Secure data deletion for NVMe drive

Edit online

You can use Linux commands to securely delete data from NVMe drives.

Before you begin

Note: If namespaces are detached or deleted, they are not erased. If you cannot determine the condition of the previous namespaces, you must use the procedure to delete stray NVMe namespaces of an NVMe drive in order to ensure that data is safely deleted.
To check whether the NVMe drive supports the crypto-erase operation, run the following command:
nvme id-ctrl /dev/nvmeX |grep fna
In the output, drives that support the crypto-erase operation are identified by an fna value in which the 0x4 bit set.

About this task

To securely delete data for the NVME drive, choose one of the following options depending on how many namespaces you want to erase.
  • If you want to erase the entire NVMe drive including all namespaces, use the nvme formatcommand, which is part of the nvme-cli package. Depending on whether the NVMe drive that you are working with supports the crypto-erase operation, choose one of the following options:
    • If the NVMe drive supports the crypto-erase operation, run the following command:
      nvme format /dev/nvmeX -n 0xffffffff –ses=2 ...
    • If the NVMe drive does not support the crypto-erase operation, run the following command:
      nvme format /dev/nvmeX -n 0xffffffff -ses=1 …
      Notes:
      • The /dev/nvmeX control device is used in the preceding NVMe commands and the namespace device, /dev/nvmeXnY is not used.
      • Detaching or deleting the namespaces of an NVMe drive does not delete the encryption key of an NVMe drive.
  • If you want to erase a few namespaces of an NVMe drive while preserving the remaining namespaces of the NVMe drive, use the nvme format command, which is part of the nvme-cli package to reformat each namespace of the NVMe drive. Depending on whether the NVMe drive that you are working with supports the crypto-erase operation, choose one of the following options.
    • If the NVMe drive supports the crypto-erase operation, run the following command:
      nvme format /dev/nvmeXnY --ses=2 ...
    • If the NVMe drive does not support the crypto-erase operation, run the following command:
      nvme format /dev/nvmeXnY --ses=1 ...