Created dateUpdated dateAffects versionFix version


7.6.0 and older7.7.0


When a drive shows "TCG LOCKED" in the Drive Eraser user interface the previous user or owner has enabled the TCG feature and Drive Eraser can not access the drive to perform an erasure. The drive has to be manually unlocked via a separate tool To unlock the drive follow the steps listed below.

Manual steps to unlock the drive

  1. Download RESCUE64.img.gz image from the sedutil page
  2. Decompress the Rescue system
    1. Linux: gunzip RESCUE64.img.gz
    2. Windows: Use 7-Zip
  3. Transfer the Rescue image to the USB stick
    1. Linux: dd if=RESCUE64.img of=/dev/sdX
    2. Windows: Use Win32DiskImager to write the image to the USB stick
  4. Boot the USB stick.
  5. You will see the login prompt, enter "root" there is no password and you will get a root shell prompt
  6. Check for TCG Enterprise compliant drives using

    sedutil-cli --scan

    Output will look like this

    Scanning for Opal compliant disks
    /dev/sda    E SAS ST600MP0015      NT03
  7. Check Locking status of the drive using 

    sedutil-cli --query

    Output will look like this

    /dev/sda SAS ST600MP0015      NT03 SEAGATE
    TPer function (0x0001)
        ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
    Locking function (0x0002)
        Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
    Geometry function (0x0003)
        Align = N, Alignment Granularity = 1 (528), Logical Block size = 528, Lowest Aligned LBA = 0
    Enterprise function (0x0100)
        Range crossing = Y, Base comID = 0x07fe, comIDs = 2

    If output shows "Locked = Y" then this drive shall be unlocked

  8. Note PSID on the drive label

    Note that every drive has its own unique PSID!
  9. With the matching PSID the drive can be unlocked with following command, replace "sda" with the matching "sdX" number of the drive you want to unlock
    1. For HGST and Western Digital drives
      1. For TCG Enterprise drives

        sedutil-cli --PSIDrevertAdminSP PSIDpasswordPrintedOnLabel /dev/sda
      2. For TCG Opal/Pyrite/Ruby drives

        sedutil-cli –-yesIreallywanttoERASEALLmydatausingthePSID PSIDpasswordPrintedOnLabel /dev/sda
    2. For Seagate drives

      sedutil-cli –-yesIreallywanttoERASEALLmydatausingthePSID PSIDpasswordPrintedOnLabel /dev/sdX
  10. If multiple drives are used and to find the matching "sdX" and disk serial use following command

    find -L /sys/class/block -maxdepth 4 -name vpd_pg80 -exec cat {} \; -exec echo {} \;

    This will show a list of all connected drives, including the "sdX" and disk serial

    W461R3VJ /sys/class/block/sde/device/vpd_pg80

  11. Repeat these steps with all drives which need to be unlocked.