Do secure erase technologies available on different types of media set a status or verification flag?
Is there an industry standard to verify when a drive has gone through the process?
First question: YES and NO
# bash: read -n 1 succeeds only if at least one non-zero byte survives tr (read -d '' would hit EOF and always fail, reporting "only zeros" for every disk)
dd if=/dev/sda bs=1M | tr -d '\0' | read -r -n 1 && echo "Disk contains non-zero data" || echo "Disk only contains zeros"
Second question: MORE or LESS (ahah sorry for that^^)
No "industry standards", but rather a NIST "guideline" (which could potentially become a standard if mandated by your specific industry). Please refer to the NIST publication at this link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
On page 20 (of the NIST SP 800-88r1 document), you will find the guideline concerning the "verification of sanitization results", which explains the principles and requirements of erasure verification. This requirement can be easily satisfied by utilizing a known simple pattern for verification (refer to point 2).
However, it is worth noting the presence of CE (cryptographic erasure), another erasure technique that proves highly effective for modern SSDs featuring internal encryption mechanisms. That said, it is important to consider the pros and cons of CE, as its suitability may not be readily apparent in certain cases (e.g. critical industries and cybersecurity concerns), as extensively explained in the NIST SP 800-88r1 guidelines.
Hope it helps.
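As an added example (not part of the answer above), here is the "known simple pattern" verification from SP 800-88r1 written out as a small set of POSIX shell functions: an all-zero check in the spirit of the dd | tr pipeline, a pattern overwrite, a full read-back comparison, and the representative-sampling check the guideline allows for large media. DEV can be a real block device (root required, and write_pattern is destructive) or, for a dry run, an image file; the function names, the 0xAA pattern and the 4 KiB sample size are my own choices, not anything prescribed by NIST or the original post.

```shell
#!/bin/sh
# Added example, not code from the answer above. Pattern-erase and verify a
# device or image file. All function/variable names are the author's own.

# Size of a block device or image file in bytes (blockdev for devices,
# wc as a fallback that also works on regular files).
dev_size() {
  { blockdev --getsize64 "$1" 2>/dev/null || wc -c < "$1"; } | tr -d ' '
}

# Succeeds only if every byte of $1 is zero. Same idea as dd | tr -d '\0':
# strip NULs, and anything that survives is non-zero data.
all_zero() {
  n=$(tr -d '\0' < "$1" | head -c 1 | wc -c | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Emit $1 bytes of the verification pattern. 0xAA (10101010) is chosen so a
# block stuck at all-zero or all-one fails the comparison either way.
pattern() {
  tr '\0' '\252' < /dev/zero | head -c "$1"
}

# DESTRUCTIVE: overwrite $1 end to end with the pattern and flush to the medium.
write_pattern() {
  pattern "$(dev_size "$1")" | dd of="$1" bs=1M conv=notrunc 2>/dev/null
  sync
}

# Full verification: every byte of $1 must equal the pattern (cmp reads the
# expected stream from stdin, '-' is GNU/BusyBox cmp syntax for stdin).
verify_pattern() {
  pattern "$(dev_size "$1")" | cmp -s - "$1"
}

# Representative sampling: check $2 (default 16) 4 KiB blocks at pseudo-random
# offsets. Cheaper than a full pass and correspondingly weaker evidence.
sample_pattern() {
  dev=$1; samples=${2:-16}
  blocks=$(( $(dev_size "$dev") / 4096 ))
  [ "$blocks" -gt 0 ] || return 1
  expected=$(pattern 4096 | od -An -tx1 | tr -d ' \n')
  i=0
  while [ "$i" -lt "$samples" ]; do
    blk=$(( $(od -An -N4 -tu4 /dev/urandom | tr -d ' ') % blocks ))
    got=$(dd if="$dev" bs=4096 skip="$blk" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$got" = "$expected" ] || return 1
    i=$((i + 1))
  done
}

# Typical use on a real disk (as root, and only once you are sure of /dev/sdX):
#   write_pattern /dev/sdX && verify_pattern /dev/sdX && echo "verified"
```

The point of writing a pattern rather than zeros is that a full read-back then distinguishes "the erase ran and completed" from "the drive happened to read as zeros", which is exactly the evidence the verification clause of SP 800-88r1 asks for. Keep in mind that on an SSD the host only ever sees the logical address space: a pattern verification says nothing about over-provisioned or remapped blocks, which is one reason the guideline treats drive-internal sanitize/CE and host overwrite differently.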
NVMe base spec does define a field in the Sanitize Status Log which indicates whether the drive has ever been sanitized. Look for SSTAT in the spec file, which is publicly available.
With that said, the Sanitize command is just one of the commands defined in the spec that can be used to wipe a drive. Another example would be the Format NVM command, in which a Secure Erase Settings (SES) field is defined for the user to request a desired Secure Erase operation. The SSTAT field is most likely not changed if the drive was wiped with this command instead, regardless of the value set in the SES field. (Btw, I am not so sure that in most consumer grade drives the value of the SES field actually makes a difference behind the scenes.)
The Sanitize feature set introduced in more recent ATA/ACS specs also seems to have a field in its command output to indicate whether a sanitize operation has been completed without error (i.e., it is not clearly defined whether a new drive should have the bit set).
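As an added example (not part of the answer above), here is how the SSTAT check described there looks in practice: a few POSIX shell functions that decode the first four bytes of a raw NVMe Sanitize Status log page (Log Identifier 81h). The layout used is the one from the NVMe base spec (bytes 1:0 SPROG, bytes 3:2 SSTAT, little-endian; SSTAT bits 2:0 status, bits 7:3 completed overwrite passes, bit 8 Global Data Erased). The function names are my own, and the nvme-cli invocation in the comment is an assumption about your nvme-cli version.

```shell
#!/bin/sh
# Added example, not code from the answer above. Decodes SPROG/SSTAT from a
# raw NVMe Sanitize Status log page read on stdin. Names are the author's own.

# Print "status passes gde sprog" as four integers for the page on stdin.
sanitize_status_fields() {
  set -- $(head -c 4 | od -An -tu1)
  [ $# -eq 4 ] || { echo "short log page" >&2; return 1; }
  sprog=$(( $1 + $2 * 256 ))   # bytes 1:0, fraction complete out of 65536
  sstat=$(( $3 + $4 * 256 ))   # bytes 3:2
  echo "$(( sstat & 7 )) $(( (sstat >> 3) & 31 )) $(( (sstat >> 8) & 1 )) $sprog"
}

# Meaning of the 3-bit status value (SSTAT bits 2:0).
describe_sanitize_status() {
  case $1 in
    0) echo "never sanitized since manufacture" ;;
    1) echo "most recent sanitize completed successfully" ;;
    2) echo "sanitize in progress" ;;
    3) echo "most recent sanitize failed" ;;
    *) echo "other/reserved status value $1" ;;
  esac
}

# One-line summary for the raw page on stdin; fails on a truncated page.
sanitize_summary() {
  fields=$(sanitize_status_fields) || return 1
  set -- $fields
  echo "status=$1 ($(describe_sanitize_status "$1")), overwrite passes=$2, GDE=$3, progress=$(( $4 * 100 / 65536 ))%"
}

# Usage on a real controller (root, nvme-cli; flag names as in nvme-cli get-log):
#   nvme get-log /dev/nvme0 --log-id=0x81 --log-len=512 --raw-binary | sanitize_summary
# nvme-cli also decodes this page itself:  nvme sanitize-log /dev/nvme0
```

A status of 0 is the "never sanitized" answer to the original question, and because only the Sanitize command updates this log, a drive wiped via Format NVM with an SES value, or via a host overwrite, will still report 0 here. So treat a non-zero SSTAT as evidence that a sanitize ran, not its absence as evidence that nothing did. For ATA drives, hdparm exposes the analogous Sanitize Device state through its --sanitize-status option (an assumption about your hdparm version).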