Hard Disk Drives (HDD)
Secure Erase is the name given to a set of commands available from the firmware on PATA- and SATA-based hard drives (so not available on SCSI or SAS drives). Secure Erase commands are used as a data sanitization method to completely
overwrite all of the data on a hard drive including the HPA (Host Protected Area). Once a hard drive has been erased with a program that utilizes
Secure Erase firmware commands, no file recovery program, partition recovery program, or other data recovery method will be able to extract data from the drive.
Note: Secure Erase, or really any data sanitization method, is not the same as sending files to your computer's Recycle Bin or trash. The former will "permanently" delete files, whereas the latter only moves the data to a location that's
easy to flush away from the system (and just as easy to recover).
Secure Erase Wipe Method
The Secure Erase data sanitization method is implemented in the following way: a one-pass write of a binary one or zero.
No verification of the overwrite is needed with the Secure Erase method because the writing occurs from within the drive, meaning the drive's write fault detection prevents any misses. This makes Secure Erase very fast compared to other data
sanitization methods and arguably more effective. This is different from other data sanitization methods like CSEC ITSG-06,
RCMP TSSIT OPS-II and DoD 5220.22-M, which usually implement a verification after the first or last pass,
and/or any other passes.
Some specific Secure Erase commands include SECURITY ERASE PREPARE and SECURITY ERASE UNIT.
More About Secure Erase
Since Secure Erase is a whole-drive data sanitization method only, it is not available as a data wipe method when destroying individual files or folders. Using Secure Erase to erase the data from a hard drive is often considered the best way to do
so because the action is accomplished from the drive itself, the same hardware that wrote the data in the first place. Other methods of removing data from a hard drive may be less effective because they rely on more standard ways of overwriting data.
According to the National Institute of Standards and Technology (NIST) Special Publication 800-88 (PDF file below), the only method of software-based data sanitization is one that
utilizes a hard drive's Secure Erase commands.
Note: You cannot run firmware commands on a hard drive like you can run commands in Windows from the Command Prompt. To execute Secure Erase
commands, you must use some program that interfaces directly with the hard drive and even then, you probably won't be running the command manually.
Solid State Drives (SSD)
An SSD drive is a storage device that uses flash memory to store data. It's a modern alternative to traditional hard disk drives (HDDs) and offers faster access times and improved performance. Secure erasing an SSD drive is essential when you want
to dispose of or sell your drive. Simply deleting files or formatting the drive is not enough to permanently remove data from an SSD. Secure erasing ensures that all data is irrecoverably wiped. Many SSD models include a secure erase feature in
their firmware. This feature allows you to initiate a secure erase command that wipes all data on the drive. It typically relies on the advanced technology attachment (ATA) command set to perform the secure erase operation.
The time it takes to secure erase an SSD drive can vary depending on factors such as the drive's capacity, its speed, and the method used. Generally, the process can take anywhere from a few minutes to a couple of hours. It's recommended to be
patient and let the secure erase process complete without interruptions. After a successful secure erase, all data on the SSD drive should be permanently removed. The drive becomes empty, and any previous files or partitions are no longer
accessible. At this point, you can repurpose the drive, sell it, or dispose of it safely without the risk of someone recovering your old data.
Non-Volatile Memory Express drives (NVMe)
NVMe is a logical-device interface specification for accessing a computer's non-volatile storage media usually attached via the PCI Express bus. NVM Express has been designed from the ground up to capitalize on the low latency and
parallelism of PCI Express disks.
The NVMe specification defines a standardized way to format and sanitize NVMe drives, since those do not use the SATA interface protocol and therefore cannot be cleared in the same way as SATA SSDs. According to the NVMe 1.4 specification,
"a sanitize operation alters all user data in the NVM subsystem such that recovery of any previous user data from any cache, the non-volatile media, or any Controller Memory Buffer is not possible."
User Data Erase: All user data shall be erased, contents of the user data after the erase is indeterminate (e.g., the user data may be zero filled, one filled, etc.). The controller may perform a cryptographic erase when a User Data Erase
is requested if all user data is encrypted.
Cryptographic Erase: All user data shall be erased cryptographically. This is accomplished by deleting the encryption key.
Available options are Block Erase and Crypto Erase.
The Block Erase sanitize operation alters user data with a low-level block erase method that is specific to the media for all locations on the media within the NVM subsystem in which user data may be stored. The Crypto Erase sanitize
operation alters user data by changing the media encryption keys for all locations on the media within the NVM subsystem in which user data may be stored.
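To confirm which of these operations a controller offers and that one actually completed, the following added example (not from the original page) decodes the SANICAP capability field and the Sanitize Status log page. The field layouts are those of NVMe 1.4, the function names are hypothetical, and the log bytes are constructed samples rather than output from a real drive.

```python
import struct

# Field layouts below follow the NVMe 1.4 specification.
# SANICAP: sanitize capabilities in the Identify Controller data structure.
SANICAP_BITS = {0: "crypto-erase", 1: "block-erase", 2: "overwrite"}
# SANACT: sanitize action, bits 2:0 of Sanitize command dword 10.
SANACT = {0b010: "block-erase", 0b011: "overwrite", 0b100: "crypto-erase"}
# SSTAT bits 2:0; value 4 means completed with all blocks deallocated.
SSTAT = {0: "never sanitized", 1: "completed", 2: "in progress",
         3: "failed", 4: "completed"}

# Constructed Sanitize Status log pages (first 8 bytes: SPROG, SSTAT, SCDW10).
LOG_CRYPTO_DONE = struct.pack("<HHI", 0xFFFF, 0x0001, 0b100)
LOG_BLOCK_RUNNING = struct.pack("<HHI", 0x8000, 0x0002, 0b010)


def supported_actions(sanicap):
    """Sanitize operations the controller advertises in SANICAP."""
    return [name for bit, name in SANICAP_BITS.items() if sanicap >> bit & 1]


def parse_sanitize_log(log):
    """Decode status, progress and requested action from the Sanitize Status log."""
    sprog, sstat, scdw10 = struct.unpack_from("<HHI", log)
    return {
        "status": SSTAT.get(sstat & 0x7, "reserved"),
        "progress_pct": round(sprog * 100 / 65536, 1),  # SPROG is a fraction of 65536
        "action": SANACT.get(scdw10 & 0x7, "other"),
    }


def sanitize_verified(log, expected_action):
    """True only if the most recent sanitize finished and used the expected action."""
    result = parse_sanitize_log(log)
    return result["status"] == "completed" and result["action"] == expected_action


if __name__ == "__main__":
    print(supported_actions(0b011))
    print(parse_sanitize_log(LOG_BLOCK_RUNNING))
    print(sanitize_verified(LOG_CRYPTO_DONE, "crypto-erase"))
```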
- NIST SP 800-88 (Language: EN, File: 0,4 MB)
- NIST SP 800-88 Revision 1 (Language: EN, File: 0,5 MB)