Adventures in SSD wiping!

Edit: It looks like it can be reused but you have to of course wipe it.

That has been true for a very long time for virtually anything other than certain military specs and national security level specs.

Destroying media, whether physically or via degausser, is the easy way, but a terribly, terribly wasteful way.
 
Eventually, my son gave me an idea. After connecting the drive to a machine with Windows Pro I enabled Bitlocker on the Crucial and let it run. Then after it reported the drive was 100% encrypted I ran Diskpart and blew away all the partitions, placed the drive back into its original machine and ran Windows 10 setup from my flash drive.

My thinking is that since the old data was encrypted before I installed a new copy of Windows and the encryption key is no longer available, only a government actor would be able to recover any of the old data.

Any thoughts on if I'm correct in my thinking?
This is an often overlooked but time saving technique to prevent data breaches. If the drive is encrypted then all you have to do is wipe the space with the keys and it's, for all intents and purposes, unretrievable.
 
I've long used what I've seen referred to as the SAFE model. Scramble And Finally Erase. I'll use an offline boot disk, engage TrueCrypt or VeraCrypt to do a Full Disk Encryption, then boot to an offline boot disk and zero fill the drive.
 
Filling the SSD (fully) with any data, encrypted or not, 00 or not, will make the original data unrecoverable.

As will triggering a secure erase, which is much, much faster, and designed into SSD technology from the get-go.

Now that I know diskpart's "clean all" command actually can be relied upon to trigger a secure erase on an SSD, or a zero-fill on an HDD, that will be my go-to method.
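Whichever method is used (crypto-erase as in the SAFE model above, a full zero fill, or an SSD secure erase), the step most people skip is reading the drive back afterwards to confirm it actually happened. The script below is an added example written for this thread, not code from any poster; it sequentially reads a raw device or disk image, counts non-zero bytes and computes a byte-value entropy, and classifies the surface as zero-filled, high-entropy (what a crypto-erased or random-filled drive should look like), or still carrying residual plaintext. The `make_sample` helper only builds constructed temporary files so the checker can be exercised without a real drive; reading a real block device path such as `/dev/sdX` is assumed to need administrator rights.

```python
import math
import os
import tempfile

CHUNK = 1 << 20  # read the device in 1 MiB chunks


def scan_device(path, max_bytes=None):
    """Sequentially read a block device or disk image and return wipe statistics.

    max_bytes limits the scan (e.g. a spot check of the first few GiB); None reads it all.
    """
    counts = [0] * 256          # histogram of byte values, for the entropy estimate
    total = 0
    nonzero = 0
    first_nonzero = None        # offset of the first non-zero byte, if any
    with open(path, "rb", buffering=0) as f:
        while max_bytes is None or total < max_bytes:
            want = CHUNK if max_bytes is None else min(CHUNK, max_bytes - total)
            chunk = f.read(want)
            if not chunk:
                break
            # bytes.count(int) scans at C speed; 256 scans beat a Python loop over every byte
            for value in range(256):
                counts[value] += chunk.count(value)
            nz = len(chunk) - chunk.count(0)
            if nz and first_nonzero is None:
                first_nonzero = total + next(i for i, b in enumerate(chunk) if b)
            nonzero += nz
            total += len(chunk)
    entropy = 0.0
    if total:
        for c in counts:
            if c:
                p = c / total
                entropy -= p * math.log2(p)   # Shannon entropy in bits per byte (max 8.0)
    return {"bytes": total, "nonzero": nonzero,
            "first_nonzero": first_nonzero, "entropy": entropy}


def classify(stats):
    """Turn the statistics into a verdict a wipe log can record."""
    if stats["bytes"] == 0:
        return "empty"
    if stats["nonzero"] == 0:
        return "zero-filled"
    if stats["entropy"] > 7.9:
        return "high-entropy (encrypted or random fill)"
    return "residual data present"


def make_sample(kind, size=1 << 20):
    """Constructed test images standing in for a drive: 'zeros', 'random' or 'plaintext'."""
    if kind == "zeros":
        data = bytes(size)
    elif kind == "random":
        data = os.urandom(size)
    else:
        record = b"Patient record 0001: name=EXAMPLE, diagnosis=EXAMPLE\n"  # constructed PHI-like text
        data = (record * (size // len(record) + 1))[:size]
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample("plaintext")
    stats = scan_device(target)
    print(f"{target}: {stats['bytes']} bytes read, {stats['nonzero']} non-zero, "
          f"entropy {stats['entropy']:.3f} bits/byte -> {classify(stats)}")
```

Run it as `python verify_wipe.py /dev/sdX` (or against a `.img` file) after the wipe; for a drive that was crypto-erased and then partitioned, expect the partition table and filesystem metadata to register as a few non-zero bytes near the start, which is why the first non-zero offset is reported rather than just a yes/no.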
 
IMHO encrypting is overkill. Filling the SSD (fully) with any data, encrypted or not, 00 or not, will make the original data unrecoverable.
It's been that way for many years. The problem is legal requirements. In the case of data destruction the laws, which have never been changed that I'm aware, are still based on 25 year old HD technologies. So if you have a statutory requirement, 3 passes - 0's, 1's, and rand you must fulfill that requirement.
 
So if you have a statutory requirement, 3 passes - 0's, 1's, and rand you must fulfill that requirement.

I'm curious if you have any direct examples of such a statutory requirement? I'm not doubting that such exist, but I've never seen this as a matter of general law.

Contract stipulations are a thing of their own, and those are a different kettle of fish.

But you're absolutely correct that if you have a contractual and/or statutory requirement, you must meet it. But for most of us not dealing with any contractual or statutory requirements, a secure erase for SSD or complete zero fill for an HDD is enough (more than enough, really).
 
I'm curious if you have any direct examples of such a statutory requirement? I'm not doubting that such exist, but I've never seen this as a matter of general law.

Contract stipulations are a thing of their own, and those are a different kettle of fish.

But you're absolutely correct that if you have a contractual and/or statutory requirement, you must meet it. But for most of us not dealing with any contractual or statutory requirements, a secure erase for SSD or complete zero fill for an HDD is enough (more than enough, really).

As we all know nothing is clear or simple when the government is concerned. All by design of course. In my book it’s just to give the elected an out when something goes wrong.

Statutory requirements almost never list specific details, such as a number of steps of doing something. Instead they reference certain keywords or a particular standard. Which, of course, is less than descriptive. So let’s look at HIPAA and specifically data destruction.

HIPAA FAQ 575 discusses this.


“ • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

The definitions of the three terms above help define action. But other references are used which need to be included. The next reference is NIST SP 800-88. NIST is THE standards creator for the US Feds. And that doc is the standard for data destruction. There are some other references being made such as to https://disa.mil but a lot of that is behind private walls. Look through SP 800-88 and you’ll see where each term above is referenced with context of the type of media and available techniques. But most important of all is keeping logs.
 
I'm curious if you have any direct examples of such a statutory requirement? I'm not doubting that such exist, but I've never seen this as a matter of general law.

I've always been told/heard that gov/mil spec was three passes but I couldn't quote the code.
 