1SG_SANITIZE(8)                     SG3_UTILS                    SG_SANITIZE(8)
2
3
4

NAME

6       sg_sanitize - remove all user data from disk with SCSI SANITIZE command
7

SYNOPSIS

9       sg_sanitize   [--ause]   [--block]   [--count=OC]  [--crypto]  [--desc]
10       [--early]  [--fail]  [--help]  [--invert]   [--ipl=LEN]   [--overwrite]
11       [--pattern=PF]  [--quick]  [--test=TE] [--verbose] [--version] [--wait]
12       [--zero] [--znr] DEVICE
13

DESCRIPTION

15       This utility invokes the SCSI SANITIZE command. This command was  first
16       introduced  in the SBC-3 revision 27 draft. The purpose of the sanitize
17       operation is to alter the information in the cache and on the medium of
18       a  logical  unit (e.g. a disk) so that the recovery of user data is not
19       possible. If that user data cannot be erased, or is in the  process  of
20       being  erased, then the sanitize operation prevents access to that user
21       data.
22
23       Once a SCSI SANITIZE command has successfully started, then  user  data
24       from  that  disk  is  no  longer  available.  Even if the disk is power
25       cycled, the sanitize operation will continue after power is re-instated
26       until it is complete.
27
28       This  utility  requires either the --block, --crypto, --fail or --over‐
29       write option. With the --block, --crypto or --overwrite option the user
30       is  given  15  seconds to reconsider whether they wish to erase all the
31       data on a disk, unless the --quick option is given in  which  case  the
32       sanitize  operation  starts  immediately.  The  disk's INQUIRY response
33       strings are printed out just in case the wrong DEVICE has been given.
34
35       If the --early option is given then this utility will exit  soon  after
36       starting the SANITIZE command with the IMMED bit set. The user can mon‐
37       itor the progress  of  the  sanitize  operation  with  the  "sg_request
38       --num=9999  --progress"  which  sends  a REQUEST SENSE command every 30
39       seconds. Otherwise if the --wait option is given then this utility will
40       wait  until  the  SANITIZE command completes (or fails) and that can be
41       many hours.
42
43       If neither the --early nor --wait option is  given  then  the  SANITIZE
44       command  is  started  with  the  IMMED bit set. After that this utility
45       sends a REQUEST SENSE command every 60 seconds until there are no  more
46       progress indications.
47

OPTIONS

49       Arguments to long options are mandatory for short options as well.  The
50       options are arranged in alphabetical order based  on  the  long  option
51       name.
52
53       -A, --ause
54              sets  the  AUSE  bit  in  the cdb. AUSE is an acronym for "allow
55              unrestricted sanitize exit". The default action is to leave  the
56              AUSE bit cleared.
57
58       -B, --block
59              perform a "block erase" sanitize operation.
60
61       -c, --count=OC
62              where  OC  is  the  "overwrite count" associated with the "over‐
63              write" sanitize operation. OC can be a value between  1  and  31
64              and 1 is the default.
65
66       -C, --crypto
67              perform a "cryptographic erase" sanitize operation.
68
69       -d, --desc
70              sets  the  DESC  field  in  the  REQUEST  SENSE command used for
71              polling. By default this field is set to zero. A  REQUEST  SENSE
72              polling  loop  is  used  after  the  SANITIZE  command is issued
73              (assuming that neither the --early nor the  --wait  option  have
74              been  given)  to check on the progress of this command as it can
75              take some time.
76
77       -e, --early
78              the default action of this utility is to poll the disk every  60
79              seconds  to  fetch the progress indication until the sanitize is
80              finished. When this option  is  given  this  utility  will  exit
81              "early"  as  soon as the SANITIZE command with the IMMED bit set
82              to 1 has been acknowledged. This option and --wait  cannot  both
83              be given.
84
85       -F, --fail
86              perform  an  "exit  failure  mode" sanitize operation. Typically
87              requires the preceding SANITIZE command to  have  set  the  AUSE
88              bit.
89
90       -h, --help
91              print out the usage information then exit.
92
93       -i, --ipl=LEN
94              set  the  initialization pattern length to LEN bytes. By default
95              it is set to the length of the pattern file (PF)  or  4  if  the
96              --zero  option is given. Only active when the --overwrite option
97              is also given. It is the number of bytes from the PF  file  that
98              will be used as the initialization pattern (if the --zero option
99              is not given).  The minimum size is 1 byte and  the  maximum  is
100              the  logical block size of the DEVICE (and not to exceed 65535).
101              If LEN exceeds the PF file size then the initialization  pattern
102              is padded with zeros.
103
104       -I, --invert
105              set  the  INVERT  bit  in the overwrite service action parameter
106              list. This only affects the "overwrite" sanitize operation.  The
107              default  is  a clear INVERT bit. When the INVERT bit is set then
108              the initialization pattern is inverted between consecutive over‐
109              write passes.
110
111       -O, --overwrite
112              perform  an  "overwrite" sanitize operation. When this option is
113              given then the --pattern=PF or the --zero option is required.
114
115       -p, --pattern=PF
116              where PF is the filename of a file containing the initialization
117              pattern  required  by  an  "overwrite"  sanitize  operation. The
118              length of this file will be used as the length of  the  initial‐
119              ization pattern unless the --ipl=LEN option is given. The length
120              of the initialization pattern must be  from  1  to  the  logical
121              block size of the DEVICE.
122
123       -Q, --quick
124              the  default  action  (i.e.  when the option is not given) is to
125              give the user 15 seconds to reconsider doing a  sanitize  opera‐
126              tion  on  the DEVICE.  When this option is given that step (i.e.
127              the 15 second warning period) is skipped.
128
129       -T, --test=TE
130              set the TEST field in the  overwrite  service  action  parameter
131              list.  This only affects the "overwrite" sanitize operation. The
132              default is to place 0 in that field.
133
134       -v, --verbose
135              increase the level of verbosity, (i.e. debug output).
136
137       -V, --version
138              print the version string and then exit.
139
140       -w, --wait
141              the default action (i.e. without this  option  and  the  --early
142              option)  is to start the SANITIZE command with the IMMED bit set
143              then poll for the progress indication  with  the  REQUEST  SENSE
144              command  until  the  sanitize  operation is complete (or fails).
145              When this option is given (and the --early option is not  given)
146              then  the  SANITIZE command is started with the IMMED bit clear.
147              For a large disk this might take hours. [A  cryptographic  erase
148              operation could potentially be very quick.]
149
150       -z, --zero
151              with  an  "overwrite"  sanitize operation this option causes the
152              initialization pattern to be zero (4 zeros are used as the  ini‐
153              tialization  pattern).  Cannot  be  used  with  the --pattern=PF
154              option. If this option is given twice (e.g. '-zz') then 0xff  is
155              used as the initialization byte.
156
157       -Z, --znr
158              sets  ZNR  bit  (zoned no reset) in cdb. Introduced in the SBC-4
159              revision 7 draft.
160

NOTES

162       The SCSI SANITIZE command is closely related to the ATA  SANITIZE  com‐
163       mand,  both are relatively new with the ATA command being the first one
164       defined.  The SCSI to ATA Translation (SAT)  definition  for  the  SCSI
165       SANITIZE command appeared in the SAT-3 revision 4 draft.
166
167       When  a  SAT layer is used to a (S)ATA disk then for OVERWRITE the ini‐
168       tialization pattern must be 4 bytes long.  So  this  means  either  the
169       --zero  option  may  be given, or a pattern file (with the --pattern=PF
170       option) that is 4 bytes long or set to that length with  the  --ipl=LEN
171       option.
172
173       The  SCSI  SANITIZE command is related to the SCSI FORMAT UNIT command.
174       It is likely that a block erase sanitize operation would take a similar
175       amount  of time as a format on the same disk (e.g. 9 hours for a 2 Ter‐
176       abyte disk). The primary goal of a format is the configuration  of  the
177       disk  at the end of a format (e.g. different logical block size or pro‐
178       tection information added). Removal of user data is only a side  effect
179       of  a  format.  With the SCSI SANITIZE command, removal of user data is
180       the primary goal.  If a sanitize operation  is  interrupted  (e.g.  the
181       disk  is power cycled) then after power up any remaining user data will
182       not be available and the sanitize operation will continue. When a  for‐
183       mat  is interrupted (e.g. the disk is power cycled) the drafts say very
184       little about the state of the disk. In practice some  of  the  original
185       user data may remain and the format may need to be restarted.
186
187       Finding  out  whether  a  disk (SCSI or ATA) supports SANITIZE can be a
188       challenge. If the user really needs to find out and no  other  informa‐
189       tion  is  available  then  try  'sg_sanitize  --fail -vvv <device>' and
190       observe the sense data returned may be the safest approach.  Using  the
191       --fail  variant of this utility should have no effect unless it follows
192       an already failed sanitize operation.  If  the  SCSI  REPORT  SUPPORTED
193       OPERATION  CODES  command  (see  sg_opcodes) is supported then using it
194       would be a better approach for finding if sanitize is supported.
195

EXAMPLES

197       These examples use Linux device names. For  suitable  device  names  in
198       other supported Operating Systems see the sg3_utils(8) man page.
199
200       As  a  precaution  if this utility is called with no options then apart
201       from printing a usage message, nothing happens:
202
203          sg_sanitize /dev/sdm
204
205       To do a "block erase" sanitize the --block  option  is  required.   The
206       user  will be given a 15 second period to reconsider, the SCSI SANITIZE
207       command will be started with the IMMED bit set, then this utility  will
208       poll  for  a progress indication with a REQUEST SENSE command until the
209       sanitize operation is finished:
210
211          sg_sanitize --block /dev/sdm
212
213       To start a "block erase" sanitize and return from this utility once  it
214       is started (but not yet completed) use the --early option:
215
216          sg_sanitize --block --early /dev/sdm
217
218       If  the  15 second reconsideration time is not required add the --quick
219       option:
220
221          sg_sanitize --block --quick --early /dev/sdm
222
223       To do an "overwrite" sanitize a pattern file may be given:
224
225          sg_sanitize --overwrite --pattern=rand.img /dev/sdm
226
227       If the length of that "rand.img" is  512  bytes  (a  typically  logical
228       block  size)  then  to  use only the first 17 bytes (repeatedly) in the
229       "overwrite" sanitize operation:
230
231          sg_sanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm
232
233       To overwrite with zeros use:
234          sg_sanitize --overwrite --zero /dev/sdm
235

EXIT STATUS

237       The exit status of sg_sanitize is 0 when it  is  successful.  Otherwise
238       see  the  sg3_utils(8) man page. Unless the --wait option is given, the
239       exit status may not reflect the success of otherwise of the format.
240

AUTHORS

242       Written by Douglas Gilbert.
243

REPORTING BUGS

245       Report bugs to <dgilbert at interlog dot com>.
246
248       Copyright © 2011-2015 Douglas Gilbert
249       This software is distributed under a FreeBSD license. There is NO  war‐
250       ranty;  not  even  for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR‐
251       POSE.
252

SEE ALSO

254       sg_requests(8), sg_format(8)
255
256
257
258sg3_utils-1.42                   November 2015                  SG_SANITIZE(8)
Impressum