How to Secure erase devices attatched to LSI HBA

[stu2000]

---

Dear all,
I discovered how to secure erase drives using hdparm which is incredibly useful. However, it appears that the commands dont work when the drives are plugged in using the LSI SAS 9201-16e HBA. I get the following output:
"HDIO_GET_IDENTITY failed: Invalid argument"


Does anyone know if there is something i can download to get the HBA to trigger a secure erase? MegaRaid keeps popping up everywhere, but I'm not sure I can use that CLI as this does not support RAID and is just an HBA.

(getting information with smartctl works, but cant trigger secure erase with that.)

Stu

[mobaus]

having same issue, any news from your end? cheers.

[stu2000]

Unfortunately not. LSI have been in contact with me a few times. It doesn't appear that they support secure-erase. You can easily find out what drives are plugged in by using the SAS2IRCU exe that comes on the cd that comes with the product (but is not on their website for some reason). They talk about 'instant secure-erase' available on drives plugged into their megaraid card, but I'm seriuosly dubious about that. I dont doubt that it would be hard/impossible to retrieve data from, but there are other benefits to running a proper hdparm secure erase other than making the data unreadable, such as restoring an SSD to peak performance.

[stu2000]

Hey all,
Still having the same issue, but running centos 6 and the hdparm commands seem to be working now but still can't get the secure erase command to run.
The following commands work and run correctly (sdx is an example drive):

Code:

sudo hdparm -I /dev/sdx
sudo hdparm --user-master u --security-set-pass p /dev/sdx

Unfortunately when I run:

Code:

sudo hdparm --user-master u --security-erase p /dev/sdx

It states that it is passing the argument and after a while returns with:

Code:

Issuing SECURITY_ERASE command, password="p", user=user
SECURITY_ERASE: Invalid exchange

The drives are still connected through a HBA (LSI) and using sas2ircu program I can query information but there is no command for secure erasure. Can someone confirm my theory that the hba causes the 'invalid exchange' and the only way to perform a secure erase if for the drive to be connected directly to the motherboard sata port and not an HBA.

[stu2000]

Ok so the issue is the hdparm version
In Centos 6 it is version 9.16 (hdparm -V)

You need 9.31 or later to run hdparm secure erase requests through 'intelligent devices' such as firewire, usb, or an HBA.

Installing ubuntu and running the same commands worked for me because it has a much later version of hdparm. The nice thing is that ubuntu automatically supported the hba too right from a live cd.

Found out by reading this paragraph:

DISCLAIMER: The security-erase command is a single command which typically takes minutes or hours to complete, whereas most ATA commands take milliseconds, or seconds to complete. Whilst drives directly attached to a straight-forward SATA controller should work reliably, some "intelligent" interfaces such as USB or firewire to PATA/SATA bridges, SAS controllers or hardware RAID controllers may try to reset devices which they have decided are no longer responding. They may also decide that locked devices are faulty, and hence not provide any access to them in order to issue unlock commands. Such devices may still be unlocked by connecting them directly to a different SATA interface. Additionally, hdparm versions prior to 9.31 do not pass-through the long command time-outs required for the erase commands to the SCSI-ATA Command Translation ("SAT") layer which such devices use. Do not use versions of hdparm prior to 9.31 with such interfaces.

Source