SG_SANITIZE(8)                     SG3_UTILS                    SG_SANITIZE(8)

NAME

       sg_sanitize - remove all user data from disk with SCSI SANITIZE command

SYNOPSIS

       sg_sanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run]
       [--desc] [--early] [--fail] [--help] [--invert] [--ipl=LEN]
       [--overwrite] [--pattern=PF] [--quick] [--test=TE] [--timeout=SECS]
       [--verbose] [--version] [--wait] [--zero] [--znr] DEVICE

DESCRIPTION

       This utility invokes the SCSI SANITIZE command. This command was first
       introduced in the SBC-3 revision 27 draft. The purpose of the sanitize
       operation is to alter the information in the cache and on the medium of
       a logical unit (e.g. a disk) so that the recovery of user data is not
       possible. If that user data cannot be erased, or is in the process of
       being erased, then the sanitize operation prevents access to that user
       data.

       Once a SCSI SANITIZE command has successfully started, then user data
       from that disk is no longer available. Even if the disk is power
       cycled, the sanitize operation will continue after power is re-instated
       until it is complete.

       This utility requires either the --block, --crypto, --fail or
       --overwrite option. With the --block, --crypto or --overwrite option
       the user is given 15 seconds to reconsider whether they wish to erase
       all the data on a disk, unless the --quick option is given in which
       case the sanitize operation starts immediately. The disk's INQUIRY
       response strings are printed out just in case the wrong DEVICE has been
       given.

       If the --early option is given then this utility will exit soon after
       starting the SANITIZE command with the IMMED bit set. The user can
       monitor the progress of the sanitize operation with
       "sg_requests --num=9999 --progress", which sends a REQUEST SENSE
       command every 30 seconds. Otherwise if the --wait option is given then
       this utility will wait until the SANITIZE command completes (or fails)
       and that can be many hours.

       If the --wait option is not given then the SANITIZE command is started
       with the IMMED bit set. If neither the --early nor the --wait option is
       given then this utility sends a REQUEST SENSE command every 60 seconds
       until there are no more progress indications, in which case this
       utility exits silently. If additionally the --verbose option is given
       the exit will be marked by a short message that the sanitize seems to
       have succeeded.

OPTIONS

       Arguments to long options are mandatory for short options as well. The
       options are arranged in alphabetical order based on the long option
       name.

       -A, --ause
              sets the AUSE bit in the cdb. AUSE is an acronym for "allow
              unrestricted sanitize exit". The default action is to leave the
              AUSE bit cleared.

       -B, --block
              perform a "block erase" sanitize operation.

       -c, --count=OC
              where OC is the "overwrite count" associated with the
              "overwrite" sanitize operation. OC can be a value between 1 and
              31 and 1 is the default.

       -C, --crypto
              perform a "cryptographic erase" sanitize operation. Note that
              this erase is often very quick as it simply overwrites an
              internal cryptographic key with a new value. Those keys are not
              accessible to users and encrypt all data written then decrypt
              all data read from the media. The primary reason for doing that
              is to make this operation fast. This operation cannot be
              reversed.

       -d, --desc
              sets the DESC field in the REQUEST SENSE command used for
              polling. By default this field is set to zero. A REQUEST SENSE
              polling loop is used after the SANITIZE command is issued
              (assuming that neither the --early nor the --wait option has
              been given) to check on the progress of this command as it can
              take some time.

       -D, --dry-run
              this option will parse the command line, do all the preparation
              but bypass the actual SANITIZE command.

       -e, --early
              the default action of this utility is to poll the disk every 60
              seconds to fetch the progress indication until the sanitize is
              finished. When this option is given this utility will exit
              "early" as soon as the SANITIZE command with the IMMED bit set
              to 1 has been acknowledged. This option and --wait cannot both
              be given.

       -F, --fail
              perform an "exit failure mode" sanitize operation. Typically
              requires the preceding SANITIZE command to have set the AUSE
              bit.

       -h, --help
              print out the usage information then exit.

       -i, --ipl=LEN
              set the initialization pattern length to LEN bytes. By default
              it is set to the length of the pattern file (PF) or 4 if the
              --zero option is given. Only active when the --overwrite option
              is also given. It is the number of bytes from the PF file that
              will be used as the initialization pattern (if the --zero option
              is not given). The minimum size is 1 byte and the maximum is
              the logical block size of the DEVICE (and not to exceed 65535).
              If LEN exceeds the PF file size then the initialization pattern
              is padded with zeros.

       -I, --invert
              set the INVERT bit in the overwrite service action parameter
              list. This only affects the "overwrite" sanitize operation. The
              default is a clear INVERT bit. When the INVERT bit is set then
              the initialization pattern is inverted between consecutive
              overwrite passes.

       -O, --overwrite
              perform an "overwrite" sanitize operation. When this option is
              given then the --pattern=PF or the --zero option is required.

       -p, --pattern=PF
              where PF is the filename of a file containing the initialization
              pattern required by an "overwrite" sanitize operation. The
              length of this file will be used as the length of the
              initialization pattern unless the --ipl=LEN option is given. The
              length of the initialization pattern must be from 1 to the
              logical block size of the DEVICE.

       -Q, --quick
              the default action (i.e. when the option is not given) is to
              give the user 15 seconds to reconsider doing a sanitize
              operation on the DEVICE. When this option is given that step
              (i.e. the 15 second warning period) is skipped.

       -T, --test=TE
              set the TEST field in the overwrite service action parameter
              list. This only affects the "overwrite" sanitize operation. The
              default is to place 0 in that field.

       -t, --timeout=SECS
              where SECS is the number of seconds used for the timeout on the
              SANITIZE command.

       -v, --verbose
              increase the level of verbosity (i.e. debug output).

       -V, --version
              print the version string and then exit.

       -w, --wait
              the default action (i.e. without this option and the --early
              option) is to start the SANITIZE command with the IMMED bit set
              then poll for the progress indication with the REQUEST SENSE
              command until the sanitize operation is complete (or fails).
              When this option is given (and the --early option is not given)
              then the SANITIZE command is started with the IMMED bit clear.
              For a large disk this might take hours. [A cryptographic erase
              operation could potentially be very quick.]

       -z, --zero
              with an "overwrite" sanitize operation this option causes the
              initialization pattern to be zero (4 zeros are used as the
              initialization pattern). Cannot be used with the --pattern=PF
              option. If this option is given twice (e.g. '-zz') then 0xff is
              used as the initialization byte.

       -Z, --znr
              sets the ZNR bit (zoned no reset) in the cdb. Introduced in the
              SBC-4 revision 7 draft.

NOTES

       The SCSI SANITIZE command is closely related to the ATA SANITIZE
       command; both are relatively new, with the ATA command being the first
       one defined. The SCSI to ATA Translation (SAT) definition for the SCSI
       SANITIZE command appeared in the SAT-3 revision 4 draft.

       When a SAT layer is used to access a (S)ATA disk then for OVERWRITE the
       initialization pattern must be 4 bytes long. So this means either the
       --zero option may be given, or a pattern file (with the --pattern=PF
       option) that is 4 bytes long or set to that length with the --ipl=LEN
       option.
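
       An added example, not part of sg3_utils: it previews the initialization
       pattern that the --pattern=PF and --ipl=LEN rules in OPTIONS describe
       and checks a length against those limits, including the 4 byte SAT rule
       above. The function names are hypothetical; rand.img and /dev/sdm are
       the names used in EXAMPLES.

```sh
#!/bin/sh
# Added example, not part of sg3_utils. Function names are hypothetical.
# Models the --pattern=PF / --ipl=LEN rules as this page describes them.

# Print, as hex, the initialization pattern for PF and LEN: the first LEN
# bytes of PF, padded with zeros when LEN exceeds the file size.
# LEN defaults to the length of PF.
effective_pattern() {  # effective_pattern PF [LEN]
    [ -r "$1" ] || return 1
    pf_size=$(( $(wc -c < "$1") ))
    len=${2:-$pf_size}
    { head -c "$len" "$1"; head -c "$len" /dev/zero; } |
        head -c "$len" | od -An -v -tx1 | tr -d ' \n'
}

# Succeed only if LEN is a legal pattern length: at least 1 byte, at most
# the logical block size, never above 65535. With SAT=1 (a (S)ATA disk
# behind a SAT layer) the pattern must be exactly 4 bytes long.
pattern_len_ok() {  # pattern_len_ok LEN BLOCK_SIZE [SAT]
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] && [ "$1" -le 65535 ] || return 1
    if [ "${3:-0}" -eq 1 ] && [ "$1" -ne 4 ]; then return 1; fi
    return 0
}

# Typical use before the real run; --dry-run parses the options but
# bypasses the SANITIZE command itself:
#   effective_pattern rand.img 17
#   pattern_len_ok 17 512 && \
#       sg_sanitize --overwrite --pattern=rand.img --ipl=17 --dry-run /dev/sdm
```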

       The SCSI SANITIZE command is related to the SCSI FORMAT UNIT command.
       It is likely that a block erase sanitize operation would take a similar
       amount of time as a format on the same disk (e.g. 9 hours for a 2
       Terabyte disk). The primary goal of a format is the configuration of
       the disk at the end of a format (e.g. different logical block size or
       protection information added). Removal of user data is only a side
       effect of a format. With the SCSI SANITIZE command, removal of user
       data is the primary goal. If a sanitize operation is interrupted (e.g.
       the disk is power cycled) then after power up any remaining user data
       will not be available and the sanitize operation will continue. When a
       format is interrupted (e.g. the disk is power cycled) the drafts say
       very little about the state of the disk. In practice some of the
       original user data may remain and the format may need to be restarted.

       Finding out whether a disk (SCSI or ATA) supports SANITIZE can be a
       challenge. If the user really needs to find out and no other
       information is available then trying 'sg_sanitize --fail -vvv <device>'
       and observing the sense data returned may be the safest approach. Using
       the --fail variant of this utility should have no effect unless it
       follows an already failed sanitize operation. If the SCSI REPORT
       SUPPORTED OPERATION CODES command (see sg_opcodes) is supported then
       using it would be a better approach for finding if sanitize is
       supported.

       If using the dd command to check the before and after data of a
       particular block (i.e. check the erase actually worked) it is a good
       idea to use the 'iflag=direct' operand. Otherwise the first read might
       be cached and returned when the same LBA is read a little later.
       Obviously this utility should only be used to sanitize data on a disk
       whose mounted file systems (if any) have been unmounted prior to the
       erase!
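
       An added example, not part of sg3_utils, of the dd check described
       above: it records digests of sampled blocks before the sanitize and
       re-reads them afterwards with iflag=direct. The function names and the
       DD_IFLAG variable are hypothetical; DD_IFLAG only exists so the
       functions can be tried on an image file whose filesystem lacks
       direct I/O.

```sh
#!/bin/sh
# Added example, not part of sg3_utils. Function names and the DD_IFLAG
# variable are hypothetical.

# Print the SHA-256 of one logical block of DEV at LBA. Reads with
# iflag=direct so a cached copy of the block is not returned. Fails when
# a full block cannot be read (for example while a sanitize is running).
block_digest() {  # block_digest DEV LBA [BLOCK_SIZE]
    bs=${3:-512}
    tmp=$(mktemp) || return 1
    rc=1
    if dd if="$1" of="$tmp" bs="$bs" skip="$2" count=1 \
            iflag="${DD_IFLAG:-direct}" 2>/dev/null &&
        [ "$(( $(wc -c < "$tmp") ))" -eq "$bs" ]; then
        sha256sum < "$tmp" | cut -d' ' -f1
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Before the sanitize: write one "LBA digest" line per sampled LBA.
snapshot_blocks() {  # snapshot_blocks DEV BLOCK_SIZE LBA...
    dev=$1; size=$2; shift 2
    for lba in "$@"; do
        digest=$(block_digest "$dev" "$lba" "$size") || return 1
        printf '%s %s\n' "$lba" "$digest"
    done
}

# After the sanitize: re-read each LBA of a saved snapshot and report
# "LBA changed", "LBA unchanged" or "LBA unreadable".
compare_blocks() {  # compare_blocks DEV BLOCK_SIZE SNAPSHOT_FILE
    while read -r lba old; do
        if ! new=$(block_digest "$1" "$lba" "$2"); then state=unreadable
        elif [ "$new" = "$old" ]; then state=unchanged
        else state=changed
        fi
        printf '%s %s\n' "$lba" "$state"
    done < "$3"
}
```

       An LBA that already held the post-erase content (for example zeros
       before a --zero overwrite) reports "unchanged", so sample blocks that
       are known to hold data.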

EXAMPLES

       These examples use Linux device names. For suitable device names in
       other supported Operating Systems see the sg3_utils(8) man page.

       As a precaution if this utility is called with no options then apart
       from printing a usage message, nothing happens:

          sg_sanitize /dev/sdm

       To do a "block erase" sanitize the --block option is required. The
       user will be given a 15 second period to reconsider, the SCSI SANITIZE
       command will be started with the IMMED bit set, then this utility will
       poll for a progress indication with a REQUEST SENSE command until the
       sanitize operation is finished:

          sg_sanitize --block /dev/sdm

       To start a "block erase" sanitize and return from this utility once it
       is started (but not yet completed) use the --early option:

          sg_sanitize --block --early /dev/sdm

       If the 15 second reconsideration time is not required add the --quick
       option:

          sg_sanitize --block --quick --early /dev/sdm

       To do an "overwrite" sanitize a pattern file may be given:

          sg_sanitize --overwrite --pattern=rand.img /dev/sdm

       If the length of that "rand.img" is 512 bytes (a typical logical
       block size) then to use only the first 17 bytes (repeatedly) in the
       "overwrite" sanitize operation:

          sg_sanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm

       To overwrite with zeros use:

          sg_sanitize --overwrite --zero /dev/sdm

EXIT STATUS

       The exit status of sg_sanitize is 0 when it is successful. Otherwise
       see the sg3_utils(8) man page. Unless the --wait option is given, the
       exit status may not reflect the success or otherwise of the sanitize
       operation.

       The Unix convention is that "no news is good news" but that can be a
       bit unnerving after an operation like sanitize, especially if it
       finishes quickly (i.e. before the first progress poll is sent). Giving
       the --verbose option once should supply enough additional output to
       settle those nerves.

AUTHORS

       Written by Douglas Gilbert.

REPORTING BUGS

       Report bugs to <dgilbert at interlog dot com>.

COPYRIGHT

       Copyright © 2011-2020 Douglas Gilbert
       This software is distributed under a FreeBSD license. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

SEE ALSO

       sg_requests(8), sg_format(8)

sg3_utils-1.46                   December 2020                  SG_SANITIZE(8)