HDD ATA Security Erase incident (HDD left LOCKED)

Source: Internet  Published: Northeast Agricultural University network login  Editor: 程序博客网  Time: 2024/06/09 12:21

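This whole experience came entirely from my own recklessness, messing around and carelessness. While verifying HDD secure erase, I assumed the system had hung, and that caused the incident. Below we go through ATA Security Erase on an HDD.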

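As a solid-state drive is used, a lot of fragmentation builds up, and as the fragmentation increases the SSD's performance drops considerably. We can use the hdparm command to send the ATA Secure Erase command, which restores the SSD to its initial state and improves its performance.
Usage notes:
1. This operation erases all data on the drive and the data cannot be recovered; back up important data beforehand.
2. Each run counts as one P/E cycle. An SSD has a limited number of P/E cycles, so running this operation too often shortens the SSD's life.
3. The operation is risky: if you hit a bug in the system or in the SSD, the effect may be irreversible.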

Step 1 - Make sure the drive Security is not frozen:

Issue the following command, replacing sdb with the name of your device. Normally, do not pick the system disk.

hdparm -I /dev/sdb

Step 1a - Ensure the drive is not frozen:

Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

If the command output shows "frozen" (instead of "not frozen") then you cannot continue to the next step.

Many BIOSes will protect your drives if you have a password set (security enabled) by issuing a SECURITY FREEZE command before booting an operating system. If your drive is frozen, and it has a password enabled, try removing the password using the BIOS and powering down the system to see if that disables the freeze. Otherwise you may need to use a different motherboard (with a different BIOS).

A possible solution for SATA drives is to hot-(re)plug the data cable (this might crash your kernel). If hot-(re)plugging the SATA data cable crashes the kernel, try letting the operating system boot fully, then quickly hot-(re)plug both the SATA power and data cables.

  • It has been reported that hooking up the drive to an eSATA SIIG ExpressCard/54 with an eSATA enclosure will leave the drive security state to "not frozen".
  • Placing my system into "sleep" (suspend to RAM) worked too, and this may reset other drives to "not frozen" as well. This has worked on PCs from various manufacturers including Dell, Lenovo, and Clevo. Many Live distributions can be suspended to RAM for this purpose:
    echo -n mem > /sys/power/state
  • Users have also reported that IDE drives may be unfrozen by plugging an IDE cable into a CD-ROM first, booting your system and then moving the IDE cable to the drive in question. This will allow you to bypass "SECURITY FREEZE" commands sent by the BIOS and your OS. Be aware that IDE cables are not hot-pluggable and this technique carries even higher risks; under no circumstances should you connect, disconnect or swap the power cables of an HDD or CD-ROM while your PC is on.

Step 2 - Enable security by setting a user password:

WARNING: When the user password is set the drive will be locked after next power cycle (the drive will deny normal access until unlocked with the correct password).

Step 2a - Set a User Password:

Any password will do, as this should only be temporary. After the secure erase the password will be set back to NULL. For this procedure we'll use the password "user123".

hdparm --user-master u --security-set-pass user123 /dev/sdb

Step 2a - Command Output:

security_password="user123"

/dev/sdd:
 Issuing SECURITY_SET_PASS command, password="user123", user=user, mode=high

Step 2b - Make sure it succeeded, execute:

hdparm -I /dev/sdb

Step 2b - Command Output (should display "enabled"):

Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.

Step 3 - Issue the ATA Secure Erase command:

time hdparm --user-master u --security-erase user123 /dev/sdb

Step 3 - Command Output:

Wait until the command completes. 

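security_password="user123"

/dev/sdd:
 Issuing SECURITY_ERASE command, password="user123", user=user
0.000u 0.000s 0:39.71 0.0%      0+0k 0+0io 0pf+0w

This is where the incident happened. Because I had not noticed that the erase time was 50 min, I thought the system had hung and forced a power-off. As a result, at the next boot you are prompted to enter the user passwd of the sdb drive. This password is not the security_passwd="user123" that had just been set; three wrong entries left the drive locked. After getting into the OS, I checked the status of sdb.

hdparm -I /dev/sdb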

Security:
        Master password revision code = 65534
                supported
                enabled
                locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.

At this point sdb was locked, and issuing a secure erase had no effect. I searched online for a long time without finding anyone who had run into this situation; in the end I found the answer by reading up on the hdparm command. To clear the password, the drive must first be unlocked. The steps are as follows.

Let's unlock it:

# hdparm --user-master u --security-unlock user123 /dev/sdb
security_password="user123"

/dev/sdX:
 Issuing SECURITY_UNLOCK command, password="user123", user=user

And disable security:

# hdparm --user-master u --security-disable user123 /dev/sdb
security_password="user123"

/dev/sdX:
 Issuing SECURITY_DISABLE command, password="user123", user=user

Now we are fine:

# hdparm -I /dev/sdb
...
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.

The steps below continue from Step 3 and describe the normal case.

Step 4 - The drive is now erased! Verify security is disabled:

After a successful erasure the drive security should automatically be set to disabled (thus no longer requiring a password for access). Verify this by running the following command:

hdparm -I /dev/sdb

Step 4 - Command Output (should display "not enabled"):

Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.

Because I was using a 6T HDD, each P/E takes about 2 hours, so be sure to look carefully at what you are doing, to avoid unnecessary trouble.
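
An added example, not part of the original post: a shell helper that reads the Security section of `hdparm -I` output and reports whether the drive is frozen, locked, enabled or clear, together with the drive's reported erase estimate, so that both the state and the expected wait are known before and after Step 3. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): read `hdparm -I` text on stdin
# and print "<state> <minutes>", where state is frozen|locked|enabled|clear
# and minutes is the reported SECURITY ERASE UNIT estimate (0 if absent).
security_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }          # next top-level section
        !insec              { next }
        {
            val  = ($1 != "not")                   # "not enabled" vs "enabled"
            word = val ? $1 : $2
            if (word == "enabled") enabled = val
            if (word == "locked")  locked  = val
            if (word == "frozen")  frozen  = val
            if ($0 ~ /min for SECURITY ERASE UNIT/) mins = $1 + 0
        }
        END {
            state = "clear"
            if (enabled) state = "enabled"
            if (locked)  state = "locked"
            if (frozen)  state = "frozen"
            print state, mins + 0
        }'
}

# Map the state to the action the procedure above calls for.
next_step() {
    case "$1" in
        frozen)  echo "stop: clear the freeze before any security command" ;;
        locked)  echo "run --security-unlock, then --security-disable" ;;
        enabled) echo "password is set: erase, or --security-disable to back out" ;;
        clear)   echo "ok: security not enabled" ;;
    esac
}

# Constructed sample mirroring the locked output shown in this post.
sample_locked() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\tSecurity level high\n'
    printf '\t50min for SECURITY ERASE UNIT. 50min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

set -- $(sample_locked | security_state)
echo "state=$1 erase_estimate=${2}min -> $(next_step "$1")"
```

On a real system, pipe `hdparm -I /dev/sdb` into `security_state` instead of the sample text.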
