idea to select a decently secure password but there's no need to go above and beyond with it.
FOR YOUR SECURITY, DO NO USE A PRE-EXISTING PASSWORD. The script will write out the password you're using in case there is some failure you'll have a reference.
Most SSDs support secure erase, and many newer SSDs will also support enhanced secure erase. Generally speaking, if you disk support enhanced secure erase you want to use it.
Secure erase rotates the disk's internal encryption key, which makes any data on the disk meaningless. Enhanced secure erase does the above while also writing a pattern to the disk set by the manufacturer.
The script is only utilizing the SSD secure erase function, but attempting to guide you through it to make it easier to perform. It finishes by zeroing out the disk. While not strictly necessary, different manufacturers support the secure erase function of SSDs in various ways, and it's been shown that some are not as good as others. Zeroing the disk is just an added safety precaution and thus I suggest it, however, again, it's not strictly required.