268 lines
13 KiB
Groff
268 lines
13 KiB
Groff
.TH SG_SANITIZE "8" "December 2020" "sg3_utils\-1.46" SG3_UTILS
|
|
.SH NAME
|
|
sg_sanitize \- remove all user data from disk with SCSI SANITIZE command
|
|
.SH SYNOPSIS
|
|
.B sg_sanitize
|
|
[\fI\-\-ause\fR] [\fI\-\-block\fR] [\fI\-\-count=OC\fR] [\fI\-\-crypto\fR]
|
|
[\fI\-\-dry\-run\fR] [\fI\-\-desc\fR] [\fI\-\-early\fR] [\fI\-\-fail\fR]
|
|
[\fI\-\-help\fR] [\fI\-\-invert\fR] [\fI\-\-ipl=LEN\fR] [\fI\-\-overwrite\fR]
|
|
[\fI\-\-pattern=PF\fR] [\fI\-\-quick\fR] [\fI\-\-test=TE\fR]
|
|
[\fI\-\-timeout=SECS\fR] [\fI\-\-verbose\fR] [\fI\-\-version\fR]
|
|
[\fI\-\-wait\fR] [\fI\-\-zero\fR] [\fI\-\-znr\fR] \fIDEVICE\fR
|
|
.SH DESCRIPTION
|
|
.\" Add any additional description here
|
|
.PP
|
|
This utility invokes the SCSI SANITIZE command. This command was first
|
|
introduced in the SBC\-3 revision 27 draft. The purpose of the sanitize
|
|
operation is to alter the information in the cache and on the medium of a
|
|
logical unit (e.g. a disk) so that the recovery of user data is not
|
|
possible. If that user data cannot be erased, or is in the process of
|
|
being erased, then the sanitize operation prevents access to that user
|
|
data.
|
|
.PP
|
|
Once a SCSI SANITIZE command has successfully started, then user data from
|
|
that disk is no longer available. Even if the disk is power cycled, the
|
|
sanitize operation will continue after power is re\-instated until it is
|
|
complete.
|
|
.PP
|
|
This utility requires either the \fI\-\-block\fR, \fI\-\-crypto\fR,
|
|
\fI\-\-fail\fR or \fI\-\-overwrite\fR option. With the \fI\-\-block\fR,
|
|
\fI\-\-crypto\fR or \fI\-\-overwrite\fR option the user is given 15 seconds
|
|
to reconsider whether they wish to erase all the data on a disk, unless
|
|
the \fI\-\-quick\fR option is given in which case the sanitize operation
|
|
starts immediately. The disk's INQUIRY response strings are printed out just
|
|
in case the wrong \fIDEVICE\fR has been given.
|
|
.PP
|
|
If the \fI\-\-early\fR option is given then this utility will exit soon
|
|
after starting the SANITIZE command with the IMMED bit set. The user can
|
|
monitor the progress of the sanitize operation with
|
|
the "sg_requests \-\-num=9999 \-\-progress" which sends a REQUEST SENSE
|
|
command every 30 seconds. Otherwise if the \fI\-\-wait\fR option is given
|
|
then this utility will wait until the SANITIZE command completes (or fails)
|
|
and that can be many hours.
|
|
.PP
|
|
If the \fI\-\-wait\fR option is not given then the SANITIZE command is
|
|
started with the IMMED bit set. If neither the \fI\-\-early\fR nor the
|
|
\fI\-\-wait\fR options are given then this utility sends a REQUEST SENSE
|
|
command after every 60 seconds until there are no more progress indications
|
|
in which case this utility exits silently. If additionally the
|
|
\fI\-\-verbose\fR option is given the exit will be marked by a short
|
|
message that the sanitize seems to have succeeded.
|
|
.SH OPTIONS
|
|
Arguments to long options are mandatory for short options as well.
|
|
The options are arranged in alphabetical order based on the long
|
|
option name.
|
|
.TP
|
|
\fB\-A\fR, \fB\-\-ause\fR
|
|
sets the AUSE bit in the cdb. AUSE is an acronym for "allow unrestricted
|
|
sanitize exit". The default action is to leave the AUSE bit cleared.
|
|
.TP
|
|
\fB\-B\fR, \fB\-\-block\fR
|
|
perform a "block erase" sanitize operation.
|
|
.TP
|
|
\fB\-c\fR, \fB\-\-count\fR=\fIOC\fR
|
|
where \fIOC\fR is the "overwrite count" associated with the "overwrite"
|
|
sanitize operation. \fIOC\fR can be a value between 1 and 31 and 1 is
|
|
the default.
|
|
.TP
|
|
\fB\-C\fR, \fB\-\-crypto\fR
|
|
perform a "cryptographic erase" sanitize operation. Note that this erase is
|
|
often very quick as it simply overwrites an internal cryptographic key with
|
|
a new value. Those keys are not accessible to users and encrypt all data
|
|
written then decrypt all data read from the media. The primary reason for
|
|
doing that is to make this operation fast. This operation can not be
|
|
reversed.
|
|
.TP
|
|
\fB\-d\fR, \fB\-\-desc\fR
|
|
sets the DESC field in the REQUEST SENSE command used for polling. By
|
|
default this field is set to zero. A REQUEST SENSE polling loop is
|
|
used after the SANITIZE command is issued (assuming that neither the
|
|
\fI\-\-early\fR nor the \fI\-\-wait\fR option have been given) to check
|
|
on the progress of this command as it can take some time.
|
|
.TP
|
|
\fB\-D\fR, \fB\-\-dry\-run\fR
|
|
this option will parse the command line, do all the preparation but bypass
|
|
the actual SANITIZE command.
|
|
.TP
|
|
\fB\-e\fR, \fB\-\-early\fR
|
|
the default action of this utility is to poll the disk every 60 seconds to
|
|
fetch the progress indication until the sanitize is finished. When this
|
|
option is given this utility will exit "early" as soon as the SANITIZE
|
|
command with the IMMED bit set to 1 has been acknowledged. This option and
|
|
\fI\-\-wait\fR cannot both be given.
|
|
.TP
|
|
\fB\-F\fR, \fB\-\-fail\fR
|
|
perform an "exit failure mode" sanitize operation. Typically requires the
|
|
preceding SANITIZE command to have set the AUSE bit.
|
|
.TP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
print out the usage information then exit.
|
|
.TP
|
|
\fB\-i\fR, \fB\-\-ipl\fR=\fILEN\fR
|
|
set the initialization pattern length to \fILEN\fR bytes. By default it is
|
|
set to the length of the pattern file (\fIPF\fR) or 4 if the \fI\-\-zero\fR
|
|
option is given. Only active when the \fI\-\-overwrite\fR option is also
|
|
given. It is the number of bytes from the \fIPF\fR file that will be used
|
|
as the initialization pattern (if the \fI\-\-zero\fR option is not given).
|
|
The minimum size is 1 byte and the maximum is the logical block size of the
|
|
\fIDEVICE\fR (and not to exceed 65535). If \fILEN\fR exceeds the \fIPF\fR
|
|
file size then the initialization pattern is padded with zeros.
|
|
.TP
|
|
\fB\-I\fR, \fB\-\-invert\fR
|
|
set the INVERT bit in the overwrite service action parameter list. This
|
|
only affects the "overwrite" sanitize operation. The default is a clear
|
|
INVERT bit. When the INVERT bit is set then the initialization pattern
|
|
is inverted between consecutive overwrite passes.
|
|
.TP
|
|
\fB\-O\fR, \fB\-\-overwrite\fR
|
|
perform an "overwrite" sanitize operation. When this option is given then
|
|
the \fI\-\-pattern=PF\fR or the \fI\-\-zero\fR option is required.
|
|
.TP
|
|
\fB\-p\fR, \fB\-\-pattern\fR=\fIPF\fR
|
|
where \fIPF\fR is the filename of a file containing the initialization
|
|
pattern required by an "overwrite" sanitize operation. The length of
|
|
this file will be used as the length of the initialization pattern unless
|
|
the \fI\-\-ipl=LEN\fR option is given. The length of the initialization
|
|
pattern must be from 1 to the logical block size of the \fIDEVICE\fR.
|
|
.TP
|
|
\fB\-Q\fR, \fB\-\-quick\fR
|
|
the default action (i.e. when the option is not given) is to give the user
|
|
15 seconds to reconsider doing a sanitize operation on the \fIDEVICE\fR.
|
|
When this option is given that step (i.e. the 15 second warning period)
|
|
is skipped.
|
|
.TP
|
|
\fB\-T\fR, \fB\-\-test\fR=\fITE\fR
|
|
set the TEST field in the overwrite service action parameter list. This
|
|
only affects the "overwrite" sanitize operation. The default is to place
|
|
0 in that field.
|
|
.TP
|
|
\fB\-t\fR, \fB\-\-timeout\fR=\fISECS\fR
|
|
where \fISECS\fR is the number of seconds used for the timeout on the
|
|
SANITIZE command.
|
|
.TP
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
increase the level of verbosity, (i.e. debug output).
|
|
.TP
|
|
\fB\-V\fR, \fB\-\-version\fR
|
|
print the version string and then exit.
|
|
.TP
|
|
\fB\-w\fR, \fB\-\-wait\fR
|
|
the default action (i.e. without this option and the \fI\-\-early\fR option)
|
|
is to start the SANITIZE command with the IMMED bit set then poll for the
|
|
progress indication with the REQUEST SENSE command until the sanitize
|
|
operation is complete (or fails). When this option is given (and the
|
|
\fI\-\-early\fR option is not given) then the SANITIZE command is started
|
|
with the IMMED bit clear. For a large disk this might take hours. [A
|
|
cryptographic erase operation could potentially be very quick.]
|
|
.TP
|
|
\fB\-z\fR, \fB\-\-zero\fR
|
|
with an "overwrite" sanitize operation this option causes the initialization
|
|
pattern to be zero (4 zeros are used as the initialization pattern). Cannot
|
|
be used with the \fI\-\-pattern=PF\fR option. If this option is given
|
|
twice (e.g. '\-zz') then 0xff is used as the initialization byte.
|
|
.TP
|
|
\fB\-Z\fR, \fB\-\-znr\fR
|
|
sets ZNR bit (zoned no reset) in cdb. Introduced in the SBC\-4 revision 7
|
|
draft.
|
|
.SH NOTES
|
|
The SCSI SANITIZE command is closely related to the ATA SANITIZE command,
|
|
both are relatively new with the ATA command being the first one defined.
|
|
The SCSI to ATA Translation (SAT) definition for the SCSI SANITIZE command
|
|
appeared in the SAT\-3 revision 4 draft.
|
|
.PP
|
|
When a SAT layer is used to a (S)ATA disk then for OVERWRITE the
|
|
initialization pattern must be 4 bytes long. So this means either the
|
|
\fI\-\-zero\fR option may be given, or a pattern file (with the
|
|
\fI\-\-pattern=PF\fR option) that is 4 bytes long or set to that
|
|
length with the \fI\-\-ipl=LEN\fR option.
|
|
.PP
|
|
The SCSI SANITIZE command is related to the SCSI FORMAT UNIT command. It
|
|
is likely that a block erase sanitize operation would take a similar
|
|
amount of time as a format on the same disk (e.g. 9 hours for a 2 Terabyte
|
|
disk). The primary goal of a format is the configuration of the disk at
|
|
the end of a format (e.g. different logical block size or protection
|
|
information added). Removal of user data is only a side effect of a format.
|
|
With the SCSI SANITIZE command, removal of user data is the primary goal.
|
|
If a sanitize operation is interrupted (e.g. the disk is power cycled)
|
|
then after power up any remaining user data will not be available and the
|
|
sanitize operation will continue. When a format is interrupted (e.g. the
|
|
disk is power cycled) the drafts say very little about the state of the
|
|
disk. In practice some of the original user data may remain and the format
|
|
may need to be restarted.
|
|
.PP
|
|
Finding out whether a disk (SCSI or ATA) supports SANITIZE can be a
|
|
challenge. If the user really needs to find out and no other information
|
|
is available then try 'sg_sanitize \-\-fail \-vvv <device>' and observe
|
|
the sense data returned may be the safest approach. Using the \fI\-\-fail\fR
|
|
variant of this utility should have no effect unless it follows an already
|
|
failed sanitize operation. If the SCSI REPORT SUPPORTED OPERATION CODES
|
|
command (see sg_opcodes) is supported then using it would be a better
|
|
approach for finding if sanitize is supported.
|
|
.PP
|
|
If using the dd command to check the before and after data of a particular
|
|
block (i.e. check the erase actually worked) it is a good idea to use
|
|
the 'iflag=direct' operand. Otherwise the first read might be cached and
|
|
returned when the same LBA is read a little later. Obviously this utility
|
|
should only be used to sanitize data on a disk whose mounted file
|
|
systems (if any) have been unmounted prior to the erase!
|
|
.SH EXAMPLES
|
|
These examples use Linux device names. For suitable device names in
|
|
other supported Operating Systems see the sg3_utils(8) man page.
|
|
.PP
|
|
As a precaution if this utility is called with no options then apart from
|
|
printing a usage message, nothing happens:
|
|
.PP
|
|
sg_sanitize /dev/sdm
|
|
.PP
|
|
To do a "block erase" sanitize the \fI\-\-block\fR option is required.
|
|
The user will be given a 15 second period to reconsider, the SCSI SANITIZE
|
|
command will be started with the IMMED bit set, then this utility will
|
|
poll for a progress indication with a REQUEST SENSE command until the
|
|
sanitize operation is finished:
|
|
.PP
|
|
sg_sanitize \-\-block /dev/sdm
|
|
.PP
|
|
To start a "block erase" sanitize and return from this utility once it is
|
|
started (but not yet completed) use the \fI\-\-early\fR option:
|
|
.PP
|
|
sg_sanitize \-\-block \-\-early /dev/sdm
|
|
.PP
|
|
If the 15 second reconsideration time is not required add the
|
|
\fI\-\-quick\fR option:
|
|
.PP
|
|
sg_sanitize \-\-block \-\-quick \-\-early /dev/sdm
|
|
.PP
|
|
To do an "overwrite" sanitize a pattern file may be given:
|
|
.PP
|
|
sg_sanitize \-\-overwrite \-\-pattern=rand.img /dev/sdm
|
|
.PP
|
|
If the length of that "rand.img" is 512 bytes (a typically logical block
|
|
size) then to use only the first 17 bytes (repeatedly) in the "overwrite"
|
|
sanitize operation:
|
|
.PP
|
|
sg_sanitize \-\-overwrite \-\-pattern=rand.img \-\-ipl=17 /dev/sdm
|
|
.PP
|
|
To overwrite with zeros use:
|
|
sg_sanitize \-\-overwrite \-\-zero /dev/sdm
|
|
.SH EXIT STATUS
|
|
The exit status of sg_sanitize is 0 when it is successful. Otherwise see
|
|
the sg3_utils(8) man page. Unless the \fI\-\-wait\fR option is given, the
|
|
exit status may not reflect the success of otherwise of the format.
|
|
.PP
|
|
The Unix convention is that "no news is good news" but that can be a bit
|
|
unnerving after an operation like sanitize, especially if it finishes
|
|
quickly (i.e. before the first progress poll is sent). Giving the
|
|
\fI\-\-verbose\fR option once should supply enough additional output to
|
|
settle those nerves.
|
|
.SH AUTHORS
|
|
Written by Douglas Gilbert.
|
|
.SH "REPORTING BUGS"
|
|
Report bugs to <dgilbert at interlog dot com>.
|
|
.SH COPYRIGHT
|
|
Copyright \(co 2011\-2020 Douglas Gilbert
|
|
.br
|
|
This software is distributed under a BSD\-2\-Clause license. There is NO
|
|
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
.SH "SEE ALSO"
|
|
.B sg_requests(8), sg_format(8)
|