Why is there no secure erase on SSD?

Solid state drives (SSDs) have become increasingly popular in personal computers and data centers due to their faster speeds and lower power consumption compared to traditional hard disk drives (HDDs). However, one key feature that is missing from SSDs is the ability to securely erase data.

What is secure erase?

Secure erase is a feature available on HDDs that allows the drive to completely delete all data on it by overwriting the drive with random bit patterns. This makes it extremely difficult to recover any residual data left on the drive using forensic data recovery techniques.

Secure erase adheres to standards set by organizations like the US Department of Defense (DoD 5220.22-M) to sanitize storage media. By writing over all addressable locations with random data patterns multiple times, secure erase aims to prevent unauthorized recovery of deleted files and make previously stored data unrecoverable.

Why don’t SSDs support secure erase?

There are a few key technical reasons why secure erase capabilities are not currently available on SSDs:

  • SSD architecture – Unlike HDDs, SSDs use flash memory chips to store data instead of magnetic platters. The way data is written, read and erased on flash memory makes it challenging to implement a secure erase scheme.
  • Wear leveling – To extend the lifespan of SSDs, wear leveling algorithms are used to evenly distribute writes across all flash memory cells. This results in data being moved around without the user’s knowledge, making it difficult to locate and overwrite specific data.
  • Garbage collection – SSDs perform garbage collection to reclaim unused pages and blocks. This will essentially “rewrite” user data to different locations without informing the operating system, again making secure erases problematic.
  • Extra over-provisioning space – SSDs have extra spare capacity that is hidden from the user and contains stale data for the drive to use internally. Securely erasing this space is not feasible.
  • TRIM command – The TRIM command tells an SSD which blocks of data are no longer in use and can be erased internally. But TRIM does not guarantee secure deletion or make previously deleted data unrecoverable.

These types of operations are unique to the technical constraints of NAND flash storage and make it challenging for SSDs to support the same type of secure erase capability as traditional HDDs.

Does deleting files or formatting the drive securely erase an SSD?

No, the normal delete and format functions of an operating system are not considered secure erase methods for SSDs. Here’s why:

  • Deleting files or formatting the drive using the OS does not overwrite data – It simply removes pointers to the files or resets the file system.
  • Data remains in place until new content overwrites it – Any data that has not been overwritten can still be recovered using forensic tools.
  • The OS has limited visibility into the internal operations of the SSD – It cannot access or overwrite data held in spare area or blocks used internally.
  • TRIM merely flags data as eligible for erasure – The SSD decides if and when to actually erase those blocks as part of garbage collection.

So regular delete and format procedures do not rise to the data sanitization levels achieved by a secure erase on HDDs. Important deleted files or forensic artifacts could still be recoverable from an SSD even after an OS delete or format.

Is there any way to securely erase an SSD?

While SSDs do not have an internal secure erase command, there are some third-party tools and techniques that attempt to simulate a secure erase on NAND flash memory:

  • Block erase tools – These issue the SSD’s internal block erase command to overwrite blocks of flash memory with zeroes. But they may not reach all user data.
  • Encryption erase – The SSD’s encryption key is deleted, rendering all data inaccessible. But the data still physically exists.
  • Overwriting with random data – Software can try writing random bit patterns to the entire SSD several times over. But wear leveling effects and spare area may leave some old data intact.
  • Deletion of mapping table – The flash translation layer (FTL) mapping table maps logical block addresses to physical blocks. Erasing this table renders data unreadable but it still resides in the flash cells.

These techniques provide more data sanitization than a simple file delete or format in the OS, but they still may not achieve the same level of data erasure seen in HDD secure erase standards.
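
The effect described in the wear-leveling, TRIM and overwrite bullets above can be reproduced with a small model. This is an added example, not code from the original article: `ToyFTL`, its page-granular garbage collection and the 8 logical + 4 spare page layout are constructed assumptions, not any vendor's firmware.

```python
class ToyFTL:
    """Constructed toy flash translation layer; not any vendor's firmware."""
    def __init__(self, logical, spare):
        self.logical = logical
        self.flash = [None] * (logical + spare)  # physical pages, spare included
        self.l2p = {}                            # logical address -> physical page
        self.free = list(range(len(self.flash)))

    def write(self, lba, data):
        # NAND cannot be rewritten in place: every write goes to a fresh page.
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.flash[page] = data
        self.l2p[lba] = page  # the previous page is now stale but still holds data

    def trim(self, lba):
        self.l2p.pop(lba, None)  # only unmaps; erasure waits for garbage collection

    def read(self, lba):
        page = self.l2p.get(lba)
        return None if page is None else self.flash[page]

    def _garbage_collect(self):
        live = set(self.l2p.values())
        for page, data in enumerate(self.flash):  # per page; real NAND erases blocks
            if page not in live and data is not None:
                self.flash[page] = None
                self.free.append(page)

def run(scenario):
    """Return (what the host reads, unmapped pages still holding the secret)."""
    ftl = ToyFTL(logical=8, spare=4)
    for lba in range(8):
        ftl.write(lba, b"SECRET-%d" % lba)  # constructed sample data
    for lba in range(8):
        if scenario == "overwrite":
            ftl.write(lba, bytes(8))  # one full pass over every host-visible LBA
        else:
            ftl.trim(lba)             # what delete/format plus TRIM amounts to
    live = set(ftl.l2p.values())
    residue = [p for p, d in enumerate(ftl.flash)
               if d is not None and b"SECRET" in d and p not in live]
    return [ftl.read(lba) for lba in range(8)], residue

if __name__ == "__main__":
    for name in ("overwrite", "trim"):
        print(name, *run(name))
```

In this model the host reads back only zeroes (or nothing) in both cases, while a raw read of the flash pages still finds four of the eight original pages after one overwrite pass and all eight after TRIM alone.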

Other methods to retire SSDs securely

To fully sanitize an SSD and prevent any possible data recovery, more drastic physical measures can be taken:

  • Destroying or shredding the SSD
  • Exposing the NAND flash chips to extreme heat, cold or electric charge to damage the cells
  • De-soldering and removing the flash memory chips

Physically destroying the SSD ensures no data can ever be recovered from that particular drive again. But this is obviously impractical for safely recycling most retired SSDs.

Is Secure Erase Important for SSDs?

Secure erase became an important feature for HDDs to completely remove sensitive data before disposing of or reusing a hard drive. But the value of secure erase for SSDs is under more debate for a few reasons:

  • No technical standard – There is no agreed-upon method to securely erase SSDs, unlike HDDs, where standards like DoD 5220.22-M cover secure erase on magnetic media.
  • Wear limits – Unnecessarily writing to the entire SSD with random data to simulate secure erase adds write cycles and wears the device.
  • Less residual risk – SSDs inherently have less recoverable residual data risk than HDDs after a standard delete due to higher density NAND flash memory.

The lack of a defined standard, wear concerns and relatively low residual risk have led SSD vendors to deprioritize implementing a proper secure erase technique. The cost and complexity of overwriting the entire high-density NAND flash memory are often seen as unnecessary.

Should You Use Software to “Secure Erase” an SSD?

Trying to erase your SSD with software is unlikely to make data recovery completely impossible. But it may still provide some benefit in certain cases if done correctly.

Block erase utilities or overwriting the disk with random data several times could still help sanitize recoverable deleted files and forensic artifacts that were not already overwritten through normal SSD garbage collection. This reduces the chances of recovering sensitive data like financial records or passwords with specialist tools.

However, you must verify that the software’s process fully overwrote the entire drive and did not just target the user addressable space. Confirm the tool actually issued TRIM commands and ATA secure erase commands to SSD areas not visible to the OS.

If you need cryptographic levels of data destruction though, physical SSD destruction is the most foolproof option.

The limitations of software secure erase tools should be weighed against the lifespan lost to unnecessary writes if the threat model does not warrant them. Standard delete or encryption may provide a sufficient practical level of sanitization in many consumer use cases.

SSD Secure Erase – Standards and Research

With the rise of SSD adoption, regulators, security researchers and standards bodies have looked closer at sanitize and secure erase techniques for NAND flash memory:

  • NIST Special Publication 800-88 – Updated guidelines on media sanitization from the US National Institute of Standards and Technology now include guidance for purging data from SSDs.
  • TCG Opal – The Trusted Computing Group standards for self-encrypting drives include cryptographic erase capabilities. But this requires compatible SSDs and OS support.
  • ISO/IEC 19944 – The ISO standard for SSD data integrity during media sanitization is still under development. But it aims to define verifiable SSD erase methodologies.
  • Academic research – Studies have demonstrated data recovery risks from SSDs and evaluated techniques from simple erases to destruction methods. But research is still ongoing into optimal algorithms and processes.

While standards bodies have not yet codified a definitive secure SSD erase specification, refinements to best practices are ongoing. Regulators recommend balancing data security needs with unnecessary write cycles when considering secure erase techniques for SSDs.

Conclusions

In summary, key reasons secure erase capabilities are not currently feasible for SSDs include:

  • The emerging standards and research have not yet produced an agreed-upon method for securely erasing SSDs, unlike legacy HDD standards.
  • Technical constraints like wear leveling make it difficult to reliably overwrite or locate all prior user data.
  • The higher density of SSDs amplifies the drive wear impact of unnecessary writes required by traditional secure erase algorithms.
  • Regulators acknowledge SSDs pose less inherent residual data risk than HDDs after a standard delete or format.

While software tools exist claiming to simulate secure erase on SSDs, they may be unable to reach all internal storage areas. Physically destroying the drive is the only fully reliable data destruction method.

In the future, native SSD secure erase commands tailored to NAND flash memory properties may emerge. But vendors currently prioritize other features given the lack of agreed-upon standards. Users should assess their specific risks and sanitization requirements when retiring SSD storage.