linux-nvme.lists.infradead.org archive mirror
* help re using nvme-cli to sanitize SSD
From: Deane Coleman @ 2024-04-22  2:08 UTC (permalink / raw)
  To: linux-nvme; +Cc: deanewcoleman

Hi Gang,

I'm pre-novice when it comes to command lines, let alone nvme-cli, and
respectfully seek your assistance to successfully achieve the objective now
described.

I have an Acer laptop containing 1 x internal Samsung NVMe PCIe SSD running
Win11 OS and I wish to completely sanitize the SSD of all user data,
including over-provisioned / non-allocated space, whilst leaving vendor boot
capability intact (if possible) and causing least wear on the SSD. Once
sanitized, I wish to clean install Win 11 OS on the SSD. This is the
objective.

Win11 reports the SSD has 3 unencrypted partitions, as follows: 1) Fat32 EFI
system partition / volume; 2) NTFS data partition / boot volume; and 3) NTFS
MS recovery partition.

My limited use of nvme-cli identifies the SSD has only one controller
'nvme0' (with nvme0 containing all SSD data) and one namespace 'nvme0n1',
however I presume (and please correct me if I'm wrong) the 3 above mentioned
partitions in Linux = nvme0n1p1 + nvme0n1p2 + nvme0n1p3.

Based on above info (and presuming that info is sufficient), I respectfully
ask whether the following procedure will 'smoothly' achieve the objective:

1: backup all user data currently on SSD
2: have bootable Win11 ISO file prepped on USB drive via Rufus
3: boot laptop using Ubuntu Live USB
4: Open command terminal and run command - 'nvme sanitize -a 2 /dev/nvme0n1'
to start block erase sanitize operation
5: when sanitize operation is complete, exchange Ubuntu Live USB for Win11
USB and reboot laptop
6: Follow Win11 install procedures
7: Install Acer drivers
8: Install target apps

Additional questions arising from above:
- If any above element won't achieve objective, please clarify what needs
amending?
- I currently understand 'nvme sanitize -a 4 /dev/nvme0n1' (crypto erase)
causes least SSD wear but because all user data on the SSD is currently
unencrypted, I presume crypto erase is pointless to achieve objective?
- I've tried researching the following sanitize options but am currently
unable to appreciate their significance or relevance for the objective: 'No
Deallocate After Sanitize' and 'Sanitize Action...001b - Exit Failure Mode'.
Would you please help me discern whether I need to include either of these
options to meet the objective and, if so, the correct syntax placement in
the sanitize command for it/ them.

As I'm so novice, please respond in most simplistic terms for my sake.
Thanks for considering my request and kind regards,

Deane Coleman




* Re: help re using nvme-cli to sanitize SSD
From: Keith Busch @ 2024-04-22  2:49 UTC (permalink / raw)
  To: Deane Coleman; +Cc: linux-nvme

> I have an Acer laptop containing 1 x internal Samsung NVMe PCIe SSD running
> Win11 OS and I wish to completely sanitize the SSD of all user data,
> including over-provisioned / non-allocated space, whilst leaving vendor boot
> capability intact (if possible) and causing least wear on the SSD. Once
> sanitized, I wish to clean install Win 11 OS on the SSD. This is the
> objective.

What do you mean by "vendor boot capability"? The Acer laptop? Or the
SSD bootstrapping itself? If there's something on the SSD that Acer
needs to boot, sanitize will likely wipe it out.
 
> My limited use of nvme-cli identifies the SSD has only one controller
> 'nvme0' (with nvme0 containing all SSD data) and one namespace 'nvme0n1',
> however I presume (and please correct me if I'm wrong) the 3 above mentioned
> partitions in Linux = nvme0n1p1 + nvme0n1p2 + nvme0n1p3.
> 
> Based on above info (and presuming that info is sufficient), I respectfully
> ask whether the following procedure will 'smoothly' achieve the objective:
> 
> 1: backup all user data currently on SSD
> 2: have bootable Win11 ISO file prepped on USB drive via Rufus
> 3: boot laptop using Ubuntu Live USB
> 4: Open command terminal and run command - 'nvme sanitize -a 2 /dev/nvme0n1'
> to start block erase sanitize operation
> 5: when sanitize operation is complete, exchange Ubuntu Live USB for Win11
> USB and reboot laptop
> 6: Follow Win11 install procedures
> 7: Install Acer drivers
> 8: Install target apps

I don't know about step 6 there: why would you want to install that OS?

Kidding aside, assuming your device supports sanitize, step 4 will
definitely make all previous data inaccessible on all partitions,
including the partition table itself, essentially giving you a
blank slate storage device. If that's what you want, mission
accomplished.

Some devices don't support the sanitize operation though, in which case
'nvme format' is usually sufficient to permanently remove all previous
user data. You often use sanitize only if you're required to have a
paranoid decommissioning process.
 
> Additional questions arising from above:
> - If any above element won't achieve objective, please clarify what needs
> amending?
> - I currently understand 'nvme sanitize -a 4 /dev/nvme0n1' (crypto erase)
> causes least SSD wear but because all user data on the SSD is currently
> unencrypted, I presume crypto erase is pointless to achieve objective?

It's going to be vendor specific what that does, if anything. An SSD
might transparently generate and persistently store a random pattern and
XOR all user data with that, so a crypto erase could just forget the old
key.

> - I've tried researching the following sanitize options but am currently
> unable to appreciate their significance or relevance for the objective: 'No
> Deallocate After Sanitize' and 'Sanitize Action...001b - Exit Failure Mode'.
> Would you please help me discern whether I need to include either of these
> options to meet the objective and, if so, the correct syntax placement in
> the sanitize command for it/ them.

Don't bother with "no-deallocate", it probably doesn't mean anything to
this SSD anyway.

The "Exit Failure Mode" is how the host acknowledges a previous sanitize
attempt failed. You shouldn't have to worry about that because we're
expecting everything to work.

Once you start your 'sanitize' operation, the only other thing you need
to periodically check with nvme-cli is 'nvme sanitize-log /dev/nvme0'
until the operation is done. You probably don't want to reboot the
machine while the sanitize operation is in progress.
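
The two checks the reply describes (does the device support the chosen sanitize action, and is the operation done yet), as an added example that is not part of the original thread. The helper names are hypothetical, the sample output is constructed, and the parsers assume nvme-cli's plain-text "name : value" output; the SANICAP and SSTAT bit meanings are taken from the NVMe base specification.

```shell
# Added example, not from the thread. nvme-cli's text layout can vary by version.

# Constructed sample output (not captured from a real drive).
SAMPLE_IDCTRL='vid       : 0x144d
sanicap   : 0x60000003'
SAMPLE_SANLOG='Sanitize Progress                      (SPROG) :  32768
Sanitize Status                        (SSTAT) :  0x2'

# Print the value of the first "name : value" line matching $1 (text on stdin).
field() { awk -F: -v k="$1" '$0 ~ k { gsub(/[ \t]/, "", $2); print $2; exit }'; }

# supports_action SANICAP ACTION -> exit 0 if the controller advertises it.
# SANICAP bit 0 = crypto erase (-a 4), bit 1 = block erase (-a 2),
# bit 2 = overwrite (-a 3).
supports_action() {
    case "$2" in
        2) mask=2 ;; 3) mask=4 ;; 4) mask=1 ;; *) return 2 ;;
    esac
    [ $(( $1 & mask )) -ne 0 ]
}

# sstat_state SSTAT -> decode the low 3 bits of Sanitize Status.
sstat_state() {
    case $(( ${1:-0} & 7 )) in
        0) echo never-sanitized ;;
        1) echo completed ;;
        2) echo in-progress ;;
        3) echo failed ;;
        4) echo completed-no-deallocate ;;
        *) echo unknown ;;
    esac
}

# SPROG counts in 1/65536ths of the whole operation.
sprog_percent() { echo $(( ${1:-0} * 100 / 65536 )); }

# Poll the controller until the sanitize leaves "in-progress".
# Hypothetical helper; run as root: wait_for_sanitize /dev/nvme0
wait_for_sanitize() {
    while :; do
        log=$(nvme sanitize-log "$1") || return 1
        state=$(sstat_state "$(printf '%s\n' "$log" | field SSTAT)")
        pct=$(sprog_percent "$(printf '%s\n' "$log" | field SPROG)")
        echo "$1: $state (${pct}%)"
        [ "$state" = in-progress ] || break
        sleep 10
    done
    [ "$state" = completed ] || [ "$state" = completed-no-deallocate ]
}
```

On a live system the support check would read `nvme id-ctrl /dev/nvme0 | field sanicap` before step 4, and a "failed" state is the case the "Exit Failure Mode" action exists to acknowledge.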

