I understand traditional methods don’t work with modern SSD, anyone knows any good way to do it?

  • sylver_dragon@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    6 months ago

    This article covers several methods. Personally, I’d look for a BIOS based tool first, as that would be free and easiest. After that, the Diskpart Clean All command is probably fine for anything other than Top Secret data which a government based threat actor would be willing to put a lot of resources into recovering. If it’s just your tax documents and porn archive, no one is going to care enough to dig out anything which that command might have left behind.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      Secure Erase doesn’t need to happen from the BIOS, if your BIOS doesn’t offer it, there’s a good chance you can still do it from within your OS. Don’t do it to the drive your OS is running from, though, that’ll probably cause issues.

      • krash@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        If running linux, what command should be run? Shred isn’t viable on a SSD, as it will only tear them down. Shred was designed with HDD in mind.

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          2
          ·
          6 months ago

          If you’re on a desktop or laptop, you should check the disk/partition manager tooling and see if there’s a button to do this for you. In Gnome, for example, it’s in Disks > three dots > Format Disk > Erase: secure erase. I’m sure KDE and other desktop environments with a complete suite of tools will also have something like this. If you find this option greyed out, check the instructions in the wiki article I link below about unlocking the drive. If it’s not there, there may be another GUI tool, or you could use the command line version.

          If you’re going command line, the exact procedure depends on the disk

          SATA disks

          Based on the Arch wiki

          Step 1: check if the disk is frozen

          Run sudo hdparm -I /dev/sdX | grep frozen (replace X with the drive name, of course, or use /dev/disk/by-* if you don’t know the right letter; should work with all of these commands) to check if it’s frozen. It should say “not frozen”, if it says “frozen”, put the computer to (S3) sleep and wake it again. That should usually do it.

          Step 2: set a password

          Simply put: sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX. Don’t reboot without finishing all steps, some hardware is funky. Remember this password.

          Step 3: wipe the drive

          sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX This can take a minute, it can take half an hour (less likely), don’t interrupt the process, definitely don’t turn off the computer.

          Step 4: remove the password

          To make sure people in the future can wipe the drive again, check if there’s still a password. Run sudo hdparm -I /dev/sdX and check for “not enabled” below “password”. If it’s still enabled, try running sudo hdparm --user-master u --security-disable PasSWorD /dev/sdX. With a password set, you will need to unlock the drive with the password you configured before the drive can be used, and most operating systems can’t deal with that automatically.

          NVMe disks

          Based on the same wiki article. Use /dev/nvmeX for the device specification, not /dev/nvmXnY, and obviously substitute for the device you actually want to wipe. You should be able to use paths like /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM as well, in case you don’t know the exact device name.

          Step 1: find capabilities

          sudo nvme id-ctrl /dev/nvmeX -H | grep -E 'Format |Crypto Erase|Sanitize' to find if the device supports formatting or sanitizing.

          Step 2.1: formatting

          Simply put: nvme format /dev/nvmeX -s 2 -n 0xffffffff to do a cryptographic erase. 0xffffffff will erase all namespaces, if multiple namespaces are supported; this is a bit mask, so you can select multiple individual namespaces if you want. If you don’t know what that means, just erase them all, or set use 1 instead of 0xffffffff if the command errors out.

          Step 2.2: sanitizing

          First run nvme sanitize-log /dev/nvmeX to check how long it’ll take, in estimated seconds, for a block erase or a crypto erase to finish, to help you estimate how long you’ll need to leave the computer on for.

          Step 2.2.a: cryptographic erase

          sudo nvme sanitize /dev/nvmeX -a start-crypto-erase will do a cryptographic erase. This should be pretty quick.

          Step 2.2.b: block erase

          sudo nvme sanitize /dev/nvmeX -a start-block-erase will do a block erase. This will can take multiple minutes, maybe longer, depending on your drive and the speed.

          Secure discard

          There’s also a tool called blkdiscard that can tell an SSD to securely discard blocks, if the device supports it, Something like sudo blkdiscard --secure /dev/disk/by-id/nvme-Samsung_SSD_980_1TB_ABCDEFGHIJKLM or sudo blkdiscard --secure /dev/disk/by-id/ata-Samsung_SSD_789_EVO_M.2_9999GB_ABCDEFGHIJLM should work for those.