PSID Revert and Secure Wipe of a Drive (SSD/HDD)

Introduction

Windows Installation Media performs a FORMAT of your internal drive(s) during installation which differs from a WIPE.

  • FORMAT → Assigns Old Data to Free Space. Old Data is still present on the Drive and can be read by third party programs.
  • WIPE → Assigns Old Data to Free Space and then overwrites it with Zeros making it unrecoverable by third party programs.
Example of a Format. Note that the "111" represents old data which has been assigned to free space. If this was malware or a virus, it would have the potential to reinfect your new Windows install. If this was sensitive data and you are selling your computer second hand, it could be recovered using third party programs.
This illustrates the difference between a Format and a Wipe. It is an example of the basic algorithm that is used to wipe a HDD sequentially, bit by bit. SATA/mSATA SSDs which use Sanitize, or M.2 NVMe SSDs which use NVMe Secure Erase, have a designed mechanism to flush out data from all SSD cells simultaneously, greatly reducing the time to wipe an SSD.
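The difference between a Format and a Wipe can be shown with a toy model. This is an added example, not part of the original guide: ToyDrive, quick_format, wipe and recover are hypothetical names, and the model only mirrors the sequential overwrite of a HDD, not the controller commands an SSD uses.

```python
BLOCK = 16  # bytes per block in this toy model

class ToyDrive:
    """Constructed model: raw blocks plus a file table (name -> block indexes)."""
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.table = {}

    def write_file(self, name, data):
        used = {i for idx in self.table.values() for i in idx}
        free = [i for i in range(len(self.blocks)) if i not in used]
        chunks = [data[o:o + BLOCK] for o in range(0, len(data), BLOCK)]
        if len(chunks) > len(free):
            raise ValueError("not enough free space")
        for i, chunk in zip(free, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\0")
        self.table[name] = free[:len(chunks)]

    def quick_format(self):
        # FORMAT: forget which blocks belong to files; block contents untouched.
        self.table = {}

    def wipe(self):
        # WIPE: visit every block in order and overwrite it with zeros.
        for i in range(len(self.blocks)):
            self.blocks[i] = bytes(BLOCK)
        self.table = {}

def recover(drive):
    """What a recovery tool sees: raw non-zero blocks, ignoring the file table."""
    return b"".join(b.rstrip(b"\0") for b in drive.blocks if any(b))

def demo():
    d = ToyDrive(8)
    d.write_file("old_data", b"1" * 48)      # three blocks of "111..."
    d.quick_format()
    after_format = recover(d)                # old data still readable
    d.write_file("new_install", b"W" * 16)   # reuses only the first block
    after_reinstall = recover(d)             # two old blocks survive
    d.wipe()
    return after_format, after_reinstall, recover(d)

if __name__ == "__main__":
    for label, raw in zip(("format", "reinstall", "wipe"), demo()):
        print(f"after {label}: {raw!r}")
```

Only the wipe leaves nothing for the raw scan to find; a reinstall after a format overwrites just the blocks the new files happen to reuse.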

In this guide we will use either the inbuilt Data Wipe Utilities within the Dell and Lenovo UEFI BIOS (if included in your UEFI BIOS Setup) or alternatively Parted Magic to perform a Secure Wipe of an internal drive on an older computer which doesn't have native data wipe features.

A wipe is recommended if reinstalling Windows due to a malware/virus issue or of course if selling your computer on as a second hand machine.

Parted Magic is a Linux based Bootable USB which has a wide assortment of utilities included although we are only interested in using Secure Erase and Physical Security Identification Revert in this guide. In essence we can Boot to this USB outwith Windows to perform a Secure Wipe of all Internal Drives and then Clean Install Windows.

Data Wipe from Dell UEFI BIOS Setup (Traditional)

Most Dells that support Dell Data Wipe have the traditional UEFI BIOS setup as displayed below. Dell experimented with a touchscreen UEFI BIOS setup on the XPS 9350/9360 and 9365 but users preferred the traditional user interface so newer models also use the traditional UEFI BIOS Setup.

You can usually determine the type of drives you have in your system using the UEFI BIOS Setup. Power down your Dell. Then power it up and press [F2] to get to the UEFI BIOS Setup.

Press the [↓] arrow until you get to System Information and then press [Enter].

Here in Device Information, we can see there is a drive in SATA-0 and in M.2 and we hence know we have a SATA interface and a M.2 interface in this system.

There is also a System Configuration field. This can be expanded by pressing [Enter].

There is a sub field called Drives. Highlighting this shows that the drive in SATA-0 is a Crucial CT240M500SSD1 and in M.2 is a Samsung MZVPW256HEGL-000L7.

Newer Dell Business Models also have a Maintenance tab which, when expanded, shows a Data Wipe option. The Data Wipe within the UEFI BIOS will allow you to carry out a Secure Wipe of your Internal Drives without third party utilities.

Power down your Dell. Then power it up and press [F2] to get to the UEFI BIOS Setup.

If your UEFI BIOS doesn't look like the above you may have alternative screens if using a Touchscreen Laptop.

Press the [↓] arrow until you get to System Information and then press [Enter].

If you have an older system without Dell Data Wipe you'll need to use Parted Magic to perform a Secure Wipe.

Check Wipe on Next Boot:

Select OK to perform the Data Wipe – this will clear the data from all internal storage devices:

To proceed you will need to select No at the dialogue which asks Do you want to cancel this operation:

Now to the bottom right, select Exit:

The UEFI BIOS splash screen will display:

You’ll be taken to Dell Security Manager. Again it will ask you if you want to cancel, with the default setting set to cancel:

Use the [←] arrow to highlight Continue and press [Enter]

It will warn you one last time, with the default option being set to cancel:

Press the [→] arrow and highlight [Erase] and then press [Enter]:

It will now start to erase the internal drives.

This will take a couple of minutes for an SSD and will take several hours for a HDD.

When it is done, it will tell you Data Wipe Completed Successfully. Press [OK].

If you get an unsupported error message, your drive may not support Sanitize if it is an old (<2013) SSD. However, in this case the SSD is supported but BitLocker has been enabled on this drive and has encrypted it. The PSID needs to be unlocked using Parted Magic in order to proceed.

Your computer will now have No Operating System on it. You'll need to install either Windows or Linux from a Bootable USB.

Data Wipe from Dell UEFI BIOS Setup (XPS 9350/9360 and 9365)

You can usually determine the type of drives you have in your system using the UEFI BIOS Setup. Power down your Dell. Then power it up and press [F2] to get to the UEFI BIOS Setup.

To the left hand side touch select General and System Information:

Check your UEFI BIOS Version is up to date as there have been numerous fixes for Dell Data Wipe. At the time of writing this is Version 2.11.0 for the XPS 13 9365:

There is a dependency on the SATA Operation. An issue I found is that Dell Data Wipe for some reason only works if it is set to RAID; otherwise it hangs on the Dell logo. Select SATA Operation:

Change to RAID:

Accept the Warning:

Now select the Maintenance Tab:

Check Start Data Wipe:

Select OK:

Select No (at the negative question):

Select Apply:

Select OK:

Select Exit BIOS:

Your computer should reboot and you should see the Dell Logo. If the SATA Operation is AHCI it appears to hang here. If the SATA Operation is RAID, the Dell Data Wipe prompts display:

Select Continue:

Select Erase:

Dell Data Wipe will now Securely Erase all Internal Drives. This will take a couple of minutes for an NVMe or SATA SSD and at least several hours for a HDD:

Select OK:

Your computer will now have No Operating System on it and automatically boot into diagnostics (which can be cancelled).

Power it up and press [F12] to get to the UEFI BIOS Boot Menu. Your Bootable USB should display. If anything else displays, such as a Machine Owner Key from an old Linux installation (as in this case), it can be removed by entering the UEFI BIOS Setup. In the General tab, select Boot Sequence:

Scroll down:

Select Remove Boot Device:

Check any items apart from your Bootable USB and select Remove selected Devices:

Select System Configuration and select SATA Operation:

Change the setting back to AHCI if you changed it earlier:

Select Yes:

Select Apply:

Then OK:

Then Exit:

Press [F12] when powering up to enter the UEFI Boot Menu again. Select your Bootable USB and install your OS:

Data Wipe from Lenovo UEFI BIOS Setup

Power up your Lenovo and press [F1] to get to the UEFI BIOS Setup.

You will be on the main tab by default. Press [→] until you get to Security then press [↵]:

Select Hard Disk Password. Although Lenovo call these settings "Hard Disk", they also relate to Solid State Drives.

Press [↓] until you get to (Hard Disk) Drive Password and press [↵]:

In this screen look for Security Erase (HDD) Data. If you do not have this option, your system may be too old to support Data Wipe from the UEFI BIOS and you will have to use a third party utility like Parted Magic instead.

Press [↓] until you get to Security Erase (HDD) Data.

Unfortunately the Lenovo Data Wipe requires one to set up a temporary Hard Drive Password.

Setting a Drive Password will lock the drive at the drive firmware level and there is some risk in doing so. If you set a password and the password is forgotten you will never be able to use the drive again.

Press [↑] until you get to SM.2 Drive Password and press [↵].

You have the option to set a User only password or a User + Master Password.

The first is designed for a User Only in which case the user would have full admin access to perform a data wipe.

The latter is designed for a company with a large IT department. The IT department would have the Master password to unlock the device and to perform a data wipe.

Select [User] and press [↵].

Input a basic password; in this case I will use the letter a:

Confirm the password:

Select [Continue]:

Press [F10] to save and Exit. Highlight [Yes] and press [↵]:

Your computer will restart:

You will be prompted for your password as your computer begins to reboot. If you have a master password set you can press [F1] to switch to the master user.

In this case, the user password a will be input.

As soon as the user password is input press [F1] to get to the UEFI BIOS Setup. You will be on the Main tab. Press [→] until you get to Security and press [↵]:

Press [↓] until you highlight (Hard) Disk Password and press [↵]:

Then press [↓] until you get to Security Erase (HDD) SSD Data and press [↵]:

Select Erase NVMe Slot 1 Data and press [↵]:

Highlight [Yes] at the confirmation dialog and press [↵]:

Input your User Password and press [↵].

If a user and a master password are set it may only ask for the master password, so you will need to know the master password.

The Secure Erase will be performed and the Drive password will be removed.

Select [Continue] and press [↵]:

It should then show an error stating no Operating System found. This is because your internal drives are blank.

Your computer will now have No Operating System on it. You'll need to install either Windows or Linux from a Bootable USB.

Purchase and Download Parted Magic

Parted Magic is commercial software and costs quite a lot to develop, keep up to date and obtain a digital certificate from Microsoft to Pass Secure Boot. The installation iso costs ~$11. It can be downloaded using the affiliate link below.

Once purchased you will receive a Download Link to the ISO.

Make a Bootable USB (UEFI and Secure Boot)

To make a Bootable USB, you will need to use Rufus:

Double click the Rufus application:

Accept the User Account Control Prompt:

Your USB Flash Drive should populate at the top.

In the next screen, select "select":

Select your Parted Magic ISO and then select Open:

Your ISO name will populate at the bottom:

Use the default sensible Volume Label:

Before using the ISO, select the ISO checksums button.

The MD5 should match those provided on your download link:

If it does not, you have a corrupt ISO; reattempt the download:

The Partition Scheme, Target System and File System will be set up to work for all computers (Legacy BIOS and UEFI BIOS). There is no need to use GPT as Parted Magic is not going to be installed to a drive but just run as a Live USB.

Select Start:

In the next screen, select Write in ISO Image Mode and select OK:

You will get a warning that you will format your USB Flash Drive. Select OK.

When Rufus is finished making the Bootable USB, it will say "Ready". You may now close Rufus.

Booting from the Parted Magic Bootable USB

Insert your Bootable USB into the computer which you wish to securely wipe and ensure that it is powered down. Then power it up and press [F12] to get to the Boot Menu.

If using a computer manufactured after 2012, the Boot Mode should be set to UEFI and Secure Boot should be On (if not these settings can be amended in the UEFI BIOS setup). If using a computer older than 2011 you will just have a Legacy BIOS and the screen will not mention UEFI.

Press [↓] until you highlight your Bootable USB and press [Enter].

Select Default Settings 64 (Runs from RAM):

You will see some information display as Parted Magic Loads:

Next you will be prompted to select your Time Zone. You can either select it and select OK or close this dialogue:

In this guide, we are interested only in Erase Disk.

Double click it to launch it:

Secure Erase / Sanitize / NVMe Secure Erase

Parted Magic has different Secure Erase Routines.

These are:

  • "Secure Erase" is generally used with older mechanical Hard Drives (HDDs), which are either in the 3.5" or 2.5" format, as well as Hybrid Solid State Drives (HSSDs). This routine will manually write zeros to each segment on these drive types and is time consuming.
  • "Sanitize" is the method designed for wiping 2.5" Solid State Drives. If using a 2.5" SSD such as the Crucial M500, BX or MX series or the Samsung 830, 840, 850 and 860 series or the WD Blue SSD and WD Green SSD, Sanitize should be used in preference to Secure Erase. This routine will remove the mapping routine and zero all data of the SSD.
    • Early generations of SSDs manufactured before 2014, such as the Crucial M4, V4 or Samsung 470, were built before Sanitize was created and as a result Sanitize unfortunately cannot be used on them. Secure Erase will remove the mapping scheme of the SSD; all data on the SSD will remain, however it will be scrambled and extremely difficult to decipher without the mapping routine.
  • "M.2 Secure Erase" will remove the mapping routine and all data from the SSD. The M.2 interface is newer and all M.2 SSDs support the NVMe Secure Erase.

If unsure of your drive type and the features it supports, see if your drive populates under "M.2 Secure Erase" first, and if not check "Sanitize", and if not check "Secure Erase".
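For a SATA drive, the same decision (Sanitize if supported, otherwise Secure Erase, with the Frozen state this guide covers in the Secure Erase section) can be read from the drive's own capability report. This is an added example, not part of the original guide or of Parted Magic: it assumes the hdparm tool is available in your live environment, the sample reports are constructed, and security_flags and choose_routine are hypothetical helper names. NVMe drives are not covered.

```python
import re

# Constructed, trimmed stand-ins for `hdparm -I /dev/sdX` output; real output
# is longer, tab-indented, and varies by drive and hdparm version.
NEWER_SSD = """\
Commands/features:
       *    SANITIZE feature set
       *    BLOCK_ERASE_EXT command
Security:
            supported
    not     locked
    not     frozen
"""
OLDER_DRIVE_FROZEN = """\
Commands/features:
       *    SMART feature set
Security:
            supported
    not     locked
            frozen
"""

def security_flags(report):
    """Map each line of the 'Security:' section to True, or False if 'not'."""
    flags, in_section = {}, False
    for line in report.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line[:1].isspace() and line.split():
            words = line.split()
            negated = words[0] == "not"
            # Drop the leading "not" (negated is 0 or 1) to get the flag name.
            flags[" ".join(words[negated:])] = not negated
        elif in_section:
            break                      # next top-level section (or blank line)
    return flags

def choose_routine(report):
    """Hypothetical helper: which routine from the list above applies."""
    if re.search(r"^\s*\*\s+SANITIZE feature set", report, re.M):
        return "sanitize"
    flags = security_flags(report)
    if not flags.get("supported"):
        return "unsupported"
    # A frozen drive rejects the erase command until it leaves that state
    # (the guide uses Sleep for this).
    return "unfreeze" if flags.get("frozen") else "secure-erase"
```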

M.2 NVMe Secure Erase

If attempting to use the NVMe Secure Erase on an M.2 SSD and you get the error message No NVMe Devices Detected, it may be because your NVMe is set up as an SSD Cache Drive.

To rectify this, power down your system. Then power it up and press [F2] to enter the Dell UEFI BIOS Setup.

Press the [↓] key until you get to System Configuration:

Press [Enter] to expand it:

Press the [↓] key until you get to SATA Operation:

If you want to reinstall Windows using a HDD with an SSD Cache Drive, note your original SATA Operation.

Although, as mentioned, I recommend replacing it with a larger M.2 SSD which you can clean install Windows 10 on directly (if so use AHCI).

Change your SATA Operation to AHCI, so the SSD Cache Drive can be accessed by Parted Magic.

Then accept any dialogue boxes to proceed with the change:

Select Apply:

Then select OK.

Then Exit:

If your SATA Operation is AHCI and you have an NVMe SSD it should display in the NVMe Secure Erase:

Check your NVMe SSD and verify then select Continue:

You will be presented with a confirmation dialogue.

Check "I allow this utility to erase the listed device(s)" and then select Start Erase:

Parted Magic will then Secure Erase (zero the data and zero the mapping table) the NVMe SSD:

It will then verify that the operation has been successful:

You can then view the log:

Close the log when finished:

SATA/mSATA SSD Sanitize

If using the SATA/mSATA SSD Sanitize your SSD should display in this menu. If it does not you may need to try a PSID Revert or if it is an early SSD it might not support this wiping routine and you will need to use Secure Erase instead.

Check your SATA/mSATA SSD and verify then select Continue:

You will be presented with a confirmation dialogue.

Check "I allow this utility to erase the listed device(s)" and then select Start Erase:

Parted Magic will then Sanitize (zero the data and zero the mapping table) the SATA/mSATA SSD:

It will then verify that the operation has been successful:

You can then view the log:

Close the log when finished:

HDD/HSSD/Early SSD Secure Erase

If using the SATA/mSATA SSD Secure Erase your SSD should display in this menu. If it does not you may need to try a PSID Revert.

If your SATA/mSATA SSD displays as Frozen you will be unable to check it.

In such a case select Sleep.

This will take it out of a Frozen state:

Check your SATA/mSATA SSD or HDD and verify then select Continue:

You will be presented with a confirmation dialogue.

Check "I allow this utility to erase the listed device(s)" and then select Start Erase:

Parted Magic will then Secure Erase (zero the mapping table) the SSD or write zeros to a HDD or HSSD.

It will take a few minutes for an SSD but it will take hours on a HDD or HSSD due to the speed of the drive and the wiping routine.

It will then verify that the operation has been successful:

You can then view the log:

Close the log when finished:

Physical Security Identification (PSID) Revert

If your Drive has been encrypted, for example if Windows 10 Pro BitLocker is used, you may be unable to access all data on the drive to wipe it. In order to wipe it, you will need to unlock the drive using the Physical Security ID. Parted Magic has incorporated suggestions made in these guides to make this as easy as possible on the software side.

However unlocking the PSID unfortunately requires one to look at the label of the Solid State Drive to obtain the PSID and this is far easier to do in some computers than in others.

It is advised to take a picture of your PSID with your phone and read from it:

Type in your PSID without any spaces or dashes (–) and then select Unlock.

If correct and unlocked it will display in green (if wrong it will display in red).

Once the PSID is unlocked, try using the NVMe Secure Erase/Sanitize/Secure Erase routine again.