1SG_SANITIZE(8) SG3_UTILS SG_SANITIZE(8)
2
6 sg_sanitize - remove all user data from disk with SCSI SANITIZE command
7
9 sg_sanitize [--ause] [--block] [--count=OC] [--crypto] [--early]
10 [--fail] [--help] [--invert] [--ipl=LEN] [--overwrite] [--pattern=PF]
11 [--quick] [--test=TE] [--verbose] [--version] [--wait] DEVICE
12
14 This utility invokes the SCSI SANITIZE command. This command was first
15 introduced in the SBC-3 revision 27 draft. The purpose of the sanitize
16 operation is to alter the information in the cache and on the medium of
17 a logical unit (e.g. a disk) so that the recovery of user data is not
18 possible. If that user data cannot be erased, or is in the process of
19 being erased, then the sanitize operation prevents access to that user
20 data.
21 Once a SCSI SANITIZE command has successfully started, then user data
23 from that disk is no longer available. Even if the disk is power
24 cycled, the sanitize operation will continue after power is re-instated
25 until it is complete.
26 This utility requires either the --block, --crypto, --fail or --over‐
28 write option. With the --block, --crypto or --overwrite option the user
29 is given 15 seconds to reconsider whether they wish to erase all the
30 data on a disk, unless the --quick option is given in which case the
31 sanitize operation starts immediately. The disk's INQUIRY response
32 strings are printed out just in case the wrong DEVICE has been given.
33 If the --early option is given this utility will exit soon after start‐
35 ing the SANITIZE command with the IMMED bit set. The user can monitor
36 the progress of the sanitize operation with the "sg_request --num=9999
37 --progress" which sends a REQUEST SENSE command every 30 seconds. Oth‐
38 erwise if the --wait option is given then this utility will wait until
39 the SANITIZE command completes (or fails) and that can be many hours.
40 If neither the --early nor --wait option is given then the SANITIZE
42 command is started with the IMMED bit set. After that this utility
43 sends a REQUEST SENSE command every 60 seconds until there are no more
44 progress indications.
45
47 Arguments to long options are mandatory for short options as well. The
48 options are arranged in alphabetical order based on the long option
49 name.
50 -A, --ause
52 sets the AUSE bit in the cdb. AUSE is an acronym for "allow
53 unrestricted sanitize exit". Default action is to leave the bit
54 cleared.
55 -B, --block
57 perform a "block erase" sanitize operation.
58 -c, --count=OC
60 where OC is the "overwrite count" associated with the "over‐
61 write" sanitize operation. OC can be a value between 1 and 31
62 and 1 is the default.
63 -C, --crypto
65 perform a "cryptographic erase" sanitize operation.
66 -e, --early
68 the default action of this utility is to poll the disk every 60
69 seconds to fetch the progress indication until the sanitize is
70 finished. When this option is given this utility will exit
71 "early" as soon as the sanitize has commenced. This option and
72 --wait cannot both be given.
73 -F, --fail
75 perform an "exit failure mode" sanitize operation. Typically
76 requires the preceding SANITIZE command to have set the AUSE
77 bit.
78 -h, --help
80 print out the usage information then exit.
81 -i, --ipl=LEN
83 set the initialization pattern length to LEN bytes. By default
84 it is set to the length of the pattern file (PF). Only active
85 when the --overwrite option is also given. It is the number of
86 bytes from the PF file that will be used as the initialization
87 pattern. The minimum size is 1 byte and the maximum is the logi‐
88 cal block size of the DEVICE (and not to exceed 65535). If LEN
89 exceeds the PF file size then the initialization pattern is
90 padded with zeros.
91 -I, --invert
93 set the INVERT bit in the overwrite service action parameter
94 list. This only affects the "overwrite" sanitize operation. The
95 default is a clear INVERT bit. When the INVERT bit is set then
96 the initialization pattern is inverted between consecutive over‐
97 write passes.
98 -O, --overwrite
100 perform an "overwrite" sanitize operation. When this option is
101 given then the --pattern=PF option is required.
102 -p, --pattern=PF
104 where PF is the filename of a file containing the initialization
105 pattern required by an "overwrite" sanitize operation. The
106 length of this file will be used as the length of the initial‐
107 ization pattern unless the --ipl=LEN option is given. The length
108 of the initialization pattern must be from 1 to the logical
109 block size of the DEVICE.
110 -Q, --quick
112 the default action (i.e. when the option is not given) is to
113 give the user 15 seconds to reconsider doing a sanitize opera‐
114 tion on the DEVICE. When this option is given that step (i.e.
115 the 15 second warning period) is skipped.
116 -T, --test=TE
118 set the TEST field in the overwrite service action parameter
119 list. This only affects the "overwrite" sanitize operation. The
120 default is to place 0 in that field.
121 -v, --verbose
123 increase the level of verbosity, (i.e. debug output).
124 -V, --version
126 print the version string and then exit.
127 -w, --wait
129 the default action (i.e. without this option and the --early
130 option) is to start the SANITIZE command with the IMMED bit set
131 then poll for the progress indication with the REQUEST SENSE
132 command until the sanitize operation is complete (or fails).
133 When this option is given (and the --early option is not given)
134 then the SANITIZE command is started with the IMMED bit clear.
135 For a large disk this might take hours. [A cryptographic erase
136 operation could potentially be very quick.]
137
139 The SCSI SANITIZE command is closely related to the ATA SANITIZE com‐
140 mand, both are relatively new with the ATA command being the first one
141 defined. The SCSI to ATA Translation (SAT) definition for the SCSI
142 SANITIZE command appeared in the SAT-3 revision 4 draft.
143 The SCSI SANITIZE command is related to the SCSI FORMAT UNIT command.
145 It is likely that a block erase sanitize operation would take a similar
146 amount of time as a format on the same disk (e.g. 9 hours for a 2 Ter‐
147 abyte disk). The primary goal of a format is the configuration of the
148 disk at the end of a format (e.g. different logical block size or pro‐
149 tection information added). Removal of user data is only a side effect
150 of a format. With the SCSI SANITIZE command, removal of user data is
151 the primary goal. If a sanitize operation is interrupted (e.g. the
152 disk is power cycled) then after power up any remaining user data will
153 not be available and the sanitize operation will continue. When a for‐
154 mat is interrupted (e.g. the disk is power cycled) the drafts say very
155 little about the state of the disk. In practice some of the original
156 user data may remain and the format may need to be restarted.
157 Finding out whether a disk (SCSI or ATA) supports SANITIZE can be a
159 challenge. If the user really needs to find out and no other informa‐
160 tion is available then try 'sg_sanitize --fail -vvv <device>' and
161 observe the sense data returned may be the safest approach. Using the
162 --fail variant of this utility should have no effect unless it follows
163 an already failed sanitize operation. If the SCSI REPORT SUPPORTED
164 OPERATION CODES command (see sg_opcodes) is supported then using it
165 would be a better approach for finding if sanitize is supported.
166
168 These examples use Linux device names. For suitable device names in
169 other supported Operating Systems see the sg3_utils(8) man page.
170 As a precaution if this utility is called with no options then apart
172 from printing a usage message, nothing happens:
173 sg_sanitize /dev/sdm
175 To do a "block erase" sanitize the --block option is required. The
177 user will be given a 15 second period to reconsider, the SCSI SANITIZE
178 command will be started with the IMMED bit set, then this utility will
179 poll for a progress indication with a REQUEST SENSE command until the
180 sanitize operation is finished:
181 sg_sanitize --block /dev/sdm
183 To start a "block erase" sanitize and return from this utility once it
185 is started (but not yet completed) use the --early option:
186 sg_sanitize --block --early /dev/sdm
188 If the 15 second reconsideration time is not required add the --quick
190 option:
191 sg_sanitize --block --quick --early /dev/sdm
193 To do an "overwrite" sanitize a pattern file is required:
195 sg_sanitize --overwrite --pattern=rand.img /dev/sdm
197 If the length of that "rand.img" is 512 bytes (a typically logical
199 block size) then to use only the first 17 bytes (repeatedly) in the
200 "overwrite" sanitize operation:
201 sg_sanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm
203
205 The exit status of sg_sanitize is 0 when it is successful. Otherwise
206 see the sg3_utils(8) man page. Unless the --wait option is given, the
207 exit status may not reflect the success of otherwise of the format.
208
210 Written by Douglas Gilbert.
211
213 Report bugs to <dgilbert at interlog dot com>.
214
216 Copyright © 2011-2013 Douglas Gilbert
217 This software is distributed under a FreeBSD license. There is NO war‐
218 ranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR‐
219 POSE.
220
222 sg_requests(8), sg_format(8)
223sg3_utils-1.37 September 2013 SG_SANITIZE(8)