Discussion

The short answer is that we want to allow the SSD firmware to properly execute wear-leveling and such in hopes of increasing performance and extending the life of our SSDs in a system which does not (yet) directly support the trim function. We do this by “hiding” 20% of the blocks from the operating system. More details can be found here and here.

WARNING

⚠️ Please note that the provided scripts and executed commands bring a sledgehammer to the party, and make all kinds of assumptions. So be certain you understand what is going on here, and do not run this on a system with any connected disks which contain any data you care about. These scripts can result in a very bad day.

Steps

  1. Boot the machine from the latest Arch Linux ISO with all disks disconnected. On some hardware, the disks may instead be disconnected after boot.
  2. Execute "lsblk" to ensure no disks are connected. If disks were disconnected after boot, you may have to wait for their bus to time out.
  3. Plug in ONE disk.
  4. Execute "lsblk" to ensure one disk (sda) is connected. If the disk is not "sda" you may need to modify the script.
  5. Execute the script. This will:
    • Show the frozen/security status of the disk. It should be “not frozen” and not be in a secure configuration.
    • Place the disk in a high security mode so that the erase can be executed.
    • Securely erase the disk (effecting a trim on all disk blocks).
    • Display the status of the protected area.
    • Calculate and display what 80% of the full disk looks like.
    • Set the protected area to 20% of the disk.
    • Display the (new) status of the protected area.
  6. Unplug the disk.
  7. Repeat as necessary for each remaining disk.

The Script

#!/bin/sh
# Secure-erase /dev/sda, then limit its visible size to 80% of the native
# sector count by setting a protected area with hdparm -N.
# Every command is chained with &&, so the first failure stops the script.
# "Eins" is the user password set so that the erase can be executed.

echo '**********************************************' 
echo preparing to execute secure erase
echo '**********************************************' 
hdparm -I /dev/sda | grep -E -e frozen -e 'Security level'               &&\
hdparm --user-master u --security-set-pass Eins /dev/sda                 &&\
hdparm -I /dev/sda | grep -E -e frozen -e 'Security level'               &&\
time hdparm --user-master u --security-erase Eins /dev/sda               &&\
hdparm -I /dev/sda | grep -E -e frozen -e 'Security level'               &&\
hdparm -N /dev/sda                                                       &&\
echo '**********************************************'                    &&\
echo preparing to calculate and set the protected area                   &&\
echo '**********************************************'                    &&\
full=`hdparm -N /dev/sda|awk '/sectors/ {print $4}'|cut -d/ -f2|tr -d ,` &&\
echo full = ${full}                                                      &&\
ep=`echo "scale=0 ; ${full}*.8"|bc|cut -d. -f1`                          &&\
echo 80 % = ${ep}                                                        &&\
hdparm -Np${ep} --yes-i-know-what-i-am-doing /dev/sda                    &&\
hdparm -N /dev/sda
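
An added example, not part of the original script: pre-flight helpers that check the assumptions from the steps above (exactly one disk, "not frozen", security not enabled) on captured lsblk and hdparm output before anything destructive runs, and compute the 80% figure with integer arithmetic. The function names and sample text are constructed for illustration; the lsblk text is assumed to come from "lsblk -dn -o NAME,TYPE".

```sh
#!/bin/sh
# Hypothetical helpers; each reads captured command output on stdin.

# Print the name of the only device of type "disk"; fail on zero or several.
# A USB boot stick also counts as a disk, so this refuses rather than guesses.
single_disk() {
    awk '$2 == "disk" { n++; name = $1 } END { if (n == 1) print name; else exit 1 }'
}

# Succeed only if `hdparm -I` text shows both "not enabled" and "not frozen".
security_ready() {
    info=$(cat)
    printf '%s\n' "$info" | grep -Eq '^[[:space:]]*not[[:space:]]+frozen[[:space:]]*$' &&
    printf '%s\n' "$info" | grep -Eq '^[[:space:]]*not[[:space:]]+enabled[[:space:]]*$'
}

# Print the native max sector count (the number after the slash) from `hdparm -N`.
native_max_sectors() {
    sed -n 's|.*max sectors[[:space:]]*=[[:space:]]*[0-9][0-9]*/\([0-9][0-9]*\).*|\1|p' | head -n 1
}

# Print 80% of a sector count, rounded down; reject anything non-numeric.
visible_sectors() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    echo $(( $1 * 80 / 100 ))
}

# Constructed sample output, modelled on what the tools print.
SAMPLE_LSBLK=$(printf 'loop0 loop\nsr0 rom\nsda disk\n')
SAMPLE_I=$(printf 'Security:\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n')
SAMPLE_N=$(printf '/dev/sda:\n max sectors   = 586072368/586072368, HPA is disabled\n')

# Demo on the samples: every check must pass before a size is printed.
disk=$(printf '%s\n' "$SAMPLE_LSBLK" | single_disk) &&
printf '%s\n' "$SAMPLE_I" | security_ready &&
full=$(printf '%s\n' "$SAMPLE_N" | native_max_sectors) &&
echo "/dev/$disk: full = $full, 80 % = $(visible_sectors "$full")"
```

On a live system the same functions would be fed from "lsblk -dn -o NAME,TYPE", "hdparm -I" and "hdparm -N" for the detected disk instead of the sample variables.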