How to securely erase an NVMe SSD

Question

It's generally accepted that SSDs cannot be securely wiped by writing patterns to the drive, due to features such as wear leveling and over-provisioning, and that the most secure way to wipe a modern SSD is using the ATA Secure Erase firmware commands.

However, from my understanding this doesn't seem to apply to NVMe drives because they're not ATA-based - instead, they connect via the PCIe bus. Looking at the Parted Magic tool seems to confirm that NVMe drives have their own equivalent to the ATA Secure Erase command for SATA SSDs:

However, I haven't been able to find an NVMe equivalent for hdparm. How exactly can I securely erase an NVMe SSD? I'm running Windows, but also have access to a Unix-like environment using Cygwin.

Answer 1

Yes, it's true that hdparm will not work for NVMe drives, because they don't use the traditional ATA interface protocol that SATA drives use to send low-level firmware commands to the drive.

Thankfully, there's an open-source tool that allows sending the equivalent commands to NMVe drives - nvme-cli. The tool has already been made available as a package for many distributions, and can be compiled for many more.

Once you have the tool installed with something like:

apt-get install nvme-cli

You can then list all recognised NVMe devices with:

nvme list 

To securely erase a listed NVMe SSD, run:

nvme format -s1 /dev/nvme0n1

...where /dev/nvme0n1 is the block name of the listed device.

Answer 2

As an alternative to nvme-cli one can do "PSID revert" using sedutil. Some vendor-specific software also provide this function (e.g. "Secure Erase" in Samsung Magician).