Score:1

PercCLI64 secure erase


I have an SSD, Kioxia model KRM6VRUG1T92, in a Dell server with a PERC H730P that has the following policies as shown by `perccli64 /c0/e32/s0 show all` under Linux:

```
FDE Type = None
SED Capable = Yes
SED Enabled = No
Secured = No
Cryptographic Erase Capable = Yes
Sanitize Support = Not supported
```

Looking through the available commands for securely wiping the drive, I see three possible commands. `perccli64 /c0/e32/s0 secureerase force` works on this drive, but `start erase crypto` fails with `Start Drive erase is not allowed`, and `start sanitize cryptoerase` returns `Sanitize is not supported on this controller`.

The three possible commands:

```
NAME: Drive Instant Secure Erase

SYNTAX: perccli /cx[/ex]/sx secureerase [force]

DESCRIPTION: This command erases the drive's security configuration and securely
erases data on a drive.
OPTIONS:
    force - Use the force option as a confirmation to erase.
```

```
NAME: Securely erases non-SED Drives

SYNTAX: perccli /cx[/ex]/sx start erase
        [simple| normal| thorough| standard| threepass | crypto]
        [patternA=<val>][patternB=<val>]

DESCRIPTION: Securely erases non-SED drives with specified erasepattern(s).
OPTIONS:
    simple| normal| thorough| standard| threepass- erase types
    simple      -   Single pass, single pattern write
    normal      -   Three pass, three pattern write
    thorough    -   Nine pass, repeats the normal write 3 times
    standard    -   Applicable only for DFF's
    threepass   -   Three pass, pass1 random pattern write, pass2,3 write zero, verify
    crypto  -   Applicable only for ISE capable drives
    PatternA|PatternB - an 8-Bit binary pattern to overwrite the data.
```

```
NAME: Sanitize the Drives

SYNTAX: perccli /cx[/ex]/sx start sanitize
            < cryptoerase| overwrite| blockerase > [ause]

DESCRIPTION:  Sanitize drives with specified pattern(s).
OPTIONS:
    sanitize types:
    cryptoerase -   Keys gets corrupted on the drive.
    overwrite   -   Overwritten by all zero's.
    blockerase  -   Data is cleared by the drive.
    ause        -   Allow Unrestricted Sanitize Exit.
```

What is the difference between these three methods, and what drive or controller characteristics need to be present to run them?

petiepooo
I should note that the other erase options like `start erase normal` also work, but are not ideal for SSDs. There's also `blkdiscard --secure` if the device is present in /dev.
Score:3

(Required note: I work for Dell)

This is the table of what happens when you run a sanitization on the iDRAC and gives you an idea of what is supported on the various drives:

[Image: table of iDRAC sanitization behavior by drive type]

Regarding your question:

Your drive is a SED drive. Worth noting that Dell now only sells SED drives for PowerEdge.

The answer to your question

All three commands are different ways to delete the keys to the SED drive, but not all of them are supported on all drives. Moving forward, different drives support commands for deleting the SED keys, but that's how pretty much all of them work now.

You can see what your drives support with `racadm storage get pdisks -o -p SystemEraseCapability`

When you run this procedure the lifecycle controller will just pick the right command and run it for you.

Some interesting but only pseudo-related information

As the table mentions, under the hood, not all drives support the same commands. That's something I learned after getting to Dell; the differences between drives can get wicked complicated and Dell puts enormous effort into abstracting that from the user.

When you go look at perccli though, you start to see some of it. As the NVMe row mentions in the table, only newer drives support sanitize, so what you're seeing is that Kioxia's underlying firmware doesn't support that command, so when the PERC goes to issue it the drive tells it to get lost. Dell, along with all the other OEMs, runs custom drive firmware... kind of. Companies like Dell and HPE work with manufacturers to take the manufacturer's base firmware and then extend the functionality for the OEM in question. For example, Dell has iDRAC integrations; that's why you can take a non-Dell branded drive and put it in a Dell server and it runs just fine. Drive protocols are drive protocols (SAS/NVMe etc), but the drive won't have our firmware on it to make it play nicely with iDRAC along with all the other stuff we do during drive qualification.
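
An added example, not part of the original question or answer and not Dell's code: a shell pre-check that reads the policy fields quoted in the question and lists which of the three erase commands are worth attempting before a drive is decommissioned. The mapping from fields to commands is an assumption inferred from the help text and the results reported in the question, and `field` and `erase_candidates` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list which perccli erase commands are worth attempting,
# from the policy fields printed by `perccli64 /cx/ex/sx show all`.

# Constructed sample: the six policy lines quoted in the question.
SAMPLE_POLICY='FDE Type = None
SED Capable = Yes
SED Enabled = No
Secured = No
Cryptographic Erase Capable = Yes
Sanitize Support = Not supported'

# field NAME: read "Key = Value" lines on stdin, print the value for NAME.
field() {
    awk -v key="$1" '{
        i = index($0, " = "); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 3)
        gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# erase_candidates TEXT: print one "command: verdict" line per erase method.
erase_candidates() {
    sed_cap=$(printf '%s\n' "$1" | field "SED Capable")
    ce_cap=$(printf '%s\n' "$1" | field "Cryptographic Erase Capable")
    sanitize=$(printf '%s\n' "$1" | field "Sanitize Support")
    # Assumption: secureerase needs a drive that can discard its media key.
    if [ "$sed_cap" = "Yes" ] || [ "$ce_cap" = "Yes" ]; then
        echo "secureerase: candidate"
    else
        echo "secureerase: skip"
    fi
    # Assumption: the help heading "non-SED Drives" is why the question's
    # SED-capable drive refused `start erase crypto`.
    if [ "$ce_cap" = "Yes" ] && [ "$sed_cap" != "Yes" ]; then
        echo "start erase crypto: candidate"
    else
        echo "start erase crypto: skip"
    fi
    # The question shows sanitize refused when this field is "Not supported".
    case "$sanitize" in
        ""|"Not supported") echo "start sanitize cryptoerase: skip" ;;
        *) echo "start sanitize cryptoerase: candidate" ;;
    esac
}

erase_candidates "$SAMPLE_POLICY"
```

On a live system the same function can take `"$(perccli64 /c0/e32/s0 show all)"` as its argument; a "candidate" verdict only means the flags do not rule the command out.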
