Most SSD/flash secure erase methods involve the storage having full disk encryption enabled, and simply destroying the encryption key. Without the encryption key the data can’t be deciphered even with the correct password, as the password was only used to encrypt the encryption key itself. This is why you can “factory reset” an iPhone or Android in seconds.
Secure Erase usually works by encrypting all data before writing it to disk, using a key stored in a special area on the SSD. Reading and writing to the drive is transparent, the OS doesn’t notice any encryption, but on a hardware level the data isn’t plainly readable.
When you issue an erase command, the SSD throws out the old key and generates a new one. All data on the drive instantly becomes unreadable garbage.
I say usually, because not all SSDs work that way. I wouldn’t trust Secure Erase on some crappy TEMU/Wish/Aliexpress SSD. Some drives will instead drain every cell, effectively erasing the contents in one single operation. As long as reserve space and relocated memory gets wiped as well (it should, if this is done at the hardware level), this is also perfectly safe.
Encryption also protects data against the types of duplication and relocation an SSD will do by itself to balance write+erase cycles across the SSD’s cells. If you were to try to overwrite the SSD, a significant chunk of old cells would still contain data, because the OS doesn’t get access to the raw flash storage.
With encryption, it doesn’t really matter how many bytes are still present on the drive, because unless someone cracked open the SSD and extracted the key before, there’s no making sense of any of that data.
If you don’t trust your SSD’s encryption, you can use the same practice to protect your files: before you store any interesting files on it, enable disk encryption and use a TPM or VERY strong password for the encryption key (you may need to disable uploading a recovery key to the cloud depending on your OS for maximum security). Taken out of your PC, without some key backup in hand, the drive is completely unreadable and can be resold without worry. This also comes with the downside that if your PC breaks and your key is lost, you won’t be able to get to the data, of course.
Thanks for this informative answer. Then it would make sense that it took only 1 second, then again, I have a modern Asus motherboard (AM5) with a Western Digital NVMe drive, and that drive isn’t listed as Secure Erase compatible on Asus motherboard. I will download the WD dashboard and do it that way, I didn’t know it existed before I posted this question.
SSD erasure is a standard(ish) command. It’s best not to assume it works if there’s no tested compatibility, but I also wouldn’t expect it not to work, unless you notice that the data on the drive still exists (i.e. you boot the machine and there’s already a partition on there).
There are actually two types of erase commands for NVMe drives (“cryptographic erase” for the encryption method I mentioned, and “block erase” for actually wiping all cells). There’s a command for “user data erase” that lets the SSD decide which of the two options to use, which I assume most tools will do.
I didn’t know WD had a tool, that’s probably your best bet! While you’re at it, also check for firmware updates, it may just help the next owner enjoy the drive for a while longer if you’ve got a buggy SSD that you didn’t know about.
It is the only approved method for data destruction for the several banks and government agencies I support. If they trust it, I trust it.
I have checked a couple of times out of curiosity, after a secure erase the drive is as clean as if it had been DBANed. Sometimes things are standards because they work properly.
Did this already, it took 1 second for a 2TB drive. Would you trust that?
Most SSD/flash secure erase methods involve the storage having full disk encryption enabled, and simply destroying the encryption key. Without the encryption key the data can’t be deciphered even with the correct password, as the password was only used to encrypt the encryption key itself. This is why you can “factory reset” an iPhone or Android in seconds.
Secure Erase usually works by encrypting all data before writing it to disk, using a key stored in a special area on the SSD. Reading and writing to the drive is transparent, the OS doesn’t notice any encryption, but on a hardware level the data isn’t plainly readable.
When you issue an erase command, the SSD throws out the old key and generates a new one. All data on the drive instantly becomes unreadable garbage.
I say usually, because not all SSDs work that way. I wouldn’t trust Secure Erase on some crappy TEMU/Wish/Aliexpress SSD. Some drives will instead drain every cell, effectively erasing the contents in one single operation. As long as reserve space and relocated memory gets wiped as well (it should, if this is done at the hardware level), this is also perfectly safe.
Encryption also protects data against the types of duplication and relocation an SSD will do by itself to balance write+erase cycles across the SSD’s cells. If you were to try to overwrite the SSD, a significant chunk of old cells would still contain data, because the OS doesn’t get access to the raw flash storage.
With encryption, it doesn’t really matter how many bytes are still present on the drive, because unless someone cracked open the SSD and extracted the key before, there’s no making sense of any of that data.
If you don’t trust your SSD’s encryption, you can use the same practice to protect your files: before you store any interesting files on it, enable disk encryption and use a TPM or VERY strong password for the encryption key (you may need to disable uploading a recovery key to the cloud depending on your OS for maximum security). Taken out of your PC, without some key backup in hand, the drive is completely unreadable and can be resold without worry. This also comes with the downside that if your PC breaks and your key is lost, you won’t be able to get to the data, of course.
Thanks for this informative answer. Then it would make sense that it took only 1 second, then again, I have a modern Asus motherboard (AM5) with a Western Digital NVMe drive, and that drive isn’t listed as Secure Erase compatible on Asus motherboard. I will download the WD dashboard and do it that way, I didn’t know it existed before I posted this question.
SSD erasure is a standard(ish) command. It’s best not to assume it works if there’s no tested compatibility, but I also wouldn’t expect it not to work, unless you notice that the data on the drive still exists (i.e. you boot the machine and there’s already a partition on there).
There are actually two types of erase commands for NVMe drives (“cryptographic erase” for the encryption method I mentioned, and “block erase” for actually wiping all cells). There’s a command for “user data erase” that lets the SSD decide which of the two options to use, which I assume most tools will do.
I didn’t know WD had a tool, that’s probably your best bet! While you’re at it, also check for firmware updates, it may just help the next owner enjoy the drive for a while longer if you’ve got a buggy SSD that you didn’t know about.
It is the only approved method for data destruction for the several banks and government agencies I support. If they trust it, I trust it.
I have checked a couple of times out of curiosity, after a secure erase the drive is as clean as if it had been DBANed. Sometimes things are standards because they work properly.
Yes. SSDs are different from HDDs.