How To Secure Erase ESXi Disks (HPE or Generic Hardware)

If you want to verify that there is no data left on the device, use the od command. The following example is from a disk that contains valid partitions and data:

# od -b /dev/disks/t10.NVMe_Samsung_SSD_960_EVO -N 1000 -v
0000000 372 061 300 216 330 216 320 274 000 174 211 346 006 127 216 300
0000020 373 374 277 000 006 271 000 001 363 245 352 037 006 000 000 122
0000040 122 264 101 273 252 125 061 311 060 366 371 315 023 162 023 201
0000060 373 125 252 165 015 321 351 163 011 146 307 006 107 007 264 102
0000100 353 023 132 264 010 315 023 203 341 077 211 345 121 017 266 306
0000120 100 367 341 122 120 146 061 300 146 231 100 273 000 174 123 350

An empty disk should look like this. The output is omitted the * indicates that there a duplicate line, which means all data on the drive is zero.

# od /dev/disks/t10.NVMe____Samsung_SSD_950_PRO 
0000000 000000 000000 000000 000000 000000 000000 000000 000000
*

HPE Gen 8 or later

HPE Gen 8 or later Raid Controllers have a Secure Erase feature that allows Industry-standard disk sanitation. It's important to know that erasing SSDs and HDDs isn't the same. Magnetic HDDs can be erased by overwriting every sector. This method is slow and not sufficient for SSDs because they are typically overprovisioned (by having more cells as exposed) which makes it impossible to erase all data. To overcome this issue, the “Security Erase Unit” command has been introduced. The command tells the SSD to apply a voltage spike to all available NAND cells and thus resetting every available block in one operation

Secure Erase can be used from the ESXi console with ssacli when the HPUtil bundle is installed. Either use the HPE-Customized bundle or install it from the HPE Vibs Depot.

Show all available Disks

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl all show config

Smart Array P440ar in Slot 0 (Embedded)
   Unassigned
      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SATA HDD, 4 TB, OK)
      physicaldrive 1I:1:2 (port 1I:box 1:bay 2, SATA HDD, 4 TB, OK)
      physicaldrive 1I:1:3 (port 1I:box 1:bay 3, SATA SSD, 400 GB, OK)
      physicaldrive 1I:1:4 (port 1I:box 1:bay 4, SATA SSD, 400 GB, OK)

Verify that "Sanitize Erase" is supported. This command will also display the estimated time to complete. Thanks to the "Secure Erase Unit" command, deleting SSDs only takes a minute.

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl slot=0 pd 1I:1:1 show |grep -i 'physicaldrive|Sanitize'
      physicaldrive 1I:1:1
         Sanitize Erase Supported: True
         Sanitize Estimated Max Erase Time: 8 hour(s)14 minute(s)

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl slot=0 pd 1I:1:3 show |grep -i 'physicaldrive|Sanitize'
      physicaldrive 1I:1:3
         Sanitize Erase Supported: True
         Sanitize Estimated Max Erase Time: 2 minute(s) 0 second(s)
         Unrestricted Sanitize Supported: True

Start the erase process for HDD (erasepattern=overwrite)

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl slot=0 pd 1I:1:1 modify erase erasepattern=overwrite unrestricted=off forced

Start the erase process for SSD (erasepattern=block)

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl slot=0 pd 1I:1:1 modify erase erasepattern=block unrestricted=off forced

Check the progress

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl all show config |grep "1I:1:1"
      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SATA HDD, 4 TB, Erase In Progress)

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl all show config |grep "1I:1:1"
      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SATA HDD, 4 TB, Erase Complete. Reenable Before Using.)

When the erase process is completed, the disk needs to be re-enabled

# /opt/smartstorageadmin/ssacli/bin/ssacli ctrl slot=0 pd 1I:1:1 modify enableeraseddrive