How not to securely erase a NVME drive (2022)
38 points
4 days ago
| 8 comments
| peterbabic.dev
| HN
digiown
1 hour ago
[-]
And this is why you always encrypt the drive with software. All of these methods seem to put a lot of faith into the drive controller doing what it claim it does, which you can never be all that sure about. Even Microsoft-backed Bitlocker would help here.
reply
SoftTalker
57 minutes ago
[-]
For SATA SSDs i've used the hdparm secure erase and then verified that dd | hexdump is all zeros. That was good enough for me.
reply
Joel_Mckay
1 hour ago
[-]
Indeed, LUKS + F2FS for /home with an external key file imported into initrd solves a lot of issues.

Primarily, when an SSD slowly fails the sector replacement allotment has already bled data into read-only areas of the drive. As a user, there is no way to reliably scrub that data.

If the drive suddenly bricks, the warranty service will often not return the original hardware... and just the password protection on an embedded LUKS key is not great.

There are effective disposal methods:

1. shred the chips

2. incinerate the chips

Wiping/Trim sometimes doesn't even work if the Flash chips are malfunctioning. =3

reply
Neywiny
13 minutes ago
[-]
Gotta love breaking EFI changes. I don't know how many times my work laptop would do that and I couldn't boot anymore, only to remember some stressful time later that Linux would only boot with some of the settings flipped from their defaults. At least I never had to reinstall anything.
reply
wtallis
21 minutes ago
[-]
It's very common for both NVMe and SATA drives that they'll be locked/frozen during boot and thus will not honor a secure erase command until the drive has been power-cycled, which can usually be accomplished with the system-level sleep/wake cycle. I'm not sure what useful purpose this is meant to serve other than possibly making it hard for malware to instantly and irretrievably wipe your storage.
reply
SoftTalker
59 minutes ago
[-]
Smash it with a hammer and move on. I'd never buy a used storage device anyway, no telling what malware it might contain.
reply
NegativeK
49 minutes ago
[-]
I had a drawn out conversation with a friend about erasing NVME drives in a way that met compliance needs. The procedure they were given was to install Windows, with Bitlocker, twice with no effort to retain the key.

But that doesn't even overwrite the visible drive space; you can do a simple PoC to demonstrate that Windows won't get to all the mapped blocks. And that still hasn't gotten to the overprovisioned blocks and wear leveling issues that the article references.

You could use the BIOS or whatever CLI tool to tell the drive to chuck its encryption key, but are you sure that tool meets whatever compliance requirements you're beholden to? Are you sure the drive firmware does?

So they went with paying a company to shred the drives. All of them. It's disgustingly wasteful.

reply
protocolture
13 minutes ago
[-]
Used to do recycling. Before secure erase was widespread there used to be cheapish 16 and 32GB SSDs for embedded devices, but a few of them made it into the thin/zero client space and a few white labelled low end pc's. they were actually twice the size. Basically 2 16s in a single 16 chassis. And what you would get is that the 2 drives were sort of in sync, I think it was a failover mechanism to deal with shitty drive quality. If drive A failed it would just connect to drive B instead and the user might not know about the failure. But the second drive would not wipe necessarily depending on how you wiped the first one. A few people retrieved data from the second disk under lab conditions, after wiping the first, so we had a report come through that we couldnt certify these disks as erased until they demonstrated compliance with secure erase. So we shredded probably a few thousand of them.

I heard of similar issues with early nvme drives.

reply
wtallis
24 minutes ago
[-]
If compliance is the goal, just use FIPS certified self-encrypting drives and trust them to wipe their encryption keys when instructed to do so. At that point, any failure is clearly the vendor's fault, not your own.
reply
e40
3 days ago
[-]
That was way longer than I expected. Wow.
reply
russfink
1 hour ago
[-]
sedutil-cli —yesIwantToEraseALLmydata $PSID /dev/sda1 or something like that.
reply
theandrewbailey
1 hour ago
[-]
Tip: Get a barcode scanner. The PSID is usually encoded in a bar/matrix code on the drive's label, next to the plaintext PSID.
reply
buckle8017
38 minutes ago
[-]
Smash it with a hammer.

If you insist on erasing the data, overwrite the entire contents of the drive twice with random data.

Doing it twice will blow away any cached as well (probably).

reply