security – Scuttle Boot Option

I’m trying to devise a simple boot option that would secure erase one or more drives in a computer. Imagine a scenario such as airport security where somebody has the authority to compel you to turn on and unlock a laptop that contains trade secrets. You power on the device and enter a password, but instead of logging into the OS, a script is triggered that executes a secure erase on the boot device.

I think the following features would be required or desirable:

  1. minimal interaction required. Perhaps selecting an alternate item on
    a bootloader menu
  2. password protected to prevent accidental or unauthorised activation
  3. does not require unlocking device encryption or logging into OS
  4. minimal execution time, like ATA enhanced security erase or ‘nvme format’
  5. minimal footprint

I think a UEFI utility might be ideal in fulfilling requirements 1 and 5, but I’m not aware of the existence of such. I know Lenovo has a bootable utility to erase an nvme device, but it boots in legacy mode and requires multiple steps, including a menu, a security code, a reboot, and fineally entering the security code before the erase is executed. The process wouldn’t meet the first requirement and would not be quick or subtle enough to be practical in the described scenario.

Of course one could set up a dedicated Linux environment similar to the Parted Magic distribution and have a simple erase script executed automatically at boot time or login, but I’d prefer not to dedicate a whole partition to such a utility, and I’m not sure if a secure erase would even run properly on a boot drive in a Linux environment. Any Windows-based secure erase utility I’ve tried won’t work on the boot drive. I’ve secure-erased drives using Linux bootable USB sticks, but I’ve never tried it on the Linux boot device itself.

This points to another possibility if running Linux as a primary OS on the device, to use the installed OS, but configure a dedicated user account that runs the scuttle script on login. But again, I don’t know if this would work on the system boot drive, plus this approach requires unlocking the boot drive, in violation of requirement #3 above.

Any suggestions?