I understand traditional methods don’t work with modern SSD, anyone knows any good way to do it?

  • potentiallynotfelix@lemmy.ml
    0·
    2 months ago

    If it’s really sensitive shit, you should beat the shit out of it with a sledgehammer and make sure you got all the nand modules(see diagram online), then throw parts of it into a large body of water, deeper the better

  • frankyboi@lemmy.ca
    0·
    2 months ago

    Install all your steam library to full your SSD. Should do the job. Empty the disk, rinse and repeat a few times.

  • Goat@lemmy.blahaj.zone
    0·
    2 months ago

    A special feature known as SSD secure erase. The easiest OS-independent way is probably via CMOS setup – modern BIOSes can send secure erase to NVM Express SSDs and possibly SATA SSDs.

      • WhatAmLemmy@lemmy.worldEnglish
        0·
        2 months ago

        Most SSD/flash secure erase methods involve the storage having full disk encryption enabled, and simply destroying the encryption key. Without the encryption key the data can’t be deciphered even with the correct password, as the password was only used to encrypt the encryption key itself. This is why you can “factory reset” an iPhone or Android in seconds.

      • Skull giver@popplesburger.hilciferous.nl
        0·
        2 months ago

        Secure Erase usually works by encrypting all data before writing it to disk, using a key stored in a special area on the SSD. Reading and writing to the drive is transparent, the OS doesn’t notice any encryption, but on a hardware level the data isn’t plainly readable.

        When you issue an erase command, the SSD throws out the old key and generates a new one. All data on the drive instantly becomes unreadable garbage.

        I say usually, because not all SSDs work that way. I wouldn’t trust Secure Erase on some crappy TEMU/Wish/Aliexpress SSD. Some drives will instead drain every cell, effectively erasing the contents in one single operation. As long as reserve space and relocated memory gets wiped as well (it should, if this is done at the hardware level), this is also perfectly safe.

        Encryption also protects data against the types of duplication and relocation an SSD will do by itself to balance write+erase cycles across the SSD’s cells. If you were to try to overwrite the SSD, a significant chunk of old cells would still contain data, because the OS doesn’t get access to the raw flash storage.

        With encryption, it doesn’t really matter how many bytes are still present on the drive, because unless someone cracked open the SSD and extracted the key before, there’s no making sense of any of that data.

        If you don’t trust your SSD’s encryption, you can use the same practice to protect your files: before you store any interesting files on it, enable disk encryption and use a TPM or VERY strong password for the encryption key (you may need to disable uploading a recovery key to the cloud depending on your OS for maximum security). Taken out of your PC, without some key backup in hand, the drive is completely unreadable and can be resold without worry. This also comes with the downside that if your PC breaks and your key is lost, you won’t be able to get to the data, of course.

        • User_already_exist@lemmy.worldOP
          0·
          2 months ago

          Thanks for this informative answer. Then it would make sense that it took only 1 second, then again, I have a modern Asus motherboard (AM5) with a Western Digital NVMe drive, and that drive isn’t listed as Secure Erase compatible on Asus motherboard. I will download the WD dashboard and do it that way, I didn’t know it existed before I posted this question.

          • Skull giver@popplesburger.hilciferous.nlEnglish
            0·
            2 months ago

            SSD erasure is a standard(ish) command. It’s best not to assume it works if there’s no tested compatibility, but I also wouldn’t expect it not to work, unless you notice that the data on the drive still exists (i.e. you boot the machine and there’s already a partition on there).

            There are actually two types of erase commands for NVMe drives (“cryptographic erase” for the encryption method I mentioned, and “block erase” for actually wiping all cells). There’s a command for “user data erase” that lets the SSD decide which of the two options to use, which I assume most tools will do.

            I didn’t know WD had a tool, that’s probably your best bet! While you’re at it, also check for firmware updates, it may just help the next owner enjoy the drive for a while longer if you’ve got a buggy SSD that you didn’t know about.

      • mark3748@sh.itjust.works
        0·
        2 months ago

        It is the only approved method for data destruction for the several banks and government agencies I support. If they trust it, I trust it.

        I have checked a couple of times out of curiosity, after a secure erase the drive is as clean as if it had been DBANed. Sometimes things are standards because they work properly.

    • Scholars_Mate@lemmy.worldEnglish
      0·
      2 months ago

      No. Modern SSDs are quite sophisticated in how they handle wear leveling and are, for the most part, black boxes.

      SSDs maintain a mapping of logical blocks (what your OS sees) to physical blocks (where the data is physically stored on the flash chips). For instance, when your computer writes to the logical block address 100, the SSD might map that to a physical block address of 200 (this is a very simplified). If you overwrite logical block address 100 again, the SSD might write to physical block address 300 and remap it, while not touching the data at physical block address 200. This let’s you avoid wearing out a particular part of the flash memory and instead spread the load out. It also means that someone could potentially rip the flash chips off the SSD, read them directly, and see data you thought was overwritten.

      You can’t just overwrite the entire SSD either because most SSDs overprovision, e.g. physically have more storage than they report. This is for wear leveling and increased life span of the SSD. If you overwrite the entire SSD, there may be physical flash that was not being overwritten. You can try overwriting the drive multiple times, but because SSDs are black boxes, you can’t be 100% sure how it handles wear leveling and that all the data was actually overwritten.

    • Goat@lemmy.blahaj.zone
      0·
      2 months ago

      No, “overwritten” data doesn’t actually get erased right away due to wear levelling. As SSDs get esoterically smart with how they prevent unnecessary erase operations, there’s no way to be sure without secure erase.

  • sylver_dragon@lemmy.worldEnglish
    0·
    2 months ago

    This article covers several methods. Personally, I’d look for a BIOS based tool first, as that would be free and easiest. After that, the Diskpart Clean All command is probably fine for anything other than Top Secret data which a government based threat actor would be willing to put a lot of resources into recovering. If it’s just your tax documents and porn archive, no one is going to care enough to dig out anything which that command might have left behind.

    • Skull giver@popplesburger.hilciferous.nl
      0·
      2 months ago

      Secure Erase doesn’t need to happen from the BIOS, if your BIOS doesn’t offer it, there’s a good chance you can still do it from within your OS. Don’t do it to the drive your OS is running from, though, that’ll probably cause issues.

      • krash@lemmy.ml
        0·
        2 months ago

        If running linux, what command should be run? Shred isn’t viable on a SSD, as it will only tear them down. Shred was designed with HDD in mind.

        • Skull giver@popplesburger.hilciferous.nlEnglish
          0·
          2 months ago

          If you’re on a desktop or laptop, you should check the disk/partition manager tooling and see if there’s a button to do this for you. In Gnome, for example, it’s in Disks > three dots > Format Disk > Erase: secure erase. I’m sure KDE and other desktop environments with a complete suite of tools will also have something like this. If you find this option greyed out, check the instructions in the wiki article I link below about unlocking the drive. If it’s not there, there may be another GUI tool, or you could use the command line version.

          If you’re going command line, the exact procedure depends on the disk

          SATA disks

          Based on the Arch wiki

          Step 1: check if the disk is frozen

          Run sudo hdparm -I /dev/sdX | grep frozen (replace X with the drive name, of course, or use /dev/disk/by-* if you don’t know the right letter; should work with all of these commands) to check if it’s frozen. It should say “not frozen”, if it says “frozen”, put the computer to (S3) sleep and wake it again. That should usually do it.

          Step 2: set a password

          Simply put: sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX. Don’t reboot without finishing all steps, some hardware is funky. Remember this password.

          Step 3: wipe the drive

          sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX This can take a minute, it can take half an hour (less likely), don’t interrupt the process, definitely don’t turn off the computer.

          Step 4: remove the password

          To make sure people in the future can wipe the drive again, check if there’s still a password. Run sudo hdparm -I /dev/sdX and check for “not enabled” below “password”. If it’s still enabled, try running sudo hdparm --user-master u --security-disable PasSWorD /dev/sdX. With a password set, you will need to unlock the drive with the password you configured before the drive can be used, and most operating systems can’t deal with that automatically.

          NVMe disks

          Based on the same wiki article. Use /dev/nvmeX for the device specification, not /dev/nvmXnY, and obviously substitute for the device you actually want to wipe. You should be able to use paths like /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM as well, in case you don’t know the exact device name.

          Step 1: find capabilities

          sudo nvme id-ctrl /dev/nvmeX -H | grep -E 'Format |Crypto Erase|Sanitize' to find if the device supports formatting or sanitizing.

          Step 2.1: formatting

          Simply put: nvme format /dev/nvmeX -s 2 -n 0xffffffff to do a cryptographic erase. 0xffffffff will erase all namespaces, if multiple namespaces are supported; this is a bit mask, so you can select multiple individual namespaces if you want. If you don’t know what that means, just erase them all, or set use 1 instead of 0xffffffff if the command errors out.

          Step 2.2: sanitizing

          First run nvme sanitize-log /dev/nvmeX to check how long it’ll take, in estimated seconds, for a block erase or a crypto erase to finish, to help you estimate how long you’ll need to leave the computer on for.

          Step 2.2.a: cryptographic erase

          sudo nvme sanitize /dev/nvmeX -a start-crypto-erase will do a cryptographic erase. This should be pretty quick.

          Step 2.2.b: block erase

          sudo nvme sanitize /dev/nvmeX -a start-block-erase will do a block erase. This will can take multiple minutes, maybe longer, depending on your drive and the speed.

          Secure discard

          There’s also a tool called blkdiscard that can tell an SSD to securely discard blocks, if the device supports it, Something like sudo blkdiscard --secure /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM or sudo blkdiscard --secure /dev/disk/by-id/ata-Samsung_SSD_789_EVO_M.2_9999GB_ABCDEFGHIJLM should work for those.

  • Greg Clarke@lemmy.caEnglish
    0·
    2 months ago

    Fill the drive 100% using data duplicator then delete everything on the drive. Repeat a few times to ensure you scrub all blocks. There is no need to physically destroy the drive.

    edit: fair criticism of this approach in cases when the data is unencryptd and the hard drives has bad blocks. I just wanted to give a counter to the destroying hardware approach which isn’t necessary warranted

    • ramble81@lemm.ee
      0·
      2 months ago

      That doesn’t work with SSDs anymore. Their controllers map “bad” blocks which are put in an RO state and writes no longer go there but data still exists. There is usually a buffer of extra space so you do see the capacity loss, but if you bypass the controller you can still read the data there.

      • Greg Clarke@lemmy.caEnglish
        0·
        2 months ago

        That’s fair, I can appreciate an attack vector in cases where there are bad blocks and the drive was unencrypted. Luckily bad blocks are less common with modern SSDs and assuming the disk was encrypted, a few bad blocks are unlikely to expose any contents. So knowing the number of bad blocks and what data was stored would inform if a fill and empty approach would be suitable to sanitize the drive.

  • Brkdncr@lemmy.world
    0·
    2 months ago
    • Secure erase using the drive OEMs tool.
    • If you were using something like bitlocker then simply dump the key.
    • Wood chipper or some other form of absolute physical destruction.