I have a SSD, that used to have windows on it. It’s been used over the years, I don’t fully trust it in it’s current state. I won’t be replacing it, but what would you recommend:
Should I erase the disk or wipe it with some command? Qubes custom installation suggests ```
dd if=/dev/zero of=/dev/sda bs=1M status=progress
but that's not a good idea for SSD's, what would you suggest?For one of my SSD I used the brand’s app, for the other, after which I installed Qubes, there was a BIOS available service. Both of them did the same thing. It is 1-2s process.
From what I remember it was the best available option, as it uses an impulse to bring everything to a default.
Seems too quick to overwrite anything, it probably just destroyed the partition table.
It’s actually recommended that before you encrypt anything, you fill the drive with random data (not zero):
dd if=/dev/urandom of=/dev/nvme0n1 bs=1M status=progress
Isn’t urandom only for making data absolutely unrecoverable? As for virus’ it does seem /dev/zero should be sufficient, since it writes 0’s to the whole drive. While the data will be more easy to recover by data specialists, the virus is unlikely going to be able to recover itself.
If I was going to be selling this hard drive to getting rid of it, I’d use urandom since that would make data recovery even harder.
I wiped my drive with 0’s using the dev/zero and then I used secure erase after. Judging by what I have read on the internet this should be more than enough.
It’s also used before encrypting a drive, to prevent an attacker from making certain kind of analysis.
That would make sense, although I think my threat model is a little more lenient than this.
Thanks for your replies!
No worries, if you’re interested on this topic there are a lot of resources online that explain it better than I did.
If your question is resolved please pick an answer so this can be closed.
Well, because it is not overwriting it, it uses more “elegant” approach, I guess, caring for your SSD.
Importantly, the ATA Secure Erase command does not write anything to the SSD, unlike a traditional secure wipe tool. Instead, the command causes the SSD to apply a voltage spike to all available flash memory blocks in unison. The process resets every available block of space in a single operation, and the SSD is “clean.”
Yeah the secure erase is apparently the only way to securely erase data, but you could debate that no data is ever truly lost. However secure erase seems to be the best at it. Most modern drives have it implemented well, I know a few years ago there was issues.
Mine took around 20 seconds to run through the process. Extremely quick and will be my good too from now on.
If anyone wants to read up on it I recommend this: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf
IT media sanitization (ITSP.40.006) - Canadian Centre for Cyber Security
ATA Secure Erase - ata Wiki
I reminded of slcoleman great posts and
Depending on the type of SSD (SATA vs. NVMe), there are different tools available:
https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing
I think that only applies to HDDs.