Hey guys,
I want to shred/sanitize my SSDs. If it was a normal hard drive I would stick to ShredOS / nwipe, but since SSDs seem to be a little more complicated, I need your advice.
When reading through some posts on the internet, many people recommend using the software from the manufacturer for sanitizing. Currently I am using the SSD SN850X from Western Digital, but I also have an SSD 990 PRO from Samsung. Both manufacturers don’t seem to have specialized Linux-compatible software to perform this kind of action.
What would be your approach to shred your SSD (without physically destroying it)?
~sp3ctre
Thankfully it is largely just a few commands with built-in tools to tell the drive firmware to secure erase.
SATA SSD: https://acceptdefaults.com/2023/01/06/secure-erase-an-ssd/
NVME SSD: https://acceptdefaults.com/2022/08/11/secure-erase-an-nvme-drive/
This. And then when it’s done, use a hex editor and look at the raw disk to make sure it actually worked. Some manufacturers don’t implement it properly.
Sorry, but can you explain a little how this is done exactly? What should I see when everything worked correctly?
Preferably all zeroes, possibly random data or a fixed string. Certainly not anything readable.
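An added example of the "look at the raw disk afterwards" check (not from this thread or from any drive vendor): instead of paging through a hex editor by hand, it reads 4 KiB samples at evenly spaced offsets across the device and classifies each one as all zeros, a short repeating fill pattern, random-looking data, or readable text. The sample images it ships with are constructed in the script; the entropy threshold and the 16-printable-byte rule for "readable" are my own choices, and the device path is whatever you pass on the command line.

```python
"""Post-erase spot check of a raw block device or disk image.

Added example, not from the thread. Reads fixed-size samples at evenly
spaced offsets and classifies each as zeros, fill pattern, random data or
readable text. Readable text after an erase means the erase did not work.
Usage (as root, against the erased drive): python3 check_erase.py /dev/nvme0n1
Without an argument it runs on a constructed in-memory image instead.
"""
import io
import math
import os
import random
import re
import sys
from collections import Counter

SAMPLE_SIZE = 4096      # bytes per sample
SAMPLES = 64            # evenly spaced samples across the device
RANDOM_ENTROPY = 7.5    # bits/byte threshold; 4 KiB of random bytes scores ~7.95
MAX_FILL_PERIOD = 16    # repeating fill patterns up to this length are recognised
READABLE = re.compile(rb"[\x20-\x7e]{16,}")   # 16+ printable ASCII bytes in a row


def entropy_bits(buf: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_sample(buf: bytes) -> str:
    """Return one of: zeros, fill, readable, random, other."""
    if not buf:
        return "other"
    if not any(buf):
        return "zeros"
    for period in range(1, MAX_FILL_PERIOD + 1):      # e.g. 0xff fill or "WIPED!!!"
        unit = buf[:period]
        if buf == unit * (len(buf) // period) + unit[: len(buf) % period]:
            return "fill"
    if READABLE.search(buf):
        return "readable"
    if entropy_bits(buf) >= RANDOM_ENTROPY:
        return "random"
    return "other"   # low entropy, not readable: inspect by hand (compressed remnants?)


def survey(stream, size: int) -> Counter:
    """Classify SAMPLES reads of SAMPLE_SIZE bytes spread evenly over `stream`."""
    counts = Counter()
    span = max(size - SAMPLE_SIZE, 0)
    for i in range(SAMPLES):
        stream.seek(span * i // (SAMPLES - 1))
        counts[classify_sample(stream.read(SAMPLE_SIZE))] += 1
    return counts


def survey_bytes(data: bytes) -> Counter:
    return survey(io.BytesIO(data), len(data))


def survey_device(path: str) -> Counter:
    """Open a block device or image read-only and survey it."""
    with open(path, "rb", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)   # on Linux this works for block devices too
        return survey(dev, size)


def looks_erased(counts: Counter) -> bool:
    """Zeros, a fill pattern or random data are fine; anything readable is not."""
    return counts["readable"] == 0 and counts["other"] == 0


# Constructed sample data (not captured from a real drive).
_rng = random.Random(7)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
SAMPLE_ZERO_IMAGE = bytes(256 * 1024)            # 256 KiB, so the 64 samples cover it all
_leftover = bytearray(SAMPLE_ZERO_IMAGE)
_text = b"constructed leftover plaintext: private notes from 2023"
_leftover[100_000:100_000 + len(_text)] = _text  # a stray readable block mid-device
SAMPLE_LEFTOVER_IMAGE = bytes(_leftover)

if __name__ == "__main__":
    counts = survey_device(sys.argv[1]) if len(sys.argv) == 2 else survey_bytes(SAMPLE_LEFTOVER_IMAGE)
    print(dict(counts), "->", "looks erased" if looks_erased(counts) else "NOT erased")
```

Sixty-four samples is a spot check, not proof: it will catch a drive whose "secure erase" quietly did nothing, which is the failure mode the reply above describes, but it cannot prove every block was wiped. Raise SAMPLES (or the sample size) if you want more coverage; a full sequential pass of the device is the thorough version.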
So much bad advice in here relating to NVMes.
Any NVMe worth its salt these days is an OPAL-adhering, self-encrypting-capable drive for data storage.
This means in Linux you simply install nvme-cli, then do a mode 2 crypto erase and the crypto key is dropped and all data on the drive becomes unreadable.
Y’all could stand to get with the times a bit more and learn about what NVMes actually bring to the table.
https://tinyapps.org/docs/nvme-secure-erase.html
For drives with it disabled, mode 1 wipe will have the controller fill all regions with meaningless data to wipe it.
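To make the "mode 2 if the drive does crypto erase, mode 1 otherwise" decision less of a guess, here is an added example (mine, not nvme-cli's own code and not from the thread) that reads the plain-text output of `nvme id-ctrl`, looks at the FNA, SANICAP and OACS capability fields from the NVMe spec, and prints the matching `nvme format --ses=2` / `--ses=1` or `nvme sanitize` command. It is a dry run unless you add `--run`. The two id-ctrl excerpts embedded in it are constructed, the `/dev/nvme0` + `n1` namespace naming is an assumption, and the preference order (format crypto erase first, then sanitize crypto, sanitize block, then format user-data erase) is my own.

```python
"""Pick the nvme-cli erase command from what the controller advertises.

Added example, not from the thread and not part of nvme-cli. Parses the
text output of `nvme id-ctrl <ctrl>` and maps the capability bits to the
"mode 2" (crypto erase) / "mode 1" (user data erase) formats discussed
above, or to the Sanitize command where only that is advertised.
Dry run by default:   python3 plan_erase.py /dev/nvme0
Actually erase with:  python3 plan_erase.py /dev/nvme0 --run   (destroys all data)
"""
import re
import subprocess
import sys

# Capability bits from the NVMe base spec, Identify Controller data structure.
OACS_FORMAT = 1 << 1        # OACS bit 1: Format NVM command supported
FNA_CRYPTO_ERASE = 1 << 2   # FNA bit 2: Format NVM supports cryptographic erase (ses=2)
SANICAP_CRYPTO = 1 << 0     # SANICAP bit 0: Sanitize crypto erase supported
SANICAP_BLOCK = 1 << 1      # SANICAP bit 1: Sanitize block erase supported

# Constructed `nvme id-ctrl` excerpts (real output has many more lines).
SAMPLE_ID_CTRL_SED = "mn        : CONSTRUCTED-SED-MODEL\noacs      : 0x17\nfna       : 0x4\nsanicap   : 0x3\n"
SAMPLE_ID_CTRL_PLAIN = "mn        : CONSTRUCTED-PLAIN-MODEL\noacs      : 0x17\nfna       : 0x0\nsanicap   : 0x0\n"

_FIELD = re.compile(r"^\s*([a-z0-9_]+)\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_id_ctrl(text: str) -> dict:
    """Return the numeric `name : value` fields of id-ctrl output as {name: int}."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2), 0)   # base 0 handles 0x.. and decimal
    return fields


def plan_erase(id_ctrl_text: str, ctrl_dev: str, ns_dev: str) -> tuple:
    """Return (description, argv) for the strongest erase the drive advertises.

    Format runs against the namespace device, Sanitize against the controller.
    Returns (None, None) when the controller advertises nothing usable.
    """
    f = parse_id_ctrl(id_ctrl_text)
    oacs, fna, sanicap = f.get("oacs", 0), f.get("fna", 0), f.get("sanicap", 0)
    if oacs & OACS_FORMAT and fna & FNA_CRYPTO_ERASE:
        return "format crypto erase (mode 2)", ["nvme", "format", ns_dev, "--ses=2"]
    if sanicap & SANICAP_CRYPTO:
        return "sanitize crypto erase", ["nvme", "sanitize", ctrl_dev, "--sanact=4"]
    if sanicap & SANICAP_BLOCK:
        return "sanitize block erase", ["nvme", "sanitize", ctrl_dev, "--sanact=2"]
    if oacs & OACS_FORMAT:
        return "format user data erase (mode 1)", ["nvme", "format", ns_dev, "--ses=1"]
    return None, None


def main(argv: list) -> int:
    run = "--run" in argv
    args = [a for a in argv if a != "--run"]
    if args:
        ctrl = args[0]
        text = subprocess.run(["nvme", "id-ctrl", ctrl], check=True,
                              capture_output=True, text=True).stdout
    else:
        ctrl, text = "/dev/nvme0", SAMPLE_ID_CTRL_SED    # demo on constructed output
    what, cmd = plan_erase(text, ctrl, ctrl + "n1")      # assumes namespace 1 naming
    if cmd is None:
        print("controller advertises no secure erase capability")
        return 1
    print(f"{what}: {' '.join(cmd)}")
    if run:
        # Irreversible. Unmount everything on the drive first.
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The FNA bit is what tells you whether "mode 2" exists at all on a given drive; on a controller that reports `fna : 0x0` the script falls back to the mode 1 overwrite the post above describes, and only refuses when neither Format NVM nor Sanitize is advertised.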
for future reference, encrypt your drives from the get-go. even if it’s not a mobile device, you can use on-device keys to unlock it without a pass-phrase.
source: used shred on a couple of 3.5" 4 TB drives before selling them, took ages…
I will take that into consideration. I already encrypted my older laptop (hard drive) with LUKS. Is there something special when it comes to encrypting SSDs? Do you experience speed losses of the SSD after doing so?
every mobile device I ever owned is encrypted and protected with a reasonably secure pass-phrase so losing it is no big deal. it is conceivable someone could forensic the shit out of my setup but that is highly unlikely; it’s far more likely it’ll get wiped and sold or parted out.
I’ve done no benchmarks but I haven’t experienced any issues ever. the oldest linux device I own is a 2011 MBP (i7-2635qm, so quad-core) and I don’t perceive any speed degradation; it’s possible 1st gen Core i5/i7 could have issues as those don’t have AES-NI in hardware or somesuch plus they’re SATA2 only, but those would be 15+ years old at this point.
with btrfs that has on-the-fly compression, copy-on-write, and deduping, everything works seamlessly, even when I have database-spanking applications in local development.
so the only thing I’ve changed recently is encrypting every device I have, not just the mobile ones. the standalone devices get unlocked with a key-file from the local filesystem so they boot without the prompt. selling/giving away any of those drives, mechanical or SSD, is now a non-issue.
Don’t ever write any really private data to the SSD in cleartext. Use an encrypted file system. “Erase” by throwing away the key. That said, for modern fast SSDs the performance overhead of the encryption might be a problem. For the old SATA SSD in my laptop, I don’t notice it.
That said, for modern fast SSD’s the performance overhead of the encryption might be a problem.
How so? I’ve been running LUKS on modern NVMes for years and there is just the same maybe at worst 10% hit in write/read speeds.
That’s also my experience. There isn’t really any noticeable performance hit, even on modern SSDs. It should be the same amount of data coming from the SSD anyway, since the SSD isn’t even the part doing the cryptography (with LUKS), so it shouldn’t have any effect. And the CPU handles the decryption just fine.
Everyone has given Linux answers; it’s also worth knowing quite a lot of UEFIs contain the ability to secure erase as well. There are a number of USB-bootable disk management tools that can do secure erase as well.