SG_SANITIZE(8) SG3_UTILS SG_SANITIZE(8)

sg_sanitize - remove all user data from disk with SCSI SANITIZE command

sg_sanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run]
[--desc] [--early] [--fail] [--help] [--invert] [--ipl=LEN]
[--overwrite] [--pattern=PF] [--quick] [--test=TE] [--timeout=SECS]
[--verbose] [--version] [--wait] [--zero] [--znr] DEVICE

This utility invokes the SCSI SANITIZE command. This command was first
introduced in the SBC-3 revision 27 draft. The purpose of the sanitize
operation is to alter the information in the cache and on the medium of
a logical unit (e.g. a disk) so that the recovery of user data is not
possible. If that user data cannot be erased, or is in the process of
being erased, then the sanitize operation prevents access to that user
data.

Once a SCSI SANITIZE command has successfully started, then user data
from that disk is no longer available. Even if the disk is power
cycled, the sanitize operation will continue after power is re-instated
until it is complete.

This utility requires either the --block, --crypto, --fail or
--overwrite option. With the --block, --crypto or --overwrite option the
user is given 15 seconds to reconsider whether they wish to erase all
the data on a disk, unless the --quick option is given in which case the
sanitize operation starts immediately. The disk's INQUIRY response
strings are printed out just in case the wrong DEVICE has been given.

If the --early option is given then this utility will exit soon after
starting the SANITIZE command with the IMMED bit set. The user can
monitor the progress of the sanitize operation with the "sg_requests
--num=9999 --progress" which sends a REQUEST SENSE command every 30
seconds. Otherwise if the --wait option is given then this utility will
wait until the SANITIZE command completes (or fails) and that can be
many hours.

If the --wait option is not given then the SANITIZE command is started
with the IMMED bit set. If neither the --early nor the --wait options
are given then this utility sends a REQUEST SENSE command after every
60 seconds until there are no more progress indications in which case
this utility exits silently. If additionally the --verbose option is
given the exit will be marked by a short message that the sanitize
seems to have succeeded.

Arguments to long options are mandatory for short options as well. The
options are arranged in alphabetical order based on the long option
name.

-A, --ause
    sets the AUSE bit in the cdb. AUSE is an acronym for "allow
    unrestricted sanitize exit". The default action is to leave the
    AUSE bit cleared.

-B, --block
    perform a "block erase" sanitize operation.

-c, --count=OC
    where OC is the "overwrite count" associated with the "overwrite"
    sanitize operation. OC can be a value between 1 and 31 and 1 is
    the default.

-C, --crypto
    perform a "cryptographic erase" sanitize operation. Note that
    this erase is often very quick as it simply overwrites an internal
    cryptographic key with a new value. Those keys are not accessible
    to users and encrypt all data written then decrypt all data read
    from the media. The primary reason for doing that is to make this
    operation fast. This operation can not be reversed.

-d, --desc
    sets the DESC field in the REQUEST SENSE command used for
    polling. By default this field is set to zero. A REQUEST SENSE
    polling loop is used after the SANITIZE command is issued
    (assuming that neither the --early nor the --wait option have been
    given) to check on the progress of this command as it can take
    some time.

-D, --dry-run
    this option will parse the command line, do all the preparation
    but bypass the actual SANITIZE command.

-e, --early
    the default action of this utility is to poll the disk every 60
    seconds to fetch the progress indication until the sanitize is
    finished. When this option is given this utility will exit
    "early" as soon as the SANITIZE command with the IMMED bit set
    to 1 has been acknowledged. This option and --wait cannot both
    be given.

-F, --fail
    perform an "exit failure mode" sanitize operation. Typically
    requires the preceding SANITIZE command to have set the AUSE bit.

-h, --help
    print out the usage information then exit.

-i, --ipl=LEN
    set the initialization pattern length to LEN bytes. By default
    it is set to the length of the pattern file (PF) or 4 if the
    --zero option is given. Only active when the --overwrite option
    is also given. It is the number of bytes from the PF file that
    will be used as the initialization pattern (if the --zero option
    is not given). The minimum size is 1 byte and the maximum is
    the logical block size of the DEVICE (and not to exceed 65535).
    If LEN exceeds the PF file size then the initialization pattern
    is padded with zeros.

-I, --invert
    set the INVERT bit in the overwrite service action parameter
    list. This only affects the "overwrite" sanitize operation. The
    default is a clear INVERT bit. When the INVERT bit is set then
    the initialization pattern is inverted between consecutive
    overwrite passes.

-O, --overwrite
    perform an "overwrite" sanitize operation. When this option is
    given then the --pattern=PF or the --zero option is required.

-p, --pattern=PF
    where PF is the filename of a file containing the initialization
    pattern required by an "overwrite" sanitize operation. The
    length of this file will be used as the length of the
    initialization pattern unless the --ipl=LEN option is given. The
    length of the initialization pattern must be from 1 to the
    logical block size of the DEVICE.

-Q, --quick
    the default action (i.e. when the option is not given) is to
    give the user 15 seconds to reconsider doing a sanitize operation
    on the DEVICE. When this option is given that step (i.e. the 15
    second warning period) is skipped.

-T, --test=TE
    set the TEST field in the overwrite service action parameter
    list. This only affects the "overwrite" sanitize operation. The
    default is to place 0 in that field.

-t, --timeout=SECS
    where SECS is the number of seconds used for the timeout on the
    SANITIZE command.

-v, --verbose
    increase the level of verbosity, (i.e. debug output).

-V, --version
    print the version string and then exit.

-w, --wait
    the default action (i.e. without this option and the --early
    option) is to start the SANITIZE command with the IMMED bit set
    then poll for the progress indication with the REQUEST SENSE
    command until the sanitize operation is complete (or fails).
    When this option is given (and the --early option is not given)
    then the SANITIZE command is started with the IMMED bit clear.
    For a large disk this might take hours. [A cryptographic erase
    operation could potentially be very quick.]

-z, --zero
    with an "overwrite" sanitize operation this option causes the
    initialization pattern to be zero (4 zeros are used as the
    initialization pattern). Cannot be used with the --pattern=PF
    option. If this option is given twice (e.g. '-zz') then 0xff is
    used as the initialization byte.

-Z, --znr
    sets ZNR bit (zoned no reset) in cdb. Introduced in the SBC-4
    revision 7 draft.

The SCSI SANITIZE command is closely related to the ATA SANITIZE
command, both are relatively new with the ATA command being the first
one defined. The SCSI to ATA Translation (SAT) definition for the SCSI
SANITIZE command appeared in the SAT-3 revision 4 draft.

When a SAT layer is used to a (S)ATA disk then for OVERWRITE the
initialization pattern must be 4 bytes long. So this means either the
--zero option may be given, or a pattern file (with the --pattern=PF
option) that is 4 bytes long or set to that length with the --ipl=LEN
option.
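
The length rules given for --pattern=PF and --ipl=LEN in the option descriptions, together with the 4 byte SAT restriction above, can be checked before the command is run. The following shell function is an added example, not part of sg3_utils; its name, its arguments and the use of "blockdev --getss" to find the logical block size are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of sg3_utils): check --overwrite pattern arguments
# against the limits in this man page before sg_sanitize is run.
#
# check_overwrite_pattern PF BLOCK_SIZE [LEN] [sat]
#   PF          file that would be given as --pattern=PF
#   BLOCK_SIZE  logical block size of DEVICE in bytes, supplied by the caller
#               (on Linux, for example, from "blockdev --getss DEVICE")
#   LEN         value that would be given as --ipl=LEN; empty = file length
#   sat         literal word "sat" when DEVICE is a (S)ATA disk behind SAT
# Prints the effective initialization pattern length on stdout.
# Returns 1 when a limit is violated, 2 on unusable input.
check_overwrite_pattern() {
    pf=$1 bs=$2 ipl=${3:-} sat=${4:-}
    [ -r "$pf" ] || { echo "cannot read pattern file: $pf" >&2; return 2; }
    case $bs in ''|*[!0-9]*) echo "bad block size: $bs" >&2; return 2 ;; esac
    fsize=$(wc -c < "$pf" | tr -d ' ')
    len=${ipl:-$fsize}
    case $len in *[!0-9]*) echo "bad LEN: $len" >&2; return 2 ;; esac
    # Upper bound: logical block size, and never more than 65535.
    max=$bs
    [ "$max" -gt 65535 ] && max=65535
    if [ "$len" -lt 1 ] || [ "$len" -gt "$max" ]; then
        echo "pattern length $len is outside 1..$max" >&2
        return 1
    fi
    # Through a SAT layer the OVERWRITE pattern must be exactly 4 bytes.
    if [ "$sat" = sat ] && [ "$len" -ne 4 ]; then
        echo "SAT OVERWRITE needs a 4 byte pattern, got $len" >&2
        return 1
    fi
    # LEN longer than the file is legal: the pattern is padded with zeros.
    if [ "$len" -gt "$fsize" ]; then
        echo "note: pattern will be padded with $((len - fsize)) zero bytes" >&2
    fi
    echo "$len"
}
```

A passing check can be followed by the same sg_sanitize command line with --dry-run added, which parses the options without issuing the SANITIZE command.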

The SCSI SANITIZE command is related to the SCSI FORMAT UNIT command.
It is likely that a block erase sanitize operation would take a similar
amount of time as a format on the same disk (e.g. 9 hours for a 2
Terabyte disk). The primary goal of a format is the configuration of the
disk at the end of a format (e.g. different logical block size or
protection information added). Removal of user data is only a side
effect of a format. With the SCSI SANITIZE command, removal of user data
is the primary goal. If a sanitize operation is interrupted (e.g. the
disk is power cycled) then after power up any remaining user data will
not be available and the sanitize operation will continue. When a
format is interrupted (e.g. the disk is power cycled) the drafts say
very little about the state of the disk. In practice some of the
original user data may remain and the format may need to be restarted.

Finding out whether a disk (SCSI or ATA) supports SANITIZE can be a
challenge. If the user really needs to find out and no other
information is available then trying 'sg_sanitize --fail -vvv <device>'
and observing the sense data returned may be the safest approach. Using
the --fail variant of this utility should have no effect unless it
follows an already failed sanitize operation. If the SCSI REPORT
SUPPORTED OPERATION CODES command (see sg_opcodes) is supported then
using it would be a better approach for finding if sanitize is
supported.

If using the dd command to check the before and after data of a
particular block (i.e. check the erase actually worked) it is a good
idea to use the 'iflag=direct' operand. Otherwise the first read might
be cached and returned when the same LBA is read a little later.
Obviously this utility should only be used to sanitize data on a disk
whose mounted file systems (if any) have been unmounted prior to the
erase!
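
One way to do the before and after check described above is to digest a few sampled blocks with direct reads and compare the two snapshots. This is an added example, not part of sg3_utils; the function names and the DD_IFLAG variable are assumptions of the example, and the sampled LBAs should be ones known to hold non-zero user data.

```shell
#!/bin/sh
# Added example (not part of sg3_utils): spot-check sampled LBAs before and
# after a sanitize, reading with O_DIRECT so the page cache cannot answer.
# DD_IFLAG is a knob of this example: leave it unset for block devices; set
# it to the empty string for image files on filesystems without O_DIRECT.

# block_digest DEV LBA BS -> SHA-256 over the hex dump of one logical block
block_digest() {
    hex=$(dd if="$1" bs="$3" skip="$2" count=1 ${DD_IFLAG-iflag=direct} \
              2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    # A short or failed read must not be mistaken for an erased block.
    [ "${#hex}" -eq $(( $3 * 2 )) ] || { echo "short read at LBA $2" >&2; return 1; }
    printf '%s' "$hex" | sha256sum | cut -d' ' -f1
}

# snapshot DEV BS LBA... -> one "LBA DIGEST" line per sampled block
snapshot() {
    dev=$1 bs=$2; shift 2
    for lba in "$@"; do
        digest=$(block_digest "$dev" "$lba" "$bs") || return 1
        printf '%s %s\n' "$lba" "$digest"
    done
}

# unchanged_lbas BEFORE AFTER -> LBAs whose digest is the same in both files
unchanged_lbas() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && before[$1] == $2 { print $1 }' "$1" "$2"
}

# Typical use around a sanitize of /dev/sdm with 512 byte logical blocks:
#   snapshot /dev/sdm 512 0 2048 1000000 > before.txt
#   ... run sg_sanitize and wait for it to complete ...
#   snapshot /dev/sdm 512 0 2048 1000000 > after.txt
#   unchanged_lbas before.txt after.txt    # expect no output
```

Any LBA printed by unchanged_lbas returned the same data after the sanitize as before it and should be investigated before the disk is released.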

These examples use Linux device names. For suitable device names in
other supported Operating Systems see the sg3_utils(8) man page.

As a precaution if this utility is called with no options then apart
from printing a usage message, nothing happens:

    sg_sanitize /dev/sdm

To do a "block erase" sanitize the --block option is required. The
user will be given a 15 second period to reconsider, the SCSI SANITIZE
command will be started with the IMMED bit set, then this utility will
poll for a progress indication with a REQUEST SENSE command until the
sanitize operation is finished:

    sg_sanitize --block /dev/sdm

To start a "block erase" sanitize and return from this utility once it
is started (but not yet completed) use the --early option:

    sg_sanitize --block --early /dev/sdm

If the 15 second reconsideration time is not required add the --quick
option:

    sg_sanitize --block --quick --early /dev/sdm

To do an "overwrite" sanitize a pattern file may be given:

    sg_sanitize --overwrite --pattern=rand.img /dev/sdm

If the length of that "rand.img" is 512 bytes (a typical logical
block size) then to use only the first 17 bytes (repeatedly) in the
"overwrite" sanitize operation:

    sg_sanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm

To overwrite with zeros use:

    sg_sanitize --overwrite --zero /dev/sdm

The exit status of sg_sanitize is 0 when it is successful. Otherwise
see the sg3_utils(8) man page. Unless the --wait option is given, the
exit status may not reflect the success or otherwise of the sanitize
operation.

The Unix convention is that "no news is good news" but that can be a
bit unnerving after an operation like sanitize, especially if it
finishes quickly (i.e. before the first progress poll is sent). Giving
the --verbose option once should supply enough additional output to
settle those nerves.

Written by Douglas Gilbert.

Report bugs to <dgilbert at interlog dot com>.

Copyright © 2011-2020 Douglas Gilbert
This software is distributed under a FreeBSD license. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.

sg_requests(8), sg_format(8)

sg3_utils-1.46 December 2020 SG_SANITIZE(8)