Here's the 31st post highlighting key new features of the current v257 release of systemd. #systemd257
In an earlier installment of this series we already talked about "systemd-repart", systemd's "elastic", automatic repartitioning tool, which can also be used as an installer and image-building tool.
One thing systemd-repart can do for you is to initialize the partitions it creates with initial data. This can be a freshly generated fs that it copies files into, but there's also CopyBlocks=…
… which operates on the block layer, and can initialize the partition from either a regular file (which then would typically contain a pre-made fs image), or another block device (in order to maybe replicate an existing partition onto a new disk, in a byte exact fashion).
With v257 CopyBlocks= gained one new feature: in addition to regular files and block devices you can now specify character devices as a source to copy from too.
You wonder what that might be good for?
Well, one device in particular: /dev/urandom. Or in other words: you can now do CopyBlocks=/dev/urandom to initialize a partition with entirely random data, which is sometimes useful to systematically overwrite any previous contents it might have had.
Note that whenever systemd-repart initializes a partition it will anyway use the DISCARD hardware operation first to empty it, and it also ensures that any remaining super blocks from an older fs are erased no matter what.
@pid_eins afaik securely overwriting an entire SSD manually, to prevent recovery of old disk contents, is not really possible though because SSDs have more storage space than they advertise and transparently remap logical blocks to physical blocks. you'd have to use the SSD's special "securely wipe the entire disk" command for that
@jann yeah i guess this feature is not so much about total destruction of the data, it's really just about making the stuff invisible.
I guess we could teach repart also to fire the right nvme commands to do a secure erase of the disk on request. Afaiu this couldn't be done for parts of the disk though, it would always cover the full thing, hence it probably would have to be exposed quite differently.
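A repart.d drop-in showing the three CopyBlocks= source kinds the thread describes, as an added example (not from the original posts or the systemd project). The file name, labels, sizes and the /dev/sda2 source are constructed; the random-fill partition gets its size from SizeMinBytes=/SizeMaxBytes= since a character device has no size of its own (assumption).

```ini
# /etc/repart.d/60-scratch.conf  (constructed example)
# Partition filled with random data via the v257 character-device source.
# systemd-repart DISCARDs the partition and wipes old superblocks first;
# the random fill additionally makes any prior contents unreadable at the
# block level, but (as noted above) this is not an SSD secure erase.
[Partition]
Type=linux-generic
Label=scratch
SizeMinBytes=1G
SizeMaxBytes=1G
CopyBlocks=/dev/urandom

# /etc/repart.d/70-root-clone.conf  (constructed example)
# Block-device source: byte-exact replica of an existing partition.
[Partition]
Type=root
Label=root-clone
CopyBlocks=/dev/sda2

# /etc/repart.d/80-data.conf  (constructed example)
# Regular-file source: a pre-made filesystem image written as-is.
[Partition]
Type=linux-generic
Label=data
CopyBlocks=/var/lib/images/data.raw
```

Run `systemd-repart --dry-run=yes --pretty=yes /dev/<target>` first to see which partitions would be created before letting it write.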