Secure data deletion for NVMe drive
You can use Linux commands to securely delete data from NVMe drives.
Before you begin
Note: If namespaces are detached or deleted, they are not erased. If you cannot
determine the condition of the previous namespaces, you must use the procedure to delete stray NVMe
namespaces of an NVMe drive in order to ensure that data is safely deleted.
To check whether
the NVMe drive supports the crypto-erase operation, run the following
command:nvme id-ctrl /dev/nvmeX |grep fna
In the output, drives that support
the crypto-erase operation are identified by an fna
value in which the 0x4 bit
set.About this task
To securely delete data for the NVME drive, choose one of the following options depending on how
many namespaces you want to erase.
- If you want to erase the entire NVMe drive including all namespaces, use the
nvme
formatcommand, which is part of the
nvme-cli
package. Depending on whether the NVMe drive that you are working with supports the crypto-erase operation, choose one of the following options:- If the NVMe drive supports the crypto-erase operation, run the following
command:
nvme format /dev/nvmeX -n 0xffffffff –ses=2 ...
- If the NVMe drive does not support the crypto-erase operation, run the following
command:
nvme format /dev/nvmeX -n 0xffffffff -ses=1 …
Notes:- The
/dev/nvmeX
control device is used in the preceding NVMe commands and the namespace device,/dev/nvmeXnY
is not used. - Detaching or deleting the namespaces of an NVMe drive does not delete the encryption key of an NVMe drive.
- The
- If the NVMe drive supports the crypto-erase operation, run the following
command:
- If you want to erase a few namespaces of an NVMe drive while preserving the remaining namespaces
of the NVMe drive, use the nvme
format command, which is part of the
nvme-cli
package to reformat each namespace of the NVMe drive. Depending on whether the NVMe drive that you are working with supports the crypto-erase operation, choose one of the following options.- If the NVMe drive supports the crypto-erase operation, run the following
command:
nvme format /dev/nvmeXnY --ses=2 ...
- If the NVMe drive does not support the crypto-erase operation, run the following
command:
nvme format /dev/nvmeXnY --ses=1 ...
- If the NVMe drive supports the crypto-erase operation, run the following
command: