diff --git a/overlay/usr/bin/factory-reset b/overlay/usr/bin/factory-reset
new file mode 100755
index 0000000..c4cc513
--- /dev/null
+++ b/overlay/usr/bin/factory-reset
@@ -0,0 +1,27 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+. /lib/gentoo/functions.sh
+
+confirm() {
+ unset _confirm
+ printf '%s [y/N] ' "${1-Do you want to continue?}"
+ read _confirm
+ case "${_confirm}" in
+ [Yy]|[Yy][Ee][Ss])
+ return 0
+ ;;
+ *)
+ return 1
+ ;;
+ esac
+}
+
+printf "${WARN}"
+printf 'This operation will COMPLETELY ERASE all data and information '
+printf 'stored on this system!\n'
+printf "${NORMAL}"
+confirm || exit 9
+ewarn 'The system will now reboot and wipe all data.'
+systemctl enable --runtime factory-reset.service
+systemctl reboot
diff --git a/overlay/usr/lib/systemd/system/factory-reset.service b/overlay/usr/lib/systemd/system/factory-reset.service
new file mode 100644
index 0000000..c4eb1e9
--- /dev/null
+++ b/overlay/usr/lib/systemd/system/factory-reset.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Perform a factory reset
+DefaultDependencies=no
+After=umount.target
+Before=systemd-reboot.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/factory-reset
+StandardOutput=kmsg+console
+
+[Install]
+WantedBy=final.target
diff --git a/overlay/usr/libexec/factory-reset b/overlay/usr/libexec/factory-reset
new file mode 100755
index 0000000..0144043
--- /dev/null
+++ b/overlay/usr/libexec/factory-reset
@@ -0,0 +1,13 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+DATAPART=PARTLABEL=dch-data
+
+seq 1 30
+
+dev=$(findfs "${DATAPART}")
+if [ -z "${dev}" ]; then
+ printf 'Could not find data partition (%s)\n' "${DATAPART}" >&2
+ exit 1
+fi
+wipefs -fa "${dev}"
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc
index 5c032b2..85a4fab 100644
--- a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc
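Review bot: In overlay/usr/bin/factory-reset the result of `systemctl enable --runtime factory-reset.service` is not checked before `systemctl reboot`, so if enabling fails (for example when the script is run without sufficient privilege) the machine may still reboot with nothing wiped, after the user was told the data would be erased. Stopping on failure keeps the outcome visible: `systemctl enable --runtime factory-reset.service || exit 1`. Separately, `read _confirm` would be safer as `read -r _confirm`, and `printf "${WARN}"` / `printf "${NORMAL}"` use variables as the format string; if those variables hold literal escape bytes, `printf '%s' "${WARN}"` avoids any `%` interpretation.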
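Review bot: factory-reset.service is pulled in by `final.target` but ordered only with `Before=systemd-reboot.service`, so on any other shutdown path that reaches final.target (poweroff, halt, kexec) nothing orders the wipe ahead of the last shutdown step. The wrapper script always reboots, but the runtime enablement stays in effect until the next boot, so a failed `systemctl reboot` followed by a manual power-off would land in that case. Extending the ordering closes the gap: `Before=systemd-reboot.service systemd-poweroff.service systemd-halt.service systemd-kexec.service`. A one-line comment above `After=umount.target` stating that the wipe presumably has to wait until the data partition is unmounted would also help the next reader.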
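Review bot: `wipefs -fa "${dev}"` in overlay/usr/libexec/factory-reset removes only the filesystem signatures on the data partition; the data blocks stay on the device, while the prompt in /usr/bin/factory-reset promises that all data will be completely erased. Unless the partition is encrypted with a key that is destroyed elsewhere (not visible in this diff), either the wording should be weakened or the script should discard or overwrite the partition before `wipefs`, and the SELinux domain would have to allow whatever tool does that. At minimum I would add `# wipefs clears signatures only; stored data is not overwritten` above the call. `seq 1 30` prints its numbers at once with no delay and looks like a leftover; if a countdown was intended it needs a sleep per step, otherwise it can go.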
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc @@ -1,5 +1,6 @@ -/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0) /usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0) +/usr/libexec/factory-reset -- gen_context(system_u:object_r:aimee_factory_reset_exec_t,s0) +/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0) /var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0) diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te index 70f18af..7ccf9d1 100644 --- a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te +++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te @@ -19,6 +19,10 @@ userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t) type aimee_sysupdate_tmp_t; files_tmp_file(aimee_sysupdate_tmp_t) +type aimee_factory_reset_t; +type aimee_factory_reset_exec_t; +init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t) + ######################################## # # init-storage local policy @@ -140,6 +144,20 @@ gen_require(` ') aimee_os_run_system_update(sysadm_t, sysadm_r) +# factory-reset local policy +# + +allow aimee_factory_reset_t self:capability { sys_admin }; +allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms; + +corecmd_exec_bin(aimee_factory_reset_t) +dev_read_sysfs(aimee_factory_reset_t) +kernel_read_system_state(aimee_factory_reset_t) +fstools_exec(aimee_factory_reset_t) +fstools_manage_runtime_files(aimee_factory_reset_t) +miscfiles_read_localization(aimee_factory_reset_t) +storage_raw_rw_fixed_disk(aimee_factory_reset_t) + ######################################## # # Additional policy rules for Aimee OS-specific behavior
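Review bot: The factory-reset rules added at the end of aimee-os.te give the domain `sys_admin` and `storage_raw_rw_fixed_disk` with no comment saying which step needs them, and both are broad: the first is a catch-all capability and the second covers raw access to fixed-disk nodes in general, not only the data partition. Please record the reason next to each grant, e.g. `# sys_admin: needed by <operation seen in the AVC denial>` (placeholder, to be filled in by the author), so a later audit can tell required access from leftover debugging grants. The section comment also starts directly at `# factory-reset local policy` without the `########################################` / `#` opener that the neighbouring sections in this hunk's context use.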