Hey guys,

I want to shred/sanitize my SSDs. If it was a normal harddrive I would stick to ShredOS / nwipe, but since SSD’s seem to be a little more complicated, I need your advice.

When reading through some posts in the internet, many people recommend using the software from the manufacturer for sanitizing. Currently I am using the SSD SN850X from Western digital, but I also have a SSD 990 PRO from Samsung. Both manufacturers don’t seem to have a specialized linux-compatible software to perform this kind of action.

How would be your approach to shred your SSD (without physically destroying it)?

~sp3ctre

  • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
    42 days ago

    I did some light reading. I see claims that wear leveling only ever writes only to zeroed sectors. Let me get this straight:

    If I have a 1TB ssd, and I write 1TB of SecretData, and then I delete and write 1TB of garbage to the disk, it’s not actually holding 2TB of data, with the SecretData hidden underneath wear leveling? That’s the claim? And if I overwrite that with another 1TB of garbage it’s holding, what now, 3TB of data? Each data sequence hidden somehow by the magic of wear leveling?

    Skeptical Ruaraidh is skeptical. Wear leveling ensures data on an SSD is written to free sectors with the lowest write count. It can’t possibly be retaining data if data the maximum size of the device is written to it.

    I see a popular comment on SO saying you can’t trust dd on SSDs, and I challenge that: in this case, wiping an entire disk by dumping /dev/random must clean the SSD of all other data. Otherwise, someone’s invented the storage version of a perpetual motion device. To be safe, sync and read it, and maybe dumb again, but I really can’t see how an SSD world hold more data than it can.

    dd if=/dev/random of=/dev/sdX bs=2048 count=524288

    If you’re clever enough to be using zsh as your shell:

    repeat 3 (dd if=/dev/random of=/dev/sdX bs=2048 count=524288 ; sync ; dd if=/dev/sdX ba=2048)

    You reduce every single cell’s write lifespan by 2 times; with modern life spans of 3,000-100,000 writes per cell, it’s not significant.

    Someone mentioned blkdiscard. If you really aren’t concerned about forensic analysis, this is probably the fastest and least impactful answer: it won’t affect cell lives by even a measly 2 writes. But it also doesn’t actually remove the data, it just tells the SSD that those cells are free and empty. Probably really hard to reconstruct data from that, but also probably not impossible. dd is a shredding option: safer, slower, and with a tiny impact on drive lifespan.

    • @patatahooligan@lemmy.world
      11 day ago

      in this case, wiping an entire disk by dumping /dev/random must clean the SSD of all other data.

      Your conclusion is incorrect because you made the assumption that the SSD has exactly the advertised storage or infinite storage. What if it’s over-provisioned by a small margin, though?

      • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
        11 day ago

        Then over-writing the size by a few gigs, reading the entire disk, and writing it again - as I put in my example - should work. In any case blkdiscard is not guaranteed to zero data unless the disk specifically supports that capability, and data can be forensically extracted from a blkdiscarded disk.

        The Arch wiki says blkdiscard -z is equivalent to running dd if=/dev/zero.

        • @patatahooligan@lemmy.world
          124 hours ago

          I don’t see how attempting to over-write would help. The additional blocks are not addressable on the OS side. dd will exit because it reached the end of the visible device space but blocks will remain untouched internally.

          The Arch wiki says blkdiscard -z is equivalent to running dd if=/dev/zero.

          Where does it say that? Here it seems to support the opposite. The linked paper says that two passes worked “in most cases”, but the results are unreliable. On one drive they found 1GB of data to have survived 20 passes.

          • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
            119 hours ago

            Sorry, it wasn’t the Arch wiki. It was this page.

            I hate using Stack Exchange as a source of truth, but the Arch wiki references this discussion which points out that not all SSDs support “Deterministic read ZEROs after TRIM”, meaning a pure blkdiscard is not guaranteed to clear data (unless the device is advertised with that feature), leaving it available for forensics. Which means having to use --secure, which is (also) not supported by all devices, which means having to use -z, which the previous source claims is equivalent to dd if=/dev/zero.

            So the SSD is hiding extra, inaccessible, cells. How does blkdiscard help? Either the blocks are accessible, or they aren’t. How are you getting a the hidden cells with blkdiscard? The paper you referenced does not mention blkdiscard directly as that’s a Linux-specific command, but other references imply or state it’s just calling TRIM. That same paper, in a footnote below section 3.3, claims TRIM adds no reliable data security.

            It looks like - especially from that security paper - that the cells are inaccessible and not reliably clearable by any mechanism. blkdiscard then adds no security over dd, and I’d be interested to see whether, with -z, it’s any faster than dd since it perforce would have to write zeros to all blocks just the same, rather than just marking them “discarded”.

            I feel that, unless you know the SDD supports secure trim, or you always use -z, dd is safer, since blkdiscard can give you a false sense of security, and TRIM adds no assurances about wiping those hidden cells.

            • @patatahooligan@lemmy.world
              114 hours ago

              So the SSD is hiding extra, inaccessible, cells. How does blkdiscard help? Either the blocks are accessible, or they aren’t. How are you getting a the hidden cells with blkdiscard?

              The idea is that blkdiscard will tell the SSD’s own controller to zero out everything. The controller can actually access all blocks regardless of what it exposes to your OS. But will it do it? Who knows?

              I feel that, unless you know the SDD supports secure trim, or you always use -z, dd is safer, since blkdiscard can give you a false sense of security, and TRIM adds no assurances about wiping those hidden cells.

              After reading all of this I would just do both… Each method fails in different ways so their sum might be better than either in isolation.

              But the actual solution is to always encrypt all of your storage. Then you don’t have to worry about this mess.

              • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
                13 hours ago

                The idea is that blkdiscard will tell the SSD’s own controller to zero out everything

                Just to be clear, blkdiscard alone does not zero out anything; it just marks blocks as empty. --secure tells compatible drives to additionally wipe the blocks; -z actually zeros out the contents in the blocks like dd does. The difference is that - without the secure or z options - the data is still in the cells.

                always encrypt all of your storage

                Yes! Although, I don’t think hindsight is helpful for OP.

    • flatbieldEnglish
      32 days ago

      This is the way. Use urandom though. Then after that you can just blkdiskard to wipe. I would add sync between the commands.

    • @bizdelnick@lemmy.ml
      32 days ago

      /dev/random, seriously? This will take ages and have no advantages over /dev/zero. Even when you really need to fill your drive with random data, use /dev/urandom, there’s a chance that this will finish in couple days at least. And no, there’s no guarantee that it will wipe all blocks because there are reserved blocks that only device firmware can access and rotate. Some data on rotated blocks still can be accessible for forensic analysis if you care about this.

      • @catloaf@lemm.eeEnglish
        22 days ago

        I think most modern distros use urandom for random too. These days, the PRNG is strong enough it doesn’t need to stop and wait for more entropy.