{ "content": [ { "type": "text", "text": "# SG_SANITIZE (man)\n\n## NAME\n\nsgsanitize - remove all user data from disk with SCSI SANITIZE command\n\n## SYNOPSIS\n\nsgsanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run] [--desc] [--early]\n[--fail] [--help] [--invert] [--ipl=LEN] [--overwrite] [--pattern=PF] [--quick] [--test=TE]\n[--timeout=SECS] [--verbose] [--version] [--wait] [--zero] [--znr] DEVICE\n\n## DESCRIPTION\n\nThis utility invokes the SCSI SANITIZE command. This command was first introduced in the\nSBC-3 revision 27 draft. The purpose of the sanitize operation is to alter the information in\nthe cache and on the medium of a logical unit (e.g. a disk) so that the recovery of user data\nis not possible. If that user data cannot be erased, or is in the process of being erased,\nthen the sanitize operation prevents access to that user data.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS** (21 subsections)\n- **NOTES**\n- **EXAMPLES**\n- **EXIT STATUS**\n- **AUTHORS**\n- **REPORTING BUGS**\n- **COPYRIGHT**\n- **SEE ALSO**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "SG_SANITIZE", "section": "", "mode": "man", "summary": "sgsanitize - remove all user data from disk with SCSI SANITIZE command", "synopsis": "sgsanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run] [--desc] [--early]\n[--fail] [--help] [--invert] [--ipl=LEN] [--overwrite] [--pattern=PF] [--quick] [--test=TE]\n[--timeout=SECS] [--verbose] [--version] [--wait] [--zero] [--znr] DEVICE", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [ { "flag": "-A", "long": "--ause", "arg": null, "description": "sets the AUSE bit in the cdb. AUSE is an acronym for \"allow unrestricted sanitize exit\". The default action is to leave the AUSE bit cleared." }, { "flag": "-B", "long": "--block", "arg": null, "description": "perform a \"block erase\" sanitize operation." }, { "flag": "-c", "long": "--count", "arg": null, "description": "where OC is the \"overwrite count\" associated with the \"overwrite\" sanitize operation. OC can be a value between 1 and 31 and 1 is the default." }, { "flag": "-C", "long": "--crypto", "arg": null, "description": "perform a \"cryptographic erase\" sanitize operation. Note that this erase is often very quick as it simply overwrites an internal cryptographic key with a new value. Those keys are not accessible to users and encrypt all data written then decrypt all data read from the media. The primary reason for doing that is to make this operation fast. This operation can not be reversed." }, { "flag": "-d", "long": "--desc", "arg": null, "description": "sets the DESC field in the REQUEST SENSE command used for polling. By default this field is set to zero. A REQUEST SENSE polling loop is used after the SANITIZE command is issued (assuming that neither the --early nor the --wait option have been given) to check on the progress of this command as it can take some time." }, { "flag": "-D", "long": "--dry-run", "arg": null, "description": "this option will parse the command line, do all the preparation but bypass the actual SANITIZE command." }, { "flag": "-e", "long": "--early", "arg": null, "description": "the default action of this utility is to poll the disk every 60 seconds to fetch the progress indication until the sanitize is finished. When this option is given this utility will exit \"early\" as soon as the SANITIZE command with the IMMED bit set to 1 has been acknowledged. This option and --wait cannot both be given." }, { "flag": "-F", "long": "--fail", "arg": null, "description": "perform an \"exit failure mode\" sanitize operation. Typically requires the preceding SANITIZE command to have set the AUSE bit." }, { "flag": "-h", "long": "--help", "arg": null, "description": "print out the usage information then exit." }, { "flag": "-i", "long": "--ipl", "arg": null, "description": "set the initialization pattern length to LEN bytes. By default it is set to the length of the pattern file (PF) or 4 if the --zero option is given. Only active when the --overwrite option is also given. It is the number of bytes from the PF file that will be used as the initialization pattern (if the --zero option is not given). The mini‐ mum size is 1 byte and the maximum is the logical block size of the DEVICE (and not to exceed 65535). If LEN exceeds the PF file size then the initialization pattern is padded with zeros." }, { "flag": "-I", "long": "--invert", "arg": null, "description": "set the INVERT bit in the overwrite service action parameter list. This only affects the \"overwrite\" sanitize operation. The default is a clear INVERT bit. When the INVERT bit is set then the initialization pattern is inverted between consecutive overwrite passes." }, { "flag": "-O", "long": "--overwrite", "arg": null, "description": "perform an \"overwrite\" sanitize operation. When this option is given then the --pat‐ tern=PF or the --zero option is required." }, { "flag": "-p", "long": "--pattern", "arg": null, "description": "where PF is the filename of a file containing the initialization pattern required by an \"overwrite\" sanitize operation. The length of this file will be used as the length of the initialization pattern unless the --ipl=LEN option is given. The length of the initialization pattern must be from 1 to the logical block size of the DEVICE." }, { "flag": "-Q", "long": "--quick", "arg": null, "description": "the default action (i.e. when the option is not given) is to give the user 15 seconds to reconsider doing a sanitize operation on the DEVICE. When this option is given that step (i.e. the 15 second warning period) is skipped." }, { "flag": "-T", "long": "--test", "arg": null, "description": "set the TEST field in the overwrite service action parameter list. This only affects the \"overwrite\" sanitize operation. The default is to place 0 in that field." }, { "flag": "-t", "long": "--timeout", "arg": null, "description": "where SECS is the number of seconds used for the timeout on the SANITIZE command." }, { "flag": "-v", "long": "--verbose", "arg": null, "description": "increase the level of verbosity, (i.e. debug output)." }, { "flag": "-V", "long": "--version", "arg": null, "description": "print the version string and then exit." }, { "flag": "-w", "long": "--wait", "arg": null, "description": "the default action (i.e. without this option and the --early option) is to start the SANITIZE command with the IMMED bit set then poll for the progress indication with the REQUEST SENSE command until the sanitize operation is complete (or fails). When this option is given (and the --early option is not given) then the SANITIZE command is started with the IMMED bit clear. For a large disk this might take hours. [A crypto‐ graphic erase operation could potentially be very quick.]" }, { "flag": "-z", "long": "--zero", "arg": null, "description": "with an \"overwrite\" sanitize operation this option causes the initialization pattern to be zero (4 zeros are used as the initialization pattern). Cannot be used with the --pattern=PF option. If this option is given twice (e.g. '-zz') then 0xff is used as the initialization byte." }, { "flag": "-Z", "long": "--znr", "arg": null, "description": "sets ZNR bit (zoned no reset) in cdb. Introduced in the SBC-4 revision 7 draft." } ], "examples": [ "These examples use Linux device names. For suitable device names in other supported Operating", "Systems see the sg3utils(8) man page.", "As a precaution if this utility is called with no options then apart from printing a usage", "message, nothing happens:", "sgsanitize /dev/sdm", "To do a \"block erase\" sanitize the --block option is required. The user will be given a 15", "second period to reconsider, the SCSI SANITIZE command will be started with the IMMED bit", "set, then this utility will poll for a progress indication with a REQUEST SENSE command until", "the sanitize operation is finished:", "sgsanitize --block /dev/sdm", "To start a \"block erase\" sanitize and return from this utility once it is started (but not", "yet completed) use the --early option:", "sgsanitize --block --early /dev/sdm", "If the 15 second reconsideration time is not required add the --quick option:", "sgsanitize --block --quick --early /dev/sdm", "To do an \"overwrite\" sanitize a pattern file may be given:", "sgsanitize --overwrite --pattern=rand.img /dev/sdm", "If the length of that \"rand.img\" is 512 bytes (a typically logical block size) then to use", "only the first 17 bytes (repeatedly) in the \"overwrite\" sanitize operation:", "sgsanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm", "To overwrite with zeros use:", "sgsanitize --overwrite --zero /dev/sdm" ], "see_also": [ { "name": "sgrequests", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sgrequests/8/json" }, { "name": "sgformat", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sgformat/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 4, "subsections": [] }, { "name": "DESCRIPTION", "lines": 28, "subsections": [] }, { "name": "OPTIONS", "lines": 3, "subsections": [ { "name": "-A --ause", "lines": 3, "flag": "-A", "long": "--ause" }, { "name": "-B --block", "lines": 2, "flag": "-B", "long": "--block" }, { "name": "-c --count", "lines": 3, "flag": "-c", "long": "--count" }, { "name": "-C --crypto", "lines": 6, "flag": "-C", "long": "--crypto" }, { "name": "-d --desc", "lines": 5, "flag": "-d", "long": "--desc" }, { "name": "-D --dry-run", "lines": 3, "flag": "-D", "long": "--dry-run" }, { "name": "-e --early", "lines": 5, "flag": "-e", "long": "--early" }, { "name": "-F --fail", "lines": 3, "flag": "-F", "long": "--fail" }, { "name": "-h --help", "lines": 2, "flag": "-h", "long": "--help" }, { "name": "-i --ipl", "lines": 8, "flag": "-i", "long": "--ipl" }, { "name": "-I --invert", "lines": 5, "flag": "-I", "long": "--invert" }, { "name": "-O --overwrite", "lines": 3, "flag": "-O", "long": "--overwrite" }, { "name": "-p --pattern", "lines": 5, "flag": "-p", "long": "--pattern" }, { "name": "-Q --quick", "lines": 4, "flag": "-Q", "long": "--quick" }, { "name": "-T --test", "lines": 3, "flag": "-T", "long": "--test" }, { "name": "-t --timeout", "lines": 2, "flag": "-t", "long": "--timeout" }, { "name": "-v --verbose", "lines": 2, "flag": "-v", "long": "--verbose" }, { "name": "-V --version", "lines": 2, "flag": "-V", "long": "--version" }, { "name": "-w --wait", "lines": 7, "flag": "-w", "long": "--wait" }, { "name": "-z --zero", "lines": 5, "flag": "-z", "long": "--zero" }, { "name": "-Z --znr", "lines": 2, "flag": "-Z", "long": "--znr" } ] }, { "name": "NOTES", "lines": 33, "subsections": [] }, { "name": "EXAMPLES", "lines": 36, "subsections": [] }, { "name": "EXIT STATUS", "lines": 9, "subsections": [] }, { "name": "AUTHORS", "lines": 2, "subsections": [] }, { "name": "REPORTING BUGS", "lines": 2, "subsections": [] }, { "name": "COPYRIGHT", "lines": 4, "subsections": [] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] } ], "sections": { "NAME": { "content": "sgsanitize - remove all user data from disk with SCSI SANITIZE command\n", "subsections": [] }, "SYNOPSIS": { "content": "sgsanitize [--ause] [--block] [--count=OC] [--crypto] [--dry-run] [--desc] [--early]\n[--fail] [--help] [--invert] [--ipl=LEN] [--overwrite] [--pattern=PF] [--quick] [--test=TE]\n[--timeout=SECS] [--verbose] [--version] [--wait] [--zero] [--znr] DEVICE\n", "subsections": [] }, "DESCRIPTION": { "content": "This utility invokes the SCSI SANITIZE command. This command was first introduced in the\nSBC-3 revision 27 draft. The purpose of the sanitize operation is to alter the information in\nthe cache and on the medium of a logical unit (e.g. a disk) so that the recovery of user data\nis not possible. If that user data cannot be erased, or is in the process of being erased,\nthen the sanitize operation prevents access to that user data.\n\nOnce a SCSI SANITIZE command has successfully started, then user data from that disk is no\nlonger available. Even if the disk is power cycled, the sanitize operation will continue af‐\nter power is re-instated until it is complete.\n\nThis utility requires either the --block, --crypto, --fail or --overwrite option. With the\n--block, --crypto or --overwrite option the user is given 15 seconds to reconsider whether\nthey wish to erase all the data on a disk, unless the --quick option is given in which case\nthe sanitize operation starts immediately. The disk's INQUIRY response strings are printed\nout just in case the wrong DEVICE has been given.\n\nIf the --early option is given then this utility will exit soon after starting the SANITIZE\ncommand with the IMMED bit set. The user can monitor the progress of the sanitize operation\nwith the \"sgrequests --num=9999 --progress\" which sends a REQUEST SENSE command every 30\nseconds. Otherwise if the --wait option is given then this utility will wait until the SANI‐\nTIZE command completes (or fails) and that can be many hours.\n\nIf the --wait option is not given then the SANITIZE command is started with the IMMED bit\nset. If neither the --early nor the --wait options are given then this utility sends a RE‐\nQUEST SENSE command after every 60 seconds until there are no more progress indications in\nwhich case this utility exits silently. If additionally the --verbose option is given the\nexit will be marked by a short message that the sanitize seems to have succeeded.\n", "subsections": [] }, "OPTIONS": { "content": "Arguments to long options are mandatory for short options as well. The options are arranged\nin alphabetical order based on the long option name.\n", "subsections": [ { "name": "-A --ause", "content": "sets the AUSE bit in the cdb. AUSE is an acronym for \"allow unrestricted sanitize\nexit\". The default action is to leave the AUSE bit cleared.\n", "flag": "-A", "long": "--ause" }, { "name": "-B --block", "content": "perform a \"block erase\" sanitize operation.\n", "flag": "-B", "long": "--block" }, { "name": "-c --count", "content": "where OC is the \"overwrite count\" associated with the \"overwrite\" sanitize operation.\nOC can be a value between 1 and 31 and 1 is the default.\n", "flag": "-c", "long": "--count" }, { "name": "-C --crypto", "content": "perform a \"cryptographic erase\" sanitize operation. Note that this erase is often very\nquick as it simply overwrites an internal cryptographic key with a new value. Those\nkeys are not accessible to users and encrypt all data written then decrypt all data\nread from the media. The primary reason for doing that is to make this operation fast.\nThis operation can not be reversed.\n", "flag": "-C", "long": "--crypto" }, { "name": "-d --desc", "content": "sets the DESC field in the REQUEST SENSE command used for polling. By default this\nfield is set to zero. A REQUEST SENSE polling loop is used after the SANITIZE command\nis issued (assuming that neither the --early nor the --wait option have been given) to\ncheck on the progress of this command as it can take some time.\n", "flag": "-d", "long": "--desc" }, { "name": "-D --dry-run", "content": "this option will parse the command line, do all the preparation but bypass the actual\nSANITIZE command.\n", "flag": "-D", "long": "--dry-run" }, { "name": "-e --early", "content": "the default action of this utility is to poll the disk every 60 seconds to fetch the\nprogress indication until the sanitize is finished. When this option is given this\nutility will exit \"early\" as soon as the SANITIZE command with the IMMED bit set to 1\nhas been acknowledged. This option and --wait cannot both be given.\n", "flag": "-e", "long": "--early" }, { "name": "-F --fail", "content": "perform an \"exit failure mode\" sanitize operation. Typically requires the preceding\nSANITIZE command to have set the AUSE bit.\n", "flag": "-F", "long": "--fail" }, { "name": "-h --help", "content": "print out the usage information then exit.\n", "flag": "-h", "long": "--help" }, { "name": "-i --ipl", "content": "set the initialization pattern length to LEN bytes. By default it is set to the length\nof the pattern file (PF) or 4 if the --zero option is given. Only active when the\n--overwrite option is also given. It is the number of bytes from the PF file that will\nbe used as the initialization pattern (if the --zero option is not given). The mini‐\nmum size is 1 byte and the maximum is the logical block size of the DEVICE (and not to\nexceed 65535). If LEN exceeds the PF file size then the initialization pattern is\npadded with zeros.\n", "flag": "-i", "long": "--ipl" }, { "name": "-I --invert", "content": "set the INVERT bit in the overwrite service action parameter list. This only affects\nthe \"overwrite\" sanitize operation. The default is a clear INVERT bit. When the INVERT\nbit is set then the initialization pattern is inverted between consecutive overwrite\npasses.\n", "flag": "-I", "long": "--invert" }, { "name": "-O --overwrite", "content": "perform an \"overwrite\" sanitize operation. When this option is given then the --pat‐\ntern=PF or the --zero option is required.\n", "flag": "-O", "long": "--overwrite" }, { "name": "-p --pattern", "content": "where PF is the filename of a file containing the initialization pattern required by\nan \"overwrite\" sanitize operation. The length of this file will be used as the length\nof the initialization pattern unless the --ipl=LEN option is given. The length of the\ninitialization pattern must be from 1 to the logical block size of the DEVICE.\n", "flag": "-p", "long": "--pattern" }, { "name": "-Q --quick", "content": "the default action (i.e. when the option is not given) is to give the user 15 seconds\nto reconsider doing a sanitize operation on the DEVICE. When this option is given\nthat step (i.e. the 15 second warning period) is skipped.\n", "flag": "-Q", "long": "--quick" }, { "name": "-T --test", "content": "set the TEST field in the overwrite service action parameter list. This only affects\nthe \"overwrite\" sanitize operation. The default is to place 0 in that field.\n", "flag": "-T", "long": "--test" }, { "name": "-t --timeout", "content": "where SECS is the number of seconds used for the timeout on the SANITIZE command.\n", "flag": "-t", "long": "--timeout" }, { "name": "-v --verbose", "content": "increase the level of verbosity, (i.e. debug output).\n", "flag": "-v", "long": "--verbose" }, { "name": "-V --version", "content": "print the version string and then exit.\n", "flag": "-V", "long": "--version" }, { "name": "-w --wait", "content": "the default action (i.e. without this option and the --early option) is to start the\nSANITIZE command with the IMMED bit set then poll for the progress indication with the\nREQUEST SENSE command until the sanitize operation is complete (or fails). When this\noption is given (and the --early option is not given) then the SANITIZE command is\nstarted with the IMMED bit clear. For a large disk this might take hours. [A crypto‐\ngraphic erase operation could potentially be very quick.]\n", "flag": "-w", "long": "--wait" }, { "name": "-z --zero", "content": "with an \"overwrite\" sanitize operation this option causes the initialization pattern\nto be zero (4 zeros are used as the initialization pattern). Cannot be used with the\n--pattern=PF option. If this option is given twice (e.g. '-zz') then 0xff is used as\nthe initialization byte.\n", "flag": "-z", "long": "--zero" }, { "name": "-Z --znr", "content": "sets ZNR bit (zoned no reset) in cdb. Introduced in the SBC-4 revision 7 draft.\n", "flag": "-Z", "long": "--znr" } ] }, "NOTES": { "content": "The SCSI SANITIZE command is closely related to the ATA SANITIZE command, both are relatively\nnew with the ATA command being the first one defined. The SCSI to ATA Translation (SAT) def‐\ninition for the SCSI SANITIZE command appeared in the SAT-3 revision 4 draft.\n\nWhen a SAT layer is used to a (S)ATA disk then for OVERWRITE the initialization pattern must\nbe 4 bytes long. So this means either the --zero option may be given, or a pattern file (with\nthe --pattern=PF option) that is 4 bytes long or set to that length with the --ipl=LEN op‐\ntion.\n\nThe SCSI SANITIZE command is related to the SCSI FORMAT UNIT command. It is likely that a\nblock erase sanitize operation would take a similar amount of time as a format on the same\ndisk (e.g. 9 hours for a 2 Terabyte disk). The primary goal of a format is the configuration\nof the disk at the end of a format (e.g. different logical block size or protection informa‐\ntion added). Removal of user data is only a side effect of a format. With the SCSI SANITIZE\ncommand, removal of user data is the primary goal. If a sanitize operation is interrupted\n(e.g. the disk is power cycled) then after power up any remaining user data will not be\navailable and the sanitize operation will continue. When a format is interrupted (e.g. the\ndisk is power cycled) the drafts say very little about the state of the disk. In practice\nsome of the original user data may remain and the format may need to be restarted.\n\nFinding out whether a disk (SCSI or ATA) supports SANITIZE can be a challenge. If the user\nreally needs to find out and no other information is available then try 'sgsanitize --fail\n-vvv ' and observe the sense data returned may be the safest approach. Using the\n--fail variant of this utility should have no effect unless it follows an already failed san‐\nitize operation. If the SCSI REPORT SUPPORTED OPERATION CODES command (see sgopcodes) is\nsupported then using it would be a better approach for finding if sanitize is supported.\n\nIf using the dd command to check the before and after data of a particular block (i.e. check\nthe erase actually worked) it is a good idea to use the 'iflag=direct' operand. Otherwise the\nfirst read might be cached and returned when the same LBA is read a little later. Obviously\nthis utility should only be used to sanitize data on a disk whose mounted file systems (if\nany) have been unmounted prior to the erase!\n", "subsections": [] }, "EXAMPLES": { "content": "These examples use Linux device names. For suitable device names in other supported Operating\nSystems see the sg3utils(8) man page.\n\nAs a precaution if this utility is called with no options then apart from printing a usage\nmessage, nothing happens:\n\nsgsanitize /dev/sdm\n\nTo do a \"block erase\" sanitize the --block option is required. The user will be given a 15\nsecond period to reconsider, the SCSI SANITIZE command will be started with the IMMED bit\nset, then this utility will poll for a progress indication with a REQUEST SENSE command until\nthe sanitize operation is finished:\n\nsgsanitize --block /dev/sdm\n\nTo start a \"block erase\" sanitize and return from this utility once it is started (but not\nyet completed) use the --early option:\n\nsgsanitize --block --early /dev/sdm\n\nIf the 15 second reconsideration time is not required add the --quick option:\n\nsgsanitize --block --quick --early /dev/sdm\n\nTo do an \"overwrite\" sanitize a pattern file may be given:\n\nsgsanitize --overwrite --pattern=rand.img /dev/sdm\n\nIf the length of that \"rand.img\" is 512 bytes (a typically logical block size) then to use\nonly the first 17 bytes (repeatedly) in the \"overwrite\" sanitize operation:\n\nsgsanitize --overwrite --pattern=rand.img --ipl=17 /dev/sdm\n\nTo overwrite with zeros use:\nsgsanitize --overwrite --zero /dev/sdm\n", "subsections": [] }, "EXIT STATUS": { "content": "The exit status of sgsanitize is 0 when it is successful. Otherwise see the sg3utils(8) man\npage. Unless the --wait option is given, the exit status may not reflect the success of oth‐\nerwise of the format.\n\nThe Unix convention is that \"no news is good news\" but that can be a bit unnerving after an\noperation like sanitize, especially if it finishes quickly (i.e. before the first progress\npoll is sent). Giving the --verbose option once should supply enough additional output to\nsettle those nerves.\n", "subsections": [] }, "AUTHORS": { "content": "Written by Douglas Gilbert.\n", "subsections": [] }, "REPORTING BUGS": { "content": "Report bugs to .\n", "subsections": [] }, "COPYRIGHT": { "content": "Copyright © 2011-2020 Douglas Gilbert\nThis software is distributed under a FreeBSD license. There is NO warranty; not even for MER‐\nCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n", "subsections": [] }, "SEE ALSO": { "content": "sgrequests(8), sgformat(8)\n\n\n\nsg3utils-1.46 December 2020 SGSANITIZE(8)", "subsections": [] } } } }