#!/bin/bash
# This script uses hdparm to determine whether a drive can be secure-erased
# and, if so, runs the secure erase. It takes the drive's device node as an
# argument and returns:
# 0: OK
# 1: Drive should be erased manually
# 2: ERROR(Drive is locked)
# If the erase command itself fails, hdparm's exit status is passed through
# unchanged.
# Note that we aren't checking for freezing because it shouldn't happen on a
# raspi.
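# Default to the normal ATA security erase; the enhanced-erase check further
# down may replace this with --security-erase-enhanced.
erase_mode="--security-erase"

# Target device node, taken from the first positional argument. ${1:-} keeps
# a missing argument from becoming an unset-variable error under `set -u`.
drive=${1:-}

# Every hdparm call in this script either changes the drive's security state
# or erases it, so stop before the first one when no existing device node was
# given. Exit code 1 is the script's "erase manually" result, which is what a
# missing or bogus argument ended in before as well (hdparm -I printed no
# "Security:" section).
if [[ -z "$drive" || ! -e "$drive" ]]; then
  printf '%s: no such device node: %s\n' "${0##*/}" "$drive" >&2
  exit 1
fi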
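#######################################
# Capture the "Security:" section of `hdparm -I` for the target drive.
# Globals:   drive (read), sec (written; left empty when nothing matched)
# Arguments: none
# Returns:   pcregrep's exit status: 0 when a "Security:" section was found,
#            non-zero otherwise. hdparm's own status is not inspected; a
#            failing hdparm simply produces no matching text.
#######################################
readSecurity() {
  # "$drive" is quoted so a device path containing whitespace or glob
  # characters reaches hdparm as exactly one argument.
  # The multi-line pattern grabs the "Security:" heading plus every following
  # tab-indented line.
  sec=$(hdparm -I "$drive" | pcregrep -M "^Security:.*(\n\t.*)*")
  # A plain assignment keeps the status of its command substitution, which is
  # the status of the last pipeline stage (pcregrep).
  return $?
}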
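# Step 1: the drive must advertise the ATA security feature set at all.
# Without a "Security:" section the caller has to fall back to a manual erase.
if readSecurity; then
  echo "Security Supported"
else
  echo "Security not supported."
  exit 1
fi
echo "$sec"

# Step 2: security already enabled. The status lines in $sec are matched by
# their leading tabs: "\t\t<state>" means the state is set, "\tnot\t<state>"
# means it is not. An enabled drive is presumably the leftover of an earlier,
# interrupted run of this script, so try to disable it with the same fixed
# password. NOTE(review): this runs before the DRY_RUN check below, so a dry
# run can still change the drive's security state here.
if grep -q -P "^\t\tenabled" <<<"$sec"; then
  echo "Security enabled. Attempting to disable."
  if hdparm --user-master u --security-disable "password" "$drive"; then
    echo "Disabled Successfully"
    # Update $sec for the next group of ifs. The status is deliberately not
    # checked: an empty $sec falls through to the "Weird Drive" branch below.
    readSecurity
  else
    echo "Disable failed."
    exit 1
  fi
fi

# Step 3: the drive must report "not locked" before an erase is attempted.
if grep -q -P "^\tnot\tlocked" <<<"$sec"; then
  echo "Drive is Not Locked"
elif grep -q -P "^\t\tlocked" <<<"$sec"; then
  echo "Weird drive(locked but security disabled)"
  # Half-hearted attempt to unlock the drive. If we're at this line and the
  # drive is locked, there's something wrong.
  if hdparm --user-master u --security-unlock "password" "$drive"; then
    # Unlocked, but security could not be disabled earlier: use the fallback.
    exit 1
  else
    # Still locked with a password this script does not know.
    exit 2
  fi
else
  # This is here because of a drive that reports that it supports secure
  # erase, but not security. Just use a fallback in that case.
  echo "Weird Drive(not locked or unlocked)"
  exit 1
fi

# Step 4: pick the erase mode. The capability line contains "enhanced erase"
# whether or not the feature is present; only the "\tnot\t" prefix tells the
# two apart, so lines starting with "\tnot\t" are excluded. Matching the bare
# phrase would select --security-erase-enhanced on drives that lack it.
if grep -q -P "^\t(?!not\t).*enhanced erase" <<<"$sec"; then
  echo "Enhanced Security Erase Supported"
  # USE_ENHANCED_ERASE comes from the environment (see PiBAN.conf); unset or
  # empty counts as 0.
  if (( ${USE_ENHANCED_ERASE:-0} )); then
    erase_mode="--security-erase-enhanced"
    echo "Enhanced Security Erase will be used. See PiBAN.conf"
  else
    echo "Enhanced Erased supported but not enabled. See PiBAN.conf"
  fi
fi

# Step 5: erase, unless this is a dry run (DRY_RUN unset or empty counts as 0).
if (( ${DRY_RUN:-0} )); then
  ret=0
  echo "DRY RUN OF SECURE_ERASE COMPLETED"
else
  # Enable security with a fixed, throwaway user password; the erase command
  # requires one to be set. If the run is interrupted between here and the
  # disable below, the drive may stay security-enabled with the password
  # "password"; step 2 of the next run retries the disable with it.
  if hdparm --user-master u --security-set-pass "password" "$drive"; then
    # Run our secure-erase
    sleep 1
    hdparm --user-master u "$erase_mode" "password" "$drive"
    ret=$?
  else
    # Keep hdparm's status and skip the erase: without the password in place
    # the erase command cannot succeed.
    ret=$?
    echo "Setting the erase password failed. Erase not attempted."
  fi
  # Disable security Just-in-case.
  # We really don't care what happens here as long as the command runs. No
  # need for logging
  hdparm --user-master u --security-disable "password" "$drive" &> /dev/null
fi

# 0 for a dry run or a successful erase; otherwise the failing hdparm call's
# own exit status, which is not remapped onto the documented 1/2 codes.
exit $ret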