Security engineering
Building a NIST-Compliant Boot-and-Nuke USB Tool: Secure Automated Purge
From BitLocker-specific to universal: How I built an open-source NIST-compliant disk sanitization tool that works on any system
This is Part 2 of my Secure Data Erasure Tools series. Part 1: Introducing the BitLocker Cryptographic Erase Utility: Secure Data Destruction Made Simple
How I evolved from a BitLocker-specific solution to creating a universal disk sanitization tool that automatically detects and securely erases all internal drives

The Problem: Secure Data Destruction at Scale
Last month, I was tasked to arrange a solution securely wiping workstations according to NIST SP 800–88 standards (Purge-level) before disposal. The options were:
- Manual commands: Boot each system with Linux, run different commands for different drive types. Time-consuming and error prone.
- Surface Data Eraser limited for Microsoft Surface machines, and Lenovo ThinkShield Secure Wipe limited for Lenovo new Gen. machines.
- Enterprise tools: Expensive licenses, often require network infrastructure.
- Physical destruction: Wasteful when drives could be reused.
Initially, I tackled this by creating a PowerShell-based BitLocker Cryptographic Erase tool. It worked brilliantly for Windows systems with BitLocker enabled, achieving NIST-compliant crypto erase in seconds. But I quickly realized its limitations which one of them it has only worked on Windows machines with BitLocker On.
This led me to think bigger. What I really needed was a universal tool that would:
- Boot from USB and run automatically
- Detect all drive types (NVMe, SATA SSD, HDD)
- Use the optimal erasure method for each drive
- Meet Purge-level NIST 800–88 compliance requirements
- Provide audit logs for compliance documentation
- Be completely free and open source
So, I built one.
Introducing Secure Automated Purge USB
The Secure Automated Purge USB Utility is a bootable Linux ISO that performs NIST-compliant data sanitization automatically. Just boot from USB, confirm the operation, and walk away. When you come back, all internal drives are securely erased and the system has shut down.
🔗 GitHub: github.com/CyberKareem/SecureAutomatedPurge-USB
Main Features
- Fully Automated: No technical knowledge required
- NIST 800–88 Compliant: Meets federal standards for data sanitization (Purge-level)
- Multi-Drive Support: NVMe, SATA SSD, and HDD
- Optimal Methods: Uses the fastest secure method for each drive type
- Audit Logs: Detailed logs for compliance documentation
- Safety First: Requires explicit confirmation, excludes USB drives
The Evolution: From BitLocker to Universal Purge
This project actually started with my BitLocker Cryptographic Erase tool. That PowerShell utility leverages BitLocker’s encryption to achieve instant NIST-compliant sanitization (Purge-level). It’s incredibly fast.
But real-world IT is messy. In 50 workstations, for example:
- 30 had BitLocker enabled (BitLocker tool worked perfectly)
- 10 were Linux workstations
- 5 had corrupted Windows installations
- 5 had BitLocker disabled
This led to an important realization: I needed both tools in my arsenal.

▪️ Windows with BitLocker enabled
Best Tool: BitLocker Crypto Erase
Why: Instant and can be performed remotely
▪️ Corrupted or non-booting OS
Best Tool: Secure Automated Purge
Why: Doesn’t require a functioning operating system
▪️ Linux or Unix systems
Best Tool: Secure Automated Purge
Why: BitLocker is not available on these platforms
▪️ Mixed environment (Windows + Linux)
Best Tool: Secure Automated Purge
Why: A universal solution for all OS types
▪️ Remote management needed
Best Tool: BitLocker Crypto Erase
Why: Can be triggered via PowerShell remoting
▪️ Unknown drive encryption status
Best Tool: Secure Automated Purge
Why: Works regardless of encryption method
And both tools follow NIST 800–88 (Purge-level) guidelines, they just approach it differently:
- BitLocker tool: Uses existing encryption for cryptographic erase
- This tool: Uses drive controller commands or overwriting
Together, they cover virtually every secure erasure scenario an IT professional might encounter.
Starting with a specialized tool (BitLocker) taught me the value of cryptographic erasure. But real-world complexity demanded a universal solution. Sometimes the best toolkit isn’t one perfect tool, but multiple tools that excel in different scenarios.
The Technical Challenge
Creating this tool involved solving several interesting technical challenges:
1. Automatic Drive Detection and Classification
The script needs to differentiate between:
- NVMe SSDs (require
nvme-clitools) - SATA SSDs (support ATA Secure Erase)
- Traditional HDDs (require overwriting)
- USB drives (must be excluded for safety)
Here’s how I implemented it:
identify_drive_type() { local drive=$1 local drive_name=$(basename "$drive") # Check if USB if [[ $(readlink -f /sys/block/"$drive_name") =~ usb ]]; then echo "usb" # Check if NVMe elif [[ "$drive" =~ nvme ]]; then echo "nvme" # Check if SSD elif [[ $(cat /sys/block/"$drive_name"/queue/rotational 2>/dev/null) == "0" ]]; then echo "ssd" else echo "hdd" fi}2. NIST-Compliant Erasure Methods
NIST SP 800–88 Rev. 1 defines different sanitization levels. I implemented “Purge” level:
For NVMe Drives: Cryptographic Erase
nvme format "$drive" --ses=2nvme format "$drive" --ses=1nvme sanitize "$drive" --sanact=2This destroys the encryption keys in the drive controller, rendering all data unrecoverable in seconds.
And it will fall back to block erase using NVMe format command, and it will also use the crypto erase sanitize command as the last resort, achieving comprehensive data sanitization.
For SATA SSDs: ATA Secure Erase
hdparm --user-master u --security-set-pass p "$drive"hdparm --user-master u --security-erase p "$drive"hdparm --sanitize-crypto-scramble "$drive"hdparm --sanitize-block-erase "$drive"This triggers the drive’s built-in secure erase function which is the most compatible, and the controller executes internally. Then tries the newer sanitize commands, also achieving comprehensive approach.
For HDDs: 3-Pass Overwrite
shred -v -n 3 "$drive"This overwrites the entire drive three times: random data, random data, zeros.
3. Building a Bootable Environment
I used Debian 12 netinst Live Build to create a minimal Linux environment that:
- Boots entirely into RAM (no persistence)
- Includes only necessary tools (
nvme-cli,hdparm,shred) - Automatically starts the purge script
- Has no network connectivity (security feature)
The key was configuring rc.local to launch immediately after boot:
#!/bin/shexec < /dev/console > /dev/console 2>&1clear/usr/local/bin/secure_purge.shexit 04. Safety Mechanisms
With great power comes great responsibility. The tool includes multiple safety features:
- USB drives excluded: Prevents accidentally wiping the boot drive
- Explicit confirmation: Must type (all caps)
ERASE ALL DATAto proceed - Detailed drive listing: Shows model and serial numbers
- No network access: Prevents remote triggering
- Auto-shutdown: Ensures clean completion
Real-World Usage
Here’s what it looks like in action:
NVMe System


SATA SSD System



HDD System


After countless hours coding, testing, debugging, and refining, seeing this tool flawlessly purge HDDs, NVMe, and SATA SSDs feels genuinely rewarding. It’s not just code, it’s trust, reliability, and a bit of my stubbornness combined. Moments like these remind me why I chose cybersecurity in the first place.
Lessons Learned
1. Drive Controllers Are Smart
Modern drives have sophisticated controllers that can perform secure erasure far faster than any software-based overwriting. Using these built-in capabilities is key to efficient sanitization.
2. One Size Doesn’t Fit All
Different drive types require different approaches. NVMe drives support cryptographic erase, SATA drives have ATA Secure Erase, and only HDDs require actual overwriting.
3. Automation Reduces Errors
By automating the entire process, we eliminate the risk of human error, wrong commands, skipped drives, or incomplete erasure.
4. Compliance Requires Documentation
The tool generates detailed logs showing:
- Drive serial numbers
- Erasure methods used
- Completion timestamps
- Verification results
Building Your Own
I have already uploaded an ISO file of the tool ready to fire available on my GitHub: SecureAutomatedPurge USB utility
The tool is completely open source. To build your own ISO:
# Clone the repositorygit clone https://github.com/CyberKareem/SecureAutomatedPurge-USB.gitcd SecureAutomatedPurge-USB# Run the build script (Debian/Ubuntu)sudo ./build/build_iso.shThe build process:
- Creates a Debian Live environment
- Installs required packages
- Adds the purge script
- Configures auto-start
- Generates a bootable ISO
Security Considerations
What It Protects Against
- Data recovery software
- Filesystem undelete tools
- Forensic recovery methods
- Casual data thieves
What It Doesn’t Protect Against
- Nation-state level forensics
- Electron microscopy on HDDs
- Hidden drive areas (HPA/DCO)
- Damaged sectors that can’t be overwritten
For classified data, physical destruction remains the gold standard.
Use Cases
IT Asset Disposal
Perfect for decommissioning corporate workstations. Boot, confirm, and move to the next machine while the first one wipes.
Personal Privacy
Selling your old computer? This ensures your personal data doesn’t go with it.
Compliance Requirements
Many regulations (HIPAA, GDPR, PCI-DSS) require secure data disposal. This tool provides both the sanitization and documentation needed.
Donation Programs
Refurbishing computers for charity? Ensure previous data is completely removed first.
Future Enhancements
I’m thinking of adding:
- Network boot support (PXE)
- Parallel drive processing
- Cloud logging for centralized reporting
- GUI version for less technical users
- Support for external drives (with safety controls)
In Short
Building this tool reminded me why I love open-source development. What started as a PowerShell script for BitLocker evolved into a comprehensive solution for secure data destruction. Each tool taught me something new:
- BitLocker Crypto Erase: The power of leveraging existing encryption
- Secure Automated Purge: The importance of universal solutions
Together, they form a complete toolkit for modern data sanitization. The BitLocker tool handles the “easy” cases where Windows and encryption are already in place. This boot-and-nuke tool handles everything else.
The combination of modern drive capabilities and NIST guidelines allowed me to create something that’s both faster and more secure than traditional approaches. It’s particularly satisfying to see a 500GB NVMe drive securely erased in 5 seconds instead of 2 hours.
If you’re responsible for secure data disposal, I encourage you to:
- Try both tools: Use BitLocker Crypto Erase for Windows, this for everything else
- Read NIST SP 800–88: Understand the standards behind the tools
- Contribute: Both projects are open source and welcome improvements
- Stay secure: Make data sanitization part of your standard procedures
The journey from a simple PowerShell script to a full bootable Linux ISO taught me that sometimes the best solution isn’t one tool, but a collection of tools that work together. Each has its place, and together they ensure that no drive gets left behind.
Remember: with data breaches making headlines regularly, secure disposal is just as important as secure storage.
Resources
My Secure Erasure Tools
- Secure Automated Purge USB: GitHub | Download ISO
- BitLocker Crypto Erase: GitHub | Blog Post
Standards & References
- NIST SP 800–88 Rev. 1: Guidelines for Media Sanitization
Related Reading:
About me
I’m Abdullah Kareem, an IT specialist and cybersecurity enthusiast. Connect with me on LinkedIn or check out my other projects on GitHub.
Have you faced challenges with secure data disposal? What tools do you use? I’d love to hear about your experiences in the comments!