Is Secure Erase enough for SSD?

With the rise in popularity of solid state drives (SSDs), many computer users wonder if the standard method of erasing traditional hard disk drives—Secure Erase—is sufficient for permanently deleting data from an SSD. Secure Erase utilizes the drive’s native erase functions to reset all data back to factory settings. While this works well for traditional mechanical hard drives, the different architecture and operation of SSDs requires a deeper look at whether Secure Erase provides adequate data sanitization for SSDs.

In this article, we will examine the challenges of erasing data from NAND flash memory, take a closer look at how Secure Erase works, analyze if it can guarantee permanent data deletion on SSDs, and explore other methods that provide verifiable data erasure. A definitive answer depends on a variety of factors from the design of the SSD controller to the wear state of NAND flash cells. We will cover the key considerations and latest research to help you make an informed decision on Secure Erase versus other data destruction methods when an SSD reaches end-of-life.

How NAND Flash Memory Works in SSDs

Before analyzing the effectiveness of Secure Erase specifically on SSDs, it is helpful to understand the basics of how NAND flash memory works and where potential data retention issues can occur.

NAND Logic Gates

The NAND flash memory cells that make up an SSD’s storage are transistors with added floating gate electrodes. These floating gates can hold an electrical charge, which allows each cell to store one or more bits of data based on the charge level. The cell design is known as NAND flash because transistors are connected in series resembling a NAND logic gate.

Write Operations

To write data to a NAND flash cell, voltages are applied to the control gate and data inputs to inject electrons into the floating gate electrode until the desired charge level is reached. This increases the cell’s threshold voltage (VT) to represent a bit value of 1. An uncharged cell with lower VT represents a 0 bit value.

Read Operations

During reads, the control gate voltage is varied while monitoring the transistor channel current to determine if the VT is above or below the threshold for a 1 or 0 value. The SSD controller maps voltage ranges to the appropriate bit values.

Erasing Data

Resetting cells back to the erased state requires removing electrons from the floating gate. This is accomplished by quantum tunneling induced by applying a high positive voltage to the semiconductor substrate while grounding the control gate.

Why Securely Erasing SSDs is Challenging

Due to the physics involved in programming and erasing NAND flash cells, secure data deletion on SSDs can be more complicated than traditional hard disk drives. Some of the reasons are outlined below.

Wear Leveling

To evenly distribute write/erase cycles across all NAND cells and prevent premature cell wearing out, SSD controllers employ wear leveling algorithms that move data around between blocks. This means logically sequential data gets fragmented physically across the drive over time. Wear leveling can potentially leave data residue from invalid pages scattered in unused blocks rather than erasing them immediately.

Garbage Collection

Closely tied to wear leveling is garbage collection, which consolidates data to free up blocks for reuse. The process copies valid data to new blocks before erasing old blocks. Until the old blocks are processed by garbage collection, they still contain viable user data. This can delay secure erasure.

Over-provisioning

SSDs reserve extra spare NAND capacity as over-provisioning space to operate efficiently. Over-provisioning is not visible to the host, so data in these areas is not erased during standard delete operations. A secure erase utility may not touch over-provisioned areas.

Page Corruption

Due to the physics of NAND charge loss/gain over time, pages can develop bit errors leading to data corruption. The SSD controller may be unable to read those pages, preventing data erasure by software utilities.

TRIM Functionality

The TRIM command informs SSDs which pages contain deleted data. This allows garbage collection to target those pages first. If TRIM is not enabled, the pages may be inaccessible to erasure until a future rewrite.

Encryption

On self-encrypting SSDs, the controller encrypts writes and decrypts reads using an internal encryption key. Erasing this key can render data unrecoverable, but controllers may retain a copy preventing permanent destruction.

How Does Secure Erase Work?

Now that we understand some of the challenges with NAND flash data deletion, how does the standard Secure Erase process attempt to address them?

ATA Secure Erase

The Secure Erase protocol was standardized in the ATA specification for SATA hard drives and SSDs. The host issues a SECURITY ERASE UNIT command along with the drive's security password as the access credential. Circuitry on the drive then executes the erase procedure internally (cryptographic erase or block erase, as described below) to reset all user data areas to an initialized state.

Cryptographic Erase

For self-encrypting SSDs, a cryptographic erase can be performed by deleting the encryption key. The encrypted user data becomes irretrievable without the key. This instantly renders all data unreadable but does not physically erase it.

Block Erase

Unsupported or non-compliant SSDs may implement Secure Erase using a simpler block erase command built into NAND flash. This applies an erase voltage to the entire chip or planes within the chip to reset all cell charge levels.

Controller Initiated

The SSD controller receives the erase command and manages the internal process based on knowledge of data locations from the flash translation layer (FTL) mapping. The extent to which the controller erases data in reserved over-provisioning areas can vary.

Reset to Factory State

By design, a complete Secure Erase should return the SSD to close to factory state with all user data removed. But as we will explore next, that is not always guaranteed.
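The ATA procedure described in this section is usually driven from Linux with hdparm: inspect the drive's security state with `hdparm -I`, set a temporary user password, issue the (enhanced) security erase, and re-inspect. The following is an added example, not code from the article. It parses the "Security" section of `hdparm -I` output (the sample text is constructed to mirror hdparm's layout), refuses to proceed when the drive is frozen or locked, and returns the command sequence to run; the device path `/dev/sdX` and the password `PasSWorD` are placeholders.

```python
"""Decide whether an ATA SECURITY ERASE UNIT can be issued, from `hdparm -I` output.

Added example (not from the article). The Security section below is a
constructed sample laid out the way hdparm prints it; obtain the real one
with `hdparm -I /dev/sdX` (as root).
"""
import re

# Constructed sample: drive supports the Security feature set and enhanced
# erase, security is not enabled, but the BIOS has frozen the drive.
SAMPLE_HDPARM_SECURITY = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.
"""


def parse_security_section(text):
    """Return the security flags and the drive's erase time estimates (minutes)."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    times = {}
    in_section = False
    for raw in text.splitlines():
        if raw.startswith("Security"):
            in_section = True
            continue
        if in_section and raw and not raw[0].isspace():
            break                      # reached the next top-level section
        if not in_section:
            continue
        line = raw.strip()
        negated = line.startswith("not")   # hdparm prints "not<TAB>enabled" etc.
        if negated:
            line = line[3:].strip()
        if line == "supported":
            flags["supported"] = not negated
        elif line == "enabled":
            flags["enabled"] = not negated
        elif line == "locked":
            flags["locked"] = not negated
        elif line == "frozen":
            flags["frozen"] = not negated
        elif line.startswith("supported: enhanced erase"):
            flags["enhanced_erase"] = not negated
        for mins, kind in re.findall(
                r"(\d+)min for (ENHANCED SECURITY ERASE UNIT|SECURITY ERASE UNIT)", line):
            times[kind] = int(mins)
    flags["erase_minutes"] = times
    return flags


def erase_plan(flags, device="/dev/sdX", password="PasSWorD"):
    """Return (ok, commands) or (False, reason) based on the parsed flags."""
    if not flags["supported"]:
        return False, "drive does not implement the ATA Security feature set"
    if flags["frozen"]:
        return False, ("drive is frozen by the BIOS; suspend/resume or hot-plug "
                       "the drive to clear the frozen state, then re-check")
    if flags["locked"]:
        return False, "drive is locked; unlock it with the existing user password first"
    # Enhanced erase also covers reallocated/reserved sectors where supported.
    mode = "--security-erase-enhanced" if flags["enhanced_erase"] else "--security-erase"
    cmds = []
    if not flags["enabled"]:
        cmds.append(f"hdparm --user-master u --security-set-pass {password} {device}")
    cmds.append(f"hdparm --user-master u {mode} {password} {device}")
    cmds.append(f"hdparm -I {device}")   # afterwards: security should read 'not enabled' again
    return True, cmds


if __name__ == "__main__":
    ok, result = erase_plan(parse_security_section(SAMPLE_HDPARM_SECURITY))
    print("ready:", ok)
    print(result if not ok else "\n".join(result))
```

The planner deliberately stops on the frozen state because the drive silently rejects SECURITY ERASE UNIT while frozen; the final `hdparm -I` is the minimal post-check, since a completed erase clears the user password and the drive reports security as "not enabled" again. Expected completion times from the output are surfaced so an operator can tell a stalled erase from a slow one.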

Can Data Remain After Secure Erase?

Secure Erase aims to provide effective data clearing on SSDs but researchers have uncovered scenarios where it falls short of a full data wipe. These cases illustrate the difficulty of achieving definitive erasure on NAND flash.

Erasing Over-provisioning

Any over-provisioned areas excluded from the mapping tables may avoid erasure during Secure Erase. One study found unerased data in 1.4% of over-provisioned space on multiple tested drives.

Incomplete Block Erase

If the voltage or duration of a block erase operation is insufficient, floating gate charge levels may only drop partially. Enough residual charge could remain to reconstruct data.

Damaged NAND Cells

Unresponsive or damaged NAND cells with extremely slow charge leakage may retain data for extended periods or indefinitely. These cells resist erasure through standard block erase cycling.

Data Recovery Attacks

Researchers have demonstrated the ability to retrieve data on a Secure Erased SSD by analyzing physical characteristics of the NAND charge levels or exploiting firmware vulnerabilities.

Encryption Key Persistence

Self-encrypting SSD controllers may retain an internal copy of the encryption key after a cryptographic erase, which preserves a path to decrypt the data.

Wear Level Data Movement

Wear leveling never stops, so previously erased pages can be recharged with new data, while their outdated data gets relocated prior to erasure. Data persistence may increase with SSD age.

Is Secure Erase Sufficient for SSD Sanitization?

Based on what we have examined regarding NAND flash erasure challenges and holes found in Secure Erase efficacy, can the standard method provide adequate data clearing for SSD sanitization? Here are guidelines to consider:

Match Data Sensitivity

The level of overwriting acceptable depends on the sensitivity of data involved. Secure Erase mitigates much risk for low-moderate security data, but greater assurance may be needed for highly confidential data.

Complement With Encryption

Combining whole disk encryption with Secure Erase significantly raises the difficulty of extracting any data remnants. This may meet data deletion regulations for many use cases.

Verify Erasing Over-Provisioning

Check that the SSD properly erases all over-provisioned areas outside of user visibility and control. If they remain untouched, sensitive data in these regions has higher recovery potential.

Perform Multiple Overwrite Passes

Executing Secure Erase commands in succession induces further charge dissipation and remapping to reduce chances of forensic data reconstruction.

Utilize Purge Firmware Commands

Check for any manufacturer-specific extended or enhanced erase features that purge reserve areas and provide verification. These tend to offer more thorough data clearing than standard Secure Erase.

Other Methods to Erase SSDs

For maximum data destruction assurance with SSDs, alternatives to standard Secure Erase warrant consideration:

Cryptographic ATA Secure Erase

This enhanced version in the ATA-8 specification cryptographically erases all disk content encryption keys. Without the keys, stored encrypted data cannot be decrypted even if recovered.

NIST Purge

NIST Special Publication 800-88 Rev. 1 guidelines define the Purge process for cryptographic and solid state drives. It provides steps for sanitizing encryption keys, remapping storage, and verifying erasure.
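Both the "Verify Erasing Over-Provisioning" guideline above and the NIST Purge verification step call for checking the drive after the erase rather than trusting the command's return status. The following is an added example, not code from the article or from NIST. It samples sectors across the host-visible LBA range (or scans all of them) and reports any that do not read back as an erased pattern; it reads through `os.pread`, so the same function works on a block device run as root or on a disk image. Note the limit the article itself states: over-provisioned space is not visible to the host, so a host-side readback can only verify the user-addressable range. The image used in the demo is constructed, with a single sector of leftover data at LBA 1234.

```python
"""Post-erase verification by sector sampling (added example, not from the article).

Reads sectors from a block device or image and returns the LBAs that are not
in an erased state. Only the host-visible LBA range can be checked this way.
"""
import os
import random
import tempfile

SECTOR = 512
# Erased flash may be presented by the controller as all-zero or all-0xFF sectors.
ERASED_PATTERNS = (b"\x00" * SECTOR, b"\xff" * SECTOR)


def sample_sectors(path, samples=1000, seed=0):
    """Return the sorted LBAs whose contents are not an erased pattern.

    samples=None scans every sector; otherwise `samples` uniformly random
    sectors plus the first and last sector are read (seeded for repeatability).
    """
    rng = random.Random(seed)
    fd = os.open(path, os.O_RDONLY)
    try:
        total = os.lseek(fd, 0, os.SEEK_END) // SECTOR   # works for files and block devices
        if samples is None:
            lbas = range(total)
        else:
            lbas = sorted({0, total - 1} | {rng.randrange(total) for _ in range(samples)})
        dirty = []
        for lba in lbas:
            data = os.pread(fd, SECTOR, lba * SECTOR)
            if data not in ERASED_PATTERNS:
                dirty.append(lba)
        return dirty
    finally:
        os.close(fd)


def make_test_image(total_sectors=4096, dirty_lba=1234):
    """Constructed image: all zeros except one sector holding leftover 'user data'."""
    fd, path = tempfile.mkstemp(suffix=".img")
    leftover = b"leftover user data"
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * (total_sectors * SECTOR))
        f.seek(dirty_lba * SECTOR)
        f.write(leftover + b"\x00" * (SECTOR - len(leftover)))
    return path


def scan_image_demo():
    """Build the constructed image, scan every sector, delete the file, and
    return the non-erased LBAs (expected: [1234])."""
    path = make_test_image()
    try:
        return sample_sectors(path, samples=None)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # For a real drive: sample_sectors("/dev/sdX", samples=100000) as root.
    print("non-erased LBAs in constructed image:", scan_image_demo())
```

Random sampling gives a quick statistical check suitable for large drives; a full scan (`samples=None`) is the stronger verification when time permits. Any non-empty result after a Secure Erase is a reason to treat the erase as failed and escalate to cryptographic erase or physical destruction per the article's table.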

Degaussing

Exposing SSD circuitry to strong magnetic fields realigns floating gate electrons and erases charge levels. Degaussing is effective for physical data removal without software dependence.

Destruction

Physical destruction via shredding, crushing, or incinerating SSD chips represents final fail-safe data eradication. It is warranted when regulatory requirements dictate definitive unrecoverable erasure.

Firmware Based Block Erase

Checking for and utilizing firmware or tool commands that perform repeated, localized erase cycles on each block can help purge persistent data in problematic cells.

Conclusion

Standard Secure Erase offers a baseline SSD sanitization method that may sufficiently erase data for many consumer and business scenarios. However, researchers and experts have demonstrated that more sophisticated techniques involving encryption key scrubbing, controller command extensions, physical erasure, destruction, or their combination can provide higher confidence in rendering all SSD data unrecoverable.

The optimal approach depends on your specific data security requirements. With proper auditing and verification procedures, Secure Erase alone can be justified for low-moderate risk data, while highly confidential data merits additional overwrite cycles and cryptographic erasure safeguards. As SSD technology continues advancing, best practices will evolve to ensure deleted data on NAND flash stays deleted.

| Data Security Level | Recommended Erase Method |
|---|---|
| Low | ATA Secure Erase |
| Moderate | ATA Secure Erase with multiple passes |
| High | Cryptographic ATA Secure Erase + NIST Purge Verification |
| Maximum | Physical Destruction via Degaussing, Shredding, or Incineration |