Securely wiping SSDs
Wiping data carriers can protect personal data when you resell them. Because SSDs have a fair amount of error-handling and buffering logic, they are more difficult to wipe.
I document my best-known method here. TL;DR: as commenters pointed out, ideally use OS-level encryption, then throw away the key. Alternatively, use the built-in security erase via hdparm, combined with shred.
Securely wiping data carriers
Securely wiping SSDs is more difficult because the SSD ’thinks’ for itself about when to write or delete data and, to optimise performance or durability, does not always obey user commands. Below are some means to (partially) overcome this.
See more info on this here:
- Why You Can’t “Securely Delete” a File, and What to Do Instead (howtogeek.com)
- How to Securely Erase an SSD Without Damaging the Drive (macsales.com)
- www.linuxquestions.org: shred and ssd drives (linuxquestions.org)
Preparation
For the commands below I made a Lubuntu Live CD (lubuntu.net) using unetbootin (github.io) on my Mac (10.14). I chose Lubuntu because it’s a complete distro but, at 1GB, more manageable than Ubuntu at 3GB. If the 1GB is still too big, one could use Damn Small Linux or another flavour.
shred
Simple yet (moderately) effective, shred(1) (die.net) overwrites files or devices. For example:
sudo shred -n 1 -z /dev/sda1
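This overwrites the target once with random data, then with zeros. The target here, /dev/sda1, is a single partition; pass the whole device (e.g. /dev/sda) to cover the entire disk. Note that this comes with the caveats mentioned above, and is not definitive. I added this to my wiping sequence because it at least helps a bit (bad reason, I know).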
Built-in security measures
SSDs appear to have built-in security measures to encrypt or wipe them. I am not sure how this works, so whether you trust this is up to you. My Samsung SSD had this feature. For example:
- Ensure SSD is not frozen (check with hdparm -I /dev/sda)
- If SSD is frozen, suspend/sleep system and wake up. Else reboot
- Set password:
  hdparm --user-master u --security-set-pass foo /dev/sda
- Securely delete device:
  hdparm --user-master u --security-erase-enhanced foo /dev/sda
- Check if finished: hdparm -I /dev/sda should show password not enabled

More info here:
- Advanced: Erasing Solid State Drives by using the Linux hdparm Utility (lsu.edu)
- Securely erasing frozen hard disks with hdparm (co.uk)
- New SSD hdparm shows “frozen” - whether secure erase is needed before installing Linux (superuser.com)
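
The state checks in the hdparm steps above can be scripted. This is an added example, not part of the original post: it classifies the Security block of hdparm -I output into the state each step expects. The function name, the state names and the sample output are constructed here, and the block layout is assumed to follow hdparm's usual "not <word>" / "<word>" format.

```shell
#!/bin/sh
# Added example: classify the "Security:" block of `hdparm -I` output so each
# step of the erase procedure can be checked before moving on.
# Assumption: the block uses hdparm's usual "not <word>" / "<word>" layout.

# Reads `hdparm -I` text on stdin, prints "<state> <erase-mode>".
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; found = 1; next }
        # A non-indented, non-empty line starts the next top-level section.
        insec && NF && index(" \t", substr($0, 1, 1)) == 0 { insec = 0 }
        insec {
            neg  = ($1 == "not")
            word = neg ? $2 : $1
            if (word == "supported")                    supported = !neg
            if (word == "supported:" && $NF == "erase") enhanced  = !neg
            if (word == "enabled")                      enabled   = !neg
            if (word == "locked")                       locked    = !neg
            if (word == "frozen")                       frozen    = !neg
        }
        END {
            mode = enhanced ? "enhanced" : "basic"
            if (!found || !supported) state = "unsupported"
            else if (frozen)          state = "frozen"        # suspend/wake or reboot first
            else if (locked)          state = "locked"
            else if (enabled)         state = "password-set"  # erase not yet finished
            else                      state = "clear"         # before set-pass, or erase done
            print state, mode
        }'
}

# Constructed sample: Security block of a drive that is still frozen.
sample_frozen() {
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Constructed sample: after --security-set-pass, drive without enhanced erase.
sample_password_set() {
    printf 'Security: \n\t\tsupported\n\t\tenabled\n\tnot\tlocked\n'
    printf '\tnot\tfrozen\n\tnot\tsupported: enhanced erase\n'
}

# Real use (needs root): hdparm -I /dev/sda | ata_security_state
sample_frozen | ata_security_state
sample_password_set | ata_security_state
```

A drive that reports basic does not advertise enhanced erase; hdparm's --security-erase is the non-enhanced form of the same command.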
DBAN - Darik’s Boot and Nuke
This one doesn’t work anymore (for me). After I had some trouble making a bootable USB stick, the prompt fails because it somehow cannot find /proc/cmdline. It seems the software is now sold as a commercial version and the free version is unmaintained.