Security engineering

Building a NIST-Compliant Boot-and-Nuke USB Tool: Secure Automated Purge

From BitLocker-specific to universal: How I built an open-source NIST-compliant disk sanitization tool that works on any system

This is Part 2 of my Secure Data Erasure Tools series. Part 1: Introducing the BitLocker Cryptographic Erase Utility: Secure Data Destruction Made Simple

How I evolved from a BitLocker-specific solution to creating a universal disk sanitization tool that automatically detects and securely erases all internal drives

Building a NIST-Compliant Boot-and-Nuke USB Tool: Secure Automated Purge, figure 1

The Problem: Secure Data Destruction at Scale

Last month, I was tasked to arrange a solution securely wiping workstations according to NIST SP 800–88 standards (Purge-level) before disposal. The options were:

  1. Manual commands: Boot each system with Linux, run different commands for different drive types. Time-consuming and error prone.
  2. Surface Data Eraser limited for Microsoft Surface machines, and Lenovo ThinkShield Secure Wipe limited for Lenovo new Gen. machines.
  3. Enterprise tools: Expensive licenses, often require network infrastructure.
  4. Physical destruction: Wasteful when drives could be reused.

Initially, I tackled this by creating a PowerShell-based BitLocker Cryptographic Erase tool. It worked brilliantly for Windows systems with BitLocker enabled, achieving NIST-compliant crypto erase in seconds. But I quickly realized its limitations which one of them it has only worked on Windows machines with BitLocker On.

This led me to think bigger. What I really needed was a universal tool that would:

  • Boot from USB and run automatically
  • Detect all drive types (NVMe, SATA SSD, HDD)
  • Use the optimal erasure method for each drive
  • Meet Purge-level NIST 800–88 compliance requirements
  • Provide audit logs for compliance documentation
  • Be completely free and open source

So, I built one.

Introducing Secure Automated Purge USB

The Secure Automated Purge USB Utility is a bootable Linux ISO that performs NIST-compliant data sanitization automatically. Just boot from USB, confirm the operation, and walk away. When you come back, all internal drives are securely erased and the system has shut down.

🔗 GitHub: github.com/CyberKareem/SecureAutomatedPurge-USB

Main Features

  • Fully Automated: No technical knowledge required
  • NIST 800–88 Compliant: Meets federal standards for data sanitization (Purge-level)
  • Multi-Drive Support: NVMe, SATA SSD, and HDD
  • Optimal Methods: Uses the fastest secure method for each drive type
  • Audit Logs: Detailed logs for compliance documentation
  • Safety First: Requires explicit confirmation, excludes USB drives

The Evolution: From BitLocker to Universal Purge

This project actually started with my BitLocker Cryptographic Erase tool. That PowerShell utility leverages BitLocker’s encryption to achieve instant NIST-compliant sanitization (Purge-level). It’s incredibly fast.

But real-world IT is messy. In 50 workstations, for example:

  • 30 had BitLocker enabled (BitLocker tool worked perfectly)
  • 10 were Linux workstations
  • 5 had corrupted Windows installations
  • 5 had BitLocker disabled

This led to an important realization: I needed both tools in my arsenal.

Info graph that shows BitLocker vs Boot-USB solution Comparison

▪️ Windows with BitLocker enabled
 Best Tool: BitLocker Crypto Erase
 Why: Instant and can be performed remotely

▪️ Corrupted or non-booting OS
 Best Tool: Secure Automated Purge
 Why: Doesn’t require a functioning operating system

▪️ Linux or Unix systems
 Best Tool: Secure Automated Purge
 Why: BitLocker is not available on these platforms

▪️ Mixed environment (Windows + Linux)
 Best Tool: Secure Automated Purge
 Why: A universal solution for all OS types

▪️ Remote management needed
 Best Tool: BitLocker Crypto Erase
 Why: Can be triggered via PowerShell remoting

▪️ Unknown drive encryption status
 Best Tool: Secure Automated Purge
 Why: Works regardless of encryption method

And both tools follow NIST 800–88 (Purge-level) guidelines, they just approach it differently:

  • BitLocker tool: Uses existing encryption for cryptographic erase
  • This tool: Uses drive controller commands or overwriting

Together, they cover virtually every secure erasure scenario an IT professional might encounter.

Starting with a specialized tool (BitLocker) taught me the value of cryptographic erasure. But real-world complexity demanded a universal solution. Sometimes the best toolkit isn’t one perfect tool, but multiple tools that excel in different scenarios.

The Technical Challenge

Creating this tool involved solving several interesting technical challenges:

1. Automatic Drive Detection and Classification

The script needs to differentiate between:

  • NVMe SSDs (require nvme-cli tools)
  • SATA SSDs (support ATA Secure Erase)
  • Traditional HDDs (require overwriting)
  • USB drives (must be excluded for safety)

Here’s how I implemented it:

identify_drive_type() {    local drive=$1    local drive_name=$(basename "$drive")        # Check if USB    if [[ $(readlink -f /sys/block/"$drive_name") =~ usb ]]; then        echo "usb"    # Check if NVMe    elif [[ "$drive" =~ nvme ]]; then        echo "nvme"    # Check if SSD    elif [[ $(cat /sys/block/"$drive_name"/queue/rotational 2>/dev/null) == "0" ]]; then        echo "ssd"    else        echo "hdd"    fi}

2. NIST-Compliant Erasure Methods

NIST SP 800–88 Rev. 1 defines different sanitization levels. I implemented “Purge” level:

For NVMe Drives: Cryptographic Erase

nvme format "$drive" --ses=2nvme format "$drive" --ses=1nvme sanitize "$drive" --sanact=2

This destroys the encryption keys in the drive controller, rendering all data unrecoverable in seconds.

And it will fall back to block erase using NVMe format command, and it will also use the crypto erase sanitize command as the last resort, achieving comprehensive data sanitization.

For SATA SSDs: ATA Secure Erase

hdparm --user-master u --security-set-pass p "$drive"hdparm --user-master u --security-erase p "$drive"hdparm --sanitize-crypto-scramble "$drive"hdparm --sanitize-block-erase "$drive"

This triggers the drive’s built-in secure erase function which is the most compatible, and the controller executes internally. Then tries the newer sanitize commands, also achieving comprehensive approach.

For HDDs: 3-Pass Overwrite

shred -v -n 3 "$drive"

This overwrites the entire drive three times: random data, random data, zeros.

3. Building a Bootable Environment

I used Debian 12 netinst Live Build to create a minimal Linux environment that:

  • Boots entirely into RAM (no persistence)
  • Includes only necessary tools (nvme-cli, hdparm, shred)
  • Automatically starts the purge script
  • Has no network connectivity (security feature)

The key was configuring rc.local to launch immediately after boot:

#!/bin/shexec < /dev/console > /dev/console 2>&1clear/usr/local/bin/secure_purge.shexit 0

4. Safety Mechanisms

With great power comes great responsibility. The tool includes multiple safety features:

  • USB drives excluded: Prevents accidentally wiping the boot drive
  • Explicit confirmation: Must type (all caps)ERASE ALL DATA to proceed
  • Detailed drive listing: Shows model and serial numbers
  • No network access: Prevents remote triggering
  • Auto-shutdown: Ensures clean completion

Real-World Usage

Here’s what it looks like in action:

NVMe System

NVMe system at the confirmation stage
NVMe system after the purge process completion

SATA SSD System

SATA SSD system at the confirmation stage
SATA SSD system entering sleep/wakup to unfreeze the drive
SATA SSD system after the purge process completion

HDD System

HDD system at the confirmation stage
HDD system during purge process

After countless hours coding, testing, debugging, and refining, seeing this tool flawlessly purge HDDs, NVMe, and SATA SSDs feels genuinely rewarding. It’s not just code, it’s trust, reliability, and a bit of my stubbornness combined. Moments like these remind me why I chose cybersecurity in the first place.

Lessons Learned

1. Drive Controllers Are Smart

Modern drives have sophisticated controllers that can perform secure erasure far faster than any software-based overwriting. Using these built-in capabilities is key to efficient sanitization.

2. One Size Doesn’t Fit All

Different drive types require different approaches. NVMe drives support cryptographic erase, SATA drives have ATA Secure Erase, and only HDDs require actual overwriting.

3. Automation Reduces Errors

By automating the entire process, we eliminate the risk of human error, wrong commands, skipped drives, or incomplete erasure.

4. Compliance Requires Documentation

The tool generates detailed logs showing:

  • Drive serial numbers
  • Erasure methods used
  • Completion timestamps
  • Verification results

Building Your Own

I have already uploaded an ISO file of the tool ready to fire available on my GitHub: SecureAutomatedPurge USB utility

The tool is completely open source. To build your own ISO:

# Clone the repositorygit clone https://github.com/CyberKareem/SecureAutomatedPurge-USB.gitcd SecureAutomatedPurge-USB
# Run the build script (Debian/Ubuntu)sudo ./build/build_iso.sh

The build process:

  1. Creates a Debian Live environment
  2. Installs required packages
  3. Adds the purge script
  4. Configures auto-start
  5. Generates a bootable ISO

Security Considerations

What It Protects Against

  • Data recovery software
  • Filesystem undelete tools
  • Forensic recovery methods
  • Casual data thieves

What It Doesn’t Protect Against

  • Nation-state level forensics
  • Electron microscopy on HDDs
  • Hidden drive areas (HPA/DCO)
  • Damaged sectors that can’t be overwritten

For classified data, physical destruction remains the gold standard.

Use Cases

IT Asset Disposal

Perfect for decommissioning corporate workstations. Boot, confirm, and move to the next machine while the first one wipes.

Personal Privacy

Selling your old computer? This ensures your personal data doesn’t go with it.

Compliance Requirements

Many regulations (HIPAA, GDPR, PCI-DSS) require secure data disposal. This tool provides both the sanitization and documentation needed.

Donation Programs

Refurbishing computers for charity? Ensure previous data is completely removed first.

Future Enhancements

I’m thinking of adding:

  • Network boot support (PXE)
  • Parallel drive processing
  • Cloud logging for centralized reporting
  • GUI version for less technical users
  • Support for external drives (with safety controls)

In Short

Building this tool reminded me why I love open-source development. What started as a PowerShell script for BitLocker evolved into a comprehensive solution for secure data destruction. Each tool taught me something new:

  • BitLocker Crypto Erase: The power of leveraging existing encryption
  • Secure Automated Purge: The importance of universal solutions

Together, they form a complete toolkit for modern data sanitization. The BitLocker tool handles the “easy” cases where Windows and encryption are already in place. This boot-and-nuke tool handles everything else.

The combination of modern drive capabilities and NIST guidelines allowed me to create something that’s both faster and more secure than traditional approaches. It’s particularly satisfying to see a 500GB NVMe drive securely erased in 5 seconds instead of 2 hours.

If you’re responsible for secure data disposal, I encourage you to:

  1. Try both tools: Use BitLocker Crypto Erase for Windows, this for everything else
  2. Read NIST SP 800–88: Understand the standards behind the tools
  3. Contribute: Both projects are open source and welcome improvements
  4. Stay secure: Make data sanitization part of your standard procedures

The journey from a simple PowerShell script to a full bootable Linux ISO taught me that sometimes the best solution isn’t one tool, but a collection of tools that work together. Each has its place, and together they ensure that no drive gets left behind.

Remember: with data breaches making headlines regularly, secure disposal is just as important as secure storage.


Resources

My Secure Erasure Tools

Standards & References


About me

I’m Abdullah Kareem, an IT specialist and cybersecurity enthusiast. Connect with me on LinkedIn or check out my other projects on GitHub.

Have you faced challenges with secure data disposal? What tools do you use? I’d love to hear about your experiences in the comments!


Tags: #SecurityTools #DataSanitization #NIST #OpenSource #DiskWiping #Cybersecurity #Linux #ITCompliance #DataPrivacy #TechTools