SG_SANITIZE(8)                     SG3_UTILS                    SG_SANITIZE(8)

NAME

       sg_sanitize - remove all user data from disk with SCSI SANITIZE command

SYNOPSIS

       sg_sanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run]
       [--desc] [--early] [--fail] [--help] [--invert] [--ipl=LEN]
       [--overwrite] [--pattern=PF] [--quick] [--test=TE] [--timeout=SECS]
       [--verbose] [--version] [--wait] [--zero] [--znr] DEVICE

DESCRIPTION

       This utility invokes the SCSI SANITIZE command. This command was first
       introduced in the SBC-3 revision 27 draft. The purpose of the sanitize
       operation is to alter the information in the cache and on the medium of
       a logical unit (e.g. a disk) so that the recovery of user data is not
       possible. If that user data cannot be erased, or is in the process of
       being erased, then the sanitize operation prevents access to that user
       data.

       Once a SCSI SANITIZE command has successfully started, user data from
       that disk is no longer available. Even if the disk is power cycled,
       the sanitize operation will continue after power is re-instated until
       it is complete.

       This utility requires either the --block, --crypto, --fail or
       --overwrite option. With the --block, --crypto or --overwrite option
       the user is given 15 seconds to reconsider whether they wish to erase
       all the data on a disk, unless the --quick option is given, in which
       case the sanitize operation starts immediately. The disk's INQUIRY
       response strings are printed out just in case the wrong DEVICE has
       been given.

       If the --early option is given then this utility will exit soon after
       starting the SANITIZE command with the IMMED bit set. The user can
       monitor the progress of the sanitize operation with
       "sg_requests --num=9999 --progress", which sends a REQUEST SENSE
       command every 30 seconds. Otherwise, if the --wait option is given
       then this utility will wait until the SANITIZE command completes (or
       fails), and that can be many hours.

       If neither the --early nor --wait option is given then the SANITIZE
       command is started with the IMMED bit set. After that this utility
       sends a REQUEST SENSE command every 60 seconds until there are no more
       progress indications.

OPTIONS

       Arguments to long options are mandatory for short options as well. The
       options are arranged in alphabetical order based on the long option
       name.

       -A, --ause
              sets the AUSE bit in the cdb. AUSE is an acronym for "allow
              unrestricted sanitize exit". The default action is to leave the
              AUSE bit cleared.

       -B, --block
              perform a "block erase" sanitize operation.

       -c, --count=OC
              where OC is the "overwrite count" associated with the
              "overwrite" sanitize operation. OC can be a value between 1 and
              31 and 1 is the default.

       -C, --crypto
              perform a "cryptographic erase" sanitize operation.

       -d, --desc
              sets the DESC field in the REQUEST SENSE command used for
              polling. By default this field is set to zero. A REQUEST SENSE
              polling loop is used after the SANITIZE command is issued
              (assuming that neither the --early nor the --wait option have
              been given) to check on the progress of this command as it can
              take some time.

       -D, --dry-run
              this option will parse the command line, do all the preparation
              but bypass the actual SANITIZE command.

       -e, --early
              the default action of this utility is to poll the disk every 60
              seconds to fetch the progress indication until the sanitize is
              finished. When this option is given this utility will exit
              "early" as soon as the SANITIZE command with the IMMED bit set
              to 1 has been acknowledged. This option and --wait cannot both
              be given.

       -F, --fail
              perform an "exit failure mode" sanitize operation. Typically
              requires the preceding SANITIZE command to have set the AUSE
              bit.

       -h, --help
              print out the usage information then exit.

       -i, --ipl=LEN
              set the initialization pattern length to LEN bytes. By default
              it is set to the length of the pattern file (PF) or 4 if the
              --zero option is given. Only active when the --overwrite option
              is also given. It is the number of bytes from the PF file that
              will be used as the initialization pattern (if the --zero option
              is not given). The minimum size is 1 byte and the maximum is
              the logical block size of the DEVICE (and not to exceed 65535).
              If LEN exceeds the PF file size then the initialization pattern
              is padded with zeros.

       -I, --invert
              set the INVERT bit in the overwrite service action parameter
              list. This only affects the "overwrite" sanitize operation. The
              default is a clear INVERT bit. When the INVERT bit is set then
              the initialization pattern is inverted between consecutive
              overwrite passes.

       -O, --overwrite
              perform an "overwrite" sanitize operation. When this option is
              given then the --pattern=PF or the --zero option is required.

       -p, --pattern=PF
              where PF is the filename of a file containing the initialization
              pattern required by an "overwrite" sanitize operation. The
              length of this file will be used as the length of the
              initialization pattern unless the --ipl=LEN option is given. The
              length of the initialization pattern must be from 1 to the
              logical block size of the DEVICE.

       -Q, --quick
              the default action (i.e. when the option is not given) is to
              give the user 15 seconds to reconsider doing a sanitize
              operation on the DEVICE. When this option is given that step
              (i.e. the 15 second warning period) is skipped.

       -T, --test=TE
              set the TEST field in the overwrite service action parameter
              list. This only affects the "overwrite" sanitize operation. The
              default is to place 0 in that field.

       -t, --timeout=SECS
              where SECS is the number of seconds used for the timeout on the
              SANITIZE command.

       -v, --verbose
              increase the level of verbosity, (i.e. debug output).

       -V, --version
              print the version string and then exit.

       -w, --wait
              the default action (i.e. without this option and the --early
              option) is to start the SANITIZE command with the IMMED bit set
              then poll for the progress indication with the REQUEST SENSE
              command until the sanitize operation is complete (or fails).
              When this option is given (and the --early option is not given)
              then the SANITIZE command is started with the IMMED bit clear.
              For a large disk this might take hours. [A cryptographic erase
              operation could potentially be very quick.]

       -z, --zero
              with an "overwrite" sanitize operation this option causes the
              initialization pattern to be zero (4 zeros are used as the
              initialization pattern). Cannot be used with the --pattern=PF
              option. If this option is given twice (e.g. '-zz') then 0xff is
              used as the initialization byte.

       -Z, --znr
              sets ZNR bit (zoned no reset) in cdb. Introduced in the SBC-4
              revision 7 draft.
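
       The C sketch below is an added example, not code from sg3_utils or
       from this man page. It shows how --count, --invert, --test, the
       pattern (--pattern=PF or --zero) and --ipl=LEN combine into the
       OVERWRITE parameter list, including the zero padding rule and the
       4 byte limit that NOTES gives for SAT-attached disks. The function
       name is hypothetical and the byte layout follows the SBC overwrite
       parameter list format, which this page does not spell out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: fill out[] with an OVERWRITE parameter list.
 * pat/pat_len = pattern file contents; ipl = --ipl=LEN (0 means default,
 * i.e. the pattern length); lb_size = logical block size of DEVICE;
 * sat = non-zero when the disk sits behind a SCSI to ATA Translation layer.
 * Returns the list length (4 + ipl) or -1 if the options are invalid. */
int build_overwrite_plist(uint8_t *out, size_t out_sz, int count, int invert,
                          int test, const uint8_t *pat, size_t pat_len,
                          size_t ipl, size_t lb_size, int sat)
{
    size_t n;

    if (ipl == 0)
        ipl = pat_len;                      /* default: whole pattern */
    if (count < 1 || count > 31)            /* --count=OC range */
        return -1;
    if (ipl < 1 || ipl > lb_size || ipl > 65535)
        return -1;
    if (sat && ipl != 4)                    /* SAT: pattern must be 4 bytes */
        return -1;
    if (out_sz < 4 + ipl)
        return -1;
    memset(out, 0, 4 + ipl);                /* zero pad if ipl > pat_len */
    out[0] = (uint8_t)((invert ? 0x80 : 0) | ((test & 0x3) << 5) | count);
    out[2] = (uint8_t)(ipl >> 8);           /* pattern length, big endian */
    out[3] = (uint8_t)(ipl & 0xff);
    n = pat_len < ipl ? pat_len : ipl;      /* only first ipl bytes used */
    if (n > 0)
        memcpy(out + 4, pat, n);
    return 4 + (int)ipl;
}

int main(void)
{
    /* Constructed 3-byte pattern, padded to 4 bytes for a SAT-attached disk */
    const uint8_t pf[3] = { 0xde, 0xad, 0xbe };
    uint8_t buf[64];
    int k, len = build_overwrite_plist(buf, sizeof(buf), 3, 1, 0, pf, 3, 4, 512, 1);

    for (k = 0; k < len; ++k)
        printf("%02x ", buf[k]);
    printf("\n");
    return len < 0;
}
```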

NOTES

       The SCSI SANITIZE command is closely related to the ATA SANITIZE
       command; both are relatively new, with the ATA command being the first
       one defined. The SCSI to ATA Translation (SAT) definition for the SCSI
       SANITIZE command appeared in the SAT-3 revision 4 draft.

       When a SAT layer is used to reach a (S)ATA disk then for OVERWRITE the
       initialization pattern must be 4 bytes long. This means that either
       the --zero option may be given, or a pattern file (with the
       --pattern=PF option) that is 4 bytes long or is set to that length
       with the --ipl=LEN option.

       The SCSI SANITIZE command is related to the SCSI FORMAT UNIT command.
       It is likely that a block erase sanitize operation would take a similar
       amount of time as a format on the same disk (e.g. 9 hours for a 2
       Terabyte disk). The primary goal of a format is the configuration of
       the disk at the end of a format (e.g. different logical block size or
       protection information added). Removal of user data is only a side
       effect of a format. With the SCSI SANITIZE command, removal of user
       data is the primary goal. If a sanitize operation is interrupted (e.g.
       the disk is power cycled) then after power up any remaining user data
       will not be available and the sanitize operation will continue. When a
       format is interrupted (e.g. the disk is power cycled) the drafts say
       very little about the state of the disk. In practice some of the
       original user data may remain and the format may need to be restarted.

       Finding out whether a disk (SCSI or ATA) supports SANITIZE can be a
       challenge. If the user really needs to find out and no other
       information is available, then trying
       'sg_sanitize --fail -vvv <device>' and observing the sense data
       returned may be the safest approach. Using the --fail variant of this
       utility should have no effect unless it follows an already failed
       sanitize operation. If the SCSI REPORT SUPPORTED OPERATION CODES
       command (see sg_opcodes) is supported then using it would be a better
       approach for finding out whether sanitize is supported.

EXAMPLES

       These examples use Linux device names. For suitable device names in
       other supported Operating Systems see the sg3_utils(8) man page.

       As a precaution, if this utility is called with no options then apart
       from printing a usage message, nothing happens:

          sg_sanitize /dev/sdm

       To do a "block erase" sanitize the --block option is required. The
       user will be given a 15 second period to reconsider, the SCSI SANITIZE
       command will be started with the IMMED bit set, then this utility will
       poll for a progress indication with a REQUEST SENSE command until the
       sanitize operation is finished:

          sg_sanitize --block /dev/sdm

       To start a "block erase" sanitize and return from this utility once it
       is started (but not yet completed) use the --early option:

          sg_sanitize --block --early /dev/sdm

       If the 15 second reconsideration time is not required add the --quick
       option:

          sg_sanitize --block --quick --early /dev/sdm

       To do an "overwrite" sanitize a pattern file may be given:

          sg_sanitize --overwrite --pattern=rand.img /dev/sdm

       If the length of that "rand.img" is 512 bytes (a typical logical
       block size) then to use only the first 17 bytes (repeatedly) in the
       "overwrite" sanitize operation:

          sg_sanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm

       To overwrite with zeros use:

          sg_sanitize --overwrite --zero /dev/sdm

EXIT STATUS

       The exit status of sg_sanitize is 0 when it is successful. Otherwise
       see the sg3_utils(8) man page. Unless the --wait option is given, the
       exit status may not reflect the success or otherwise of the sanitize
       operation.

AUTHORS

       Written by Douglas Gilbert.

REPORTING BUGS

       Report bugs to <dgilbert at interlog dot com>.

       Copyright © 2011-2018 Douglas Gilbert
       This software is distributed under a FreeBSD license. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

SEE ALSO

       sg_requests(8), sg_format(8)

sg3_utils-1.43                     May 2018                     SG_SANITIZE(8)