How to Secure Erase an SSD or HDD Before Selling It or Your PC

InvalidError

Titan
Moderator
One word: Hammer.
If you hammer-erase a HDD or SSD, it becomes kind of difficult to sell or donate.

For normal people, a simple full erase is good enough.

If you are paranoid about security, you should be using full-drive encryption where secure-erasing is as simple as deleting encryption keys. This way, your data is also relatively secure from theft and seizure where you don't get the chance of applying hammer first.
 
If you choose to reset Windows and delete personal files, you can use CCleaner afterwards to wipe all free space; it also allows multiple passes for the paranoid.
Make sure you know what to do with your Windows registration though.
 

Sippincider

Commendable
Apr 21, 2020
If you hammer-erase a HDD or SSD, it becomes kind of difficult to sell or donate.
Replace the drive and reinstall the OS. Storage is too cheap for even normal people to take a non-zero risk of someone getting their data.

But my drive is soldered in, you say? End-of-life the machine and give the drive some physical erasing. New hardware is cheaper than risk.
 
Aug 21, 2022
Why in the name of DOS is everyone still stuck on DBAN? Is it the cute name?
Look up when DBAN was last updated. Maybe, just maybe you want to use something from this side of the 21st century?
Please note: for years, DBAN has recommended for commercial purposes BLANCCO Drive Eraser. Those benefits include support and report generation, useful and necessary for business compliance.

Please see for yourself an excellent open source project: ShredOS, utilizing nwipe, found on GitHub. One of its most useful features is that it can be run headless with no input.
 
Why in the name of DOS is everyone still stuck on DBAN? Is it the cute name?
Look up when DBAN was last updated. Maybe, just maybe you want to use something from this side of the 21st century?
Please note: for years, DBAN has recommended for commercial purposes BLANCCO Drive Eraser. Those benefits include support and report generation, useful and necessary for business compliance.

Please see for yourself an excellent open source project: ShredOS, utilizing nwipe, found on GitHub. One of its most useful features is that it can be run headless with no input.
It's not like deleting sectors has somehow changed; we are still using the same ones and zeros from 70 years ago. It still works and does a good job, and home users don't need business compliance.
Please see for yourself an excellent open source project: ShredOS, utilizing nwipe, found on GitHub. One of its most useful features is that it can be run headless with no input.
Yeah that's a great thing to suggest to beginners, a way to destroy all of their data on all of their disks without them even having to do any input...
This is a fluff piece for noobs not a CIA report for counter espionage.
 

InvalidError

Titan
Moderator
Replace the drive and reinstall the OS. Storage is too cheap for even normal people to take a non-zero risk of someone getting their data.
A simple proper full erase makes the data unrecoverable through conventional means. Nobody is going to spend the tens of thousands of dollars and hundreds of man-hours required for low-level forensic data recovery on a drive purchased from a normal person since the likelihood of recovering anything usable of any value is slim to none.

I'd be 1000X more worried about personal data loss from theft than resold drive.
 

Aaron Priest

Commendable
Sep 21, 2019
The Secure Erase command built into the controller firmware works better than DBAN and Diskpart to ensure all data blocks are erased, and much faster. You can do it with hdparm on Linux, or you can use PartedMagic if you want a nice GUI for it:

https://grok.lsu.edu/article.aspx?articleid=16716

 

thisisaname

Distinguished
Feb 6, 2009
If you hammer-erase a HDD or SSD, it becomes kind of difficult to sell or donate.

For normal people, a simple full erase is good enough.

If you are paranoid about security, you should be using full-drive encryption where secure-erasing is as simple as deleting encryption keys. This way, your data is also relatively secure from theft and seizure where you don't get the chance of applying hammer first.
Does that just slow down a sufficiently motivated adversary?
 

InvalidError

Titan
Moderator
Does that just slow down a sufficiently motivated adversary?
Good enough to keep your data out of the hands of people who don't have access to a forensic lab and hundreds of hours to spend on it.

For HDDs, you need more accurate and sensitive heads to read magnetism with sufficient resolution and accuracy to correctly guess what the previous value may have been, sort sector bits from best to worst signal-to-noise ratio, then attempt every permutation starting with the worst bits until the sector error correction checks out. Rinse and repeat a billion times for a 4TB HDD. For an SSD, it is a similar process, except you need to strip the NAND layer by layer and record individual cell charges using an atomic force microscope or equivalent.

Your grumpy neighborhood long-bearded black-hat hacker is unlikely to have either of those in his basement.

BTW, if your data is top-secret SCI, hammer-erase is not good enough since chip and HDD platter chunks large enough to be identifiable can still be read using an atomic force microscope. You still need to either secure-erase them first to make most individual chunks impossible to solve, or grind them into a fine enough powder that there is very little chance any single piece carries intelligible data.

If you want to be absolutely certain nobody can recover data regardless of the amount of effort they are willing to put into it, you need molecular-scale destruction. For an HDD, you could fill it with salt + hydrogen peroxide to rust the platters off or bring the whole thing to the Curie point at ~400C. NAND chips also self-erase in a similar way at ~600C.
 

techfreak

Distinguished
Jun 11, 2006
The article is helpful, but it could be improved, as there is a misleading claim that the clean all command will only take a few minutes.
"Enter clean all. After several seconds or perhaps a few minutes, you will see a message telling you that the process has completed. "
Only the clean command is instant, since it isn't a zero fill; clean all, even for an SSD, will take some time or hours depending on the capacity.
SSD-wise, the recommendation is to use the manufacturer's SSD toolbox; if there is no such software, then you have to use the motherboard's secure erase.
I only know that Gigabyte motherboards don't have an SSD secure erase feature in the BIOS, so you have to either use the SSD toolbox or Diskpart.
Hard-disk-wise, I will not recommend using DBAN, as the risk of hard disk failure will be very high, so for a hard disk just use Diskpart clean all.
Let clean all zero-fill the hard disk and check for any bad sectors during the process, rather than using DBAN.
 
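A check to go with the zero-fill route described in the post above (diskpart clean all, or dd if=/dev/zero / a single nwipe zero pass on Linux). This is an added example, not code from the thread, from diskpart or from nwipe: it reads the device back sequentially and reports the first byte that is not zero, which is how you find out that an overwrite stopped short (read error, a tool that quit early, or a region the host could not see). The device path is an assumption; the self-test at the bottom uses constructed image files instead of a real disk, one of them with an NTFS boot-sector signature planted to mimic a partial wipe.

```python
"""Verify that an overwrite-style wipe reached every readable sector.

Added example (not code from the thread, from diskpart or from nwipe).
After `diskpart clean all`, `dd if=/dev/zero of=/dev/sdX`, or a single
zero pass in nwipe, read the device back and report the first byte that
is not zero.  Usage on a real device, as root (or on Windows from an
Administrator prompt with raw access):
    verify_wipe("/dev/sdX")            # assumed device path
    verify_wipe(r"\\\\.\\PhysicalDrive1")  # Windows raw-disk path
The self-test below uses constructed image files instead of a disk.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: few syscalls, still fits comfortably in RAM


def verify_wipe(path, chunk=CHUNK):
    """Scan `path` sequentially.

    Returns (all_zero, first_nonzero_offset, bytes_scanned).  The scan
    stops at the first non-zero chunk, so a multi-TB drive with leftover
    data near the start is reported immediately rather than after hours.
    """
    zero = bytes(chunk)
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:                      # clean EOF: everything was zero
                return True, None, offset
            if buf != zero[: len(buf)]:
                idx = next(i for i, b in enumerate(buf) if b)
                return False, offset + idx, offset + len(buf)
            offset += len(buf)


def make_image(size, leak_at=None):
    """Constructed sample: a sparse all-zero image, optionally with an
    NTFS boot-sector signature left at `leak_at` to mimic a short wipe."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "r+b") as f:
        f.truncate(size)                     # sparse file reads back as zeros
        if leak_at is not None:
            f.seek(leak_at)
            f.write(b"\xeb\x52\x90NTFS    ")  # jump + OEM ID of an NTFS VBR
    return path


if __name__ == "__main__":
    clean = make_image(2 * CHUNK + 4096)
    dirty = make_image(3 * CHUNK + 4096, leak_at=2 * CHUNK + 512)
    print("clean image:", verify_wipe(clean))   # (True, None, 2101248)
    print("dirty image:", verify_wipe(dirty))   # (False, 2097664, 3145728)
    os.unlink(clean)
    os.unlink(dirty)
```

Two caveats on what a clean result proves. It only covers sectors the host can address: a Host Protected Area, a DCO-limited drive or a reallocated (G-list) sector is never read here, which is the gap the firmware Secure Erase discussed later in the thread closes. And on an SSD whose firmware returns zeros for trimmed or unmapped blocks, the read-back can come out all-zero whether or not the NAND was actually erased, so for SSDs this check confirms the overwrite was issued, not that the flash is clean.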

InvalidError

Titan
Moderator
SSD wise recommend is to use the manufacturer SSD tool box, unless there are no such software than have to use the motherboard secure erase.
Yup, using the SSD's full-erase function is best. With NAND that supports chip-erase, all the controller needs to do is spam the chip-erase function as fast as its power budget allows it to and absolutely all data is gone beyond practical data recovery within seconds at the expense of only one erase cycle. No worries about data hidden in over-provisioning blocks.
 

edzieba

Honorable
Jul 13, 2016
How to Securely Erase Your SSD with Windows Diskpart
Diskpart erases no files. It will remove the partition table (hence the name, from DISK PARTitioning tool) but merely cleaning the partition table does not delete any data.
Whether the data remaining is left readable by a host machine or merely by a NAND transplant is dependent on how the SSD controller is designed. But that data has not been erased.
The Secure Erase command built into the controller firmware works better than DBAN and Diskpart to ensure all data blocks are erased, and much faster. You can do it with hdparm on Linux, or you can use PartedMagic if you want a nice GUI for it:

https://grok.lsu.edu/article.aspx?articleid=16716

Bingo! And the ATA Secure Erase command beats DBAN up and down the street in terms of data remanence on HDDs, as it also clears blocks in the G-list which DBAN cannot access. Faster too, as the only bottleneck is controller-to-head bandwidth, the host interface is not involved. Secure Erase is also the best option for SSDs: for those with all-block encryption then it wipes the encryption key store and renders all data permanently inaccessible without any additional block wear.

If you want to securely erase a HDD or SSD, your first option is the Secure Erase command, and your second option is a lump-hammer. No other software options are ever worth bothering with, you're just making more work for yourself.
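For the hdparm route that Aaron Priest and edzieba recommend above, here is an added example (not from the thread, not part of hdparm, and not the LSU article linked above) that handles the part people trip over: before issuing the erase, parse the Security section of hdparm -I and refuse if the drive is frozen by the BIOS, already has a password set, or lacks the feature set, then emit the exact command pair, preferring ENHANCED SECURITY ERASE UNIT when the drive offers it (that is the variant that also covers reallocated sectors). The device name /dev/sdb and the hdparm -I captures are constructed; the password is a throwaway, since a successful erase disables security again (NULL is the usual choice).

```python
"""Decide whether an ATA drive is ready for a firmware Secure Erase.

Added example, not code from the thread or from hdparm.  It parses the
"Security:" section printed by `hdparm -I /dev/sdX` and returns the
command sequence to run, or the reason the drive is not ready.
On a real machine:
    import subprocess
    out = subprocess.check_output(["hdparm", "-I", "/dev/sdb"], text=True)
    print(plan_secure_erase(out, "/dev/sdb"))
The samples below are constructed captures, not real drive output.
"""
import re
import shlex

# Constructed: the Security block of a drive that is ready to erase.
SAMPLE_READY = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# Constructed: same drive after the BIOS issued SECURITY FREEZE LOCK.
SAMPLE_FROZEN = SAMPLE_READY.replace("\tnot\tfrozen", "\t\tfrozen")


def parse_security(hdparm_output):
    """Return the ATA Security flags from `hdparm -I` output as a dict."""
    lines = hdparm_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "Security:")
    except StopIteration:
        raise ValueError("no Security: section (not an ATA device, or hdparm -I failed)")
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced": False,
             "erase_min": None, "enhanced_min": None}
    for raw in lines[start + 1:]:
        if not raw.startswith(("\t", " ")):      # next top-level section
            break
        line = " ".join(raw.split())             # collapse hdparm's tab layout
        if line == "supported":
            flags["supported"] = True
        elif line in ("enabled", "locked", "frozen"):  # "not enabled" etc. fall through
            flags[line] = True
        elif line == "supported: enhanced erase":
            flags["enhanced"] = True
        else:
            m = re.search(r"(\d+)min for SECURITY ERASE UNIT", line)
            if m:
                flags["erase_min"] = int(m.group(1))
            m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", line)
            if m:
                flags["enhanced_min"] = int(m.group(1))
    return flags


def plan_secure_erase(hdparm_output, device, password="NULL"):
    """Return {"mode", "expected_minutes", "commands"} or raise with the blocker."""
    f = parse_security(hdparm_output)
    if not f["supported"]:
        raise RuntimeError("drive does not implement the ATA Security feature set")
    if f["frozen"]:
        raise RuntimeError("drive is frozen by the BIOS/UEFI: suspend and resume "
                           "(or hot-plug the drive), then re-check hdparm -I")
    if f["enabled"] or f["locked"]:
        raise RuntimeError("a security password is already set; unlock/disable it first")
    enhanced = f["enhanced"]
    erase_flag = "--security-erase-enhanced" if enhanced else "--security-erase"
    dev = shlex.quote(device)
    return {
        "mode": "enhanced" if enhanced else "normal",
        "expected_minutes": f["enhanced_min"] if enhanced else f["erase_min"],
        "commands": [
            f"hdparm --user-master u --security-set-pass {password} {dev}",
            f"hdparm --user-master u {erase_flag} {password} {dev}",
            f"hdparm -I {dev}",   # afterwards Security must read "not enabled" again
        ],
    }


def blocker(hdparm_output, device):
    """The reason the erase cannot proceed, or None when it can."""
    try:
        plan_secure_erase(hdparm_output, device)
    except (RuntimeError, ValueError) as e:
        return str(e)
    return None


if __name__ == "__main__":
    for label, sample in (("ready", SAMPLE_READY), ("frozen", SAMPLE_FROZEN)):
        why = blocker(sample, "/dev/sdb")
        print(label, "->", why or plan_secure_erase(sample, "/dev/sdb")["commands"])
```

Run it against a drive attached directly to a SATA port: most USB-to-SATA bridges do not pass ATA security commands through, so hdparm -I shows no usable Security section over USB. The minutes hdparm reports are the drive's own estimate and are often a placeholder; do not power the drive off while the erase is running, since a drive interrupted mid-erase can stay locked with the password you set.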
 
Aug 22, 2022
"Sufficiently motivated"

There are 2 levels:
  1. NSA/CIA/FBI/GCHQ/FSB
  2. Everyone else.
Unless you are a target of those in #1, no one cares.
If you ARE a target of #1, Hammer Erase is the only thing that works.
Strongly disagree: there are plenty of gray areas in-between, proportional with one's bank account size, celebrity, office held, profession (e.g. journalists protecting sources), etc.
 

The Net Avenger

Distinguished
Sep 12, 2014
If you're selling your PC or storage drive, you need to wipe it so well that the next person can't recover your data.

How to Secure Erase an SSD or HDD Before Selling It or Your PC : Read more
A tip for Windows users: you can simply enable device encryption. This will encrypt the entire drive, and an OS reset or format of the drive later will be secure.


If running Pro/Enterprise - Windows users can also turn on Bitlocker for specific drives, just be sure to select 'Whole Disk' - so that unused space is also encrypted and overwritten. Then when you reset or format/delete your content - nobody will ever be able to recover the information.


Microsoft's device encryption and BitLocker work better than traditional methods of overwriting data on the drive with random 1s/0s, as cell testing on SSDs and magnetic variance testing on HDDs can be used to recover sub-layers of data. Device encryption/BitLocker takes these advanced recovery methods into consideration when encrypting the drive, so even electrical forensics will not be able to see older unencrypted states of the cells or the platters.

(Surprisingly, these low-level/electrical-level recovery methods work better than people would assume and often can negate random overwrites - especially if they use a common language seed randomizer - and even if they don't.)
 

InvalidError

Titan
Moderator
Strongly disagree: there are plenty of gray areas in-between, proportional with one's bank account size, celebrity, office held, profession (e.g. journalists protecting sources), etc.
Regardless of who you are, attempting to recover data from a properly erased HDD or SSD is far too expensive and time-consuming for even the most consummate crooks. The only people who can afford to waste tens, possibly hundreds of thousands of dollars attempting to recover data from an erased storage device with no guarantee of having a penny to show for their trouble are national security agencies.

The NSA, FBI, etc. will attempt to seize your actively-in-use devices long before attempting to do deep data recovery on erased ones to see whether they can get what they need without the trouble.
 
Aug 22, 2022
I am disappointed to see the voodoo about "overwriting multiple times with random data" for HDDs.

No one has ever demonstrated, not even once, not even under controlled conditions to make it as easy as possible, the ability to get any data from a drive overwritten with all 0s.

Call up a data recovery company and say "someone overwrote the drive, but don't worry, they only did it once and with all zeroes." They will tell you there is nothing to be done, not for any amount of money.



If you're selling your PC or storage drive, you need to wipe it so well that the next person can't recover your data.

How to Secure Erase an SSD or HDD Before Selling It or Your PC : Read more
 
Aug 22, 2022
I'm glad the article has now been updated to remove some of the glaring inaccuracies. Some further points.
  • If you have enabled Device encryption / bitlocker (which on a laptop you really should), the data will be unrecoverable even without needing to wipe it.
  • Doing multiple passes on modern drives is unnecessary. See https://www.wipedrive.com/white-papers/are-multiple-passes-necessary/. Note that even the DoD no longer uses DoD 5220.22-M and instead uses the standard NIST 800-88, which states "A single write pass should suffice to Purge the media". Doing a single pass will be much quicker.
  • Doing diskpart clean all on an SSD is OK as a once-off but will reduce the lifespan so shouldn't be done regularly. I assume it will also leave every cell in a written state, decreasing performance, as compared to the internal secure erase which leaves all cells in an unwritten state.
 
Aug 22, 2022
Does that just slow down a sufficiently motivated adversary?
No one is breaking AES full disk encryption.

A number of businesses have a policy that nothing with any business data can be sent elsewhere, not even returned to the manufacturer. It all goes to the shredder. This may or may not be overkill but when you are doing something at scale it's too much expensive manpower to do anything else.
 
