Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Comments on How to securely erase data from a thumb (solid state) drive

Parent

How to securely erase data from a thumb (solid state) drive

+0
−0

How do you securely erase data from a thumb (USB/flash) drive?

With traditional (magnetic/spinny) hard drives, it used to be that you could use various tools to simply overwrite with random data, and make it unrecoverable. You even have tools like shred that can do it for a specific file.

Many of these don't work on solid state devices (which most thumb drives are) because those have less predictable patterns over where data get written.

Does that mean that it's impossible to erase an SSD beyond recovery? Or is there a way to do it? Can you do individual files too, or is it only possible for the whole drive?

Note: I want to still use the drive after the erase, so no melting it in the raging flames of Mt. Doom.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

Post
+1
−1

Answering your question as written, this is a hardware-specific question. Since solid-state storage chips typically keep the details of which cells are being used to write data hidden from the OS, never mind the user, in order to be sure you've erased any unit of data beyond recovery, your hardware vendor would need to have written that functionality into its drivers somehow, and then you'd need a way to access it, from Linux. And you would need to trust that your hardware vendor is both competent at this task (which is rarely verified by consumers, after all) and uncompromised by the threats you're concerned about.

In my experience, the best approach is to encrypt a solid state device before ever using it, and store the key, or a passphrase used to decrypt the key, on a device from which it is more difficult to recover. Wetware works well.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

Of course, you would still have the secure erase problem if you leaked the key, because you can no lo... (6 comments)
Of course, you would still have the secure erase problem if you leaked the key, because you can no lo...
matthewsnyder‭ wrote over 1 year ago

Of course, you would still have the secure erase problem if you leaked the key, because you can no longer consider the cryptodisk secure.

I get that there is variation between hardware implementations. For that matter, same could be said for magnetic HDDs. But at the end of the day, I doubt all the sweatshops in China that make 1001 novelty flash drives have an army of wild geniuses work for them that come up with a completely different design every day. They're also extremely allergic to adding any more redundancy than strictly necessary (sometimes not). So there probably are a couple of "typical" designs in circulation, and it would suffice to have a method for those, with the caveat that if you have an atypical device it might not work.

For example, I would expect that at some point the meager wear leveling of a cheap drive gets saturated with writes and very little, if any, of the data survives.

davidgo‭ wrote over 1 year ago

If you use secure erase you don't ever actually get the key - its just kept on the disk. The risk (which is relatively low unless you are talking about multi-million dollar secrets) is that secure erase has been backdoored or improperly implemented (and this is not theoretical - some early disks had this issue). The whole point of using Secure Erase is it works fine with SSD's and does not cause write amplification, while providing FDE in case of erase.

matthewsnyder‭ wrote over 1 year ago

What I'm saying is, the logic in this answer appears to be:

Encrypt the SSD, and then it doesn't matter if people can recover the data because they wouldn't be able to decrypt it

However, the flaw in this logic appears to be:

If your encryption key happens to leak, you can no longer consider the encryption safe, because now anybody could have the key, so you would need to securely erase the encrypted data to prevent someone in the possession of the leaked key from recovering and decrypting the data

r~~‭ wrote over 1 year ago

It's all defense in depth. Do nothing, and the adversary just has to get their hands on your drive. Erase the data, and the adversary has to get their hands on your drive and find the data on a discarded but not erased block. Encrypt and erase the data, and the adversary has to get their hands on your drive, find the data on a discarded but not erased block, and get access to the key from a second device. Arrange to erase that device in addition to the above, and .... There is no ‘safe’; there is only increasing the cost of defeating your defenses.

matthewsnyder‭ wrote over 1 year ago

It seems like "encryption" doesn't really answer my question in that case.

r~~‭ wrote over 1 year ago · edited over 1 year ago

As I said, to answer your question as written would require knowledge of your hardware—not because every USB stick is manufactured by a maverick genius, but because there are no standards for secure erase in common use across SSDs and USB sticks. The bargain basement devices are unlikely to let you do it at all; your data may live in retired cells until the NAND charge leaks out and unless you have the equipment to read those cells directly, you'll never know. ‘Encryption’ was not intended as an answer to your question; it was a description of what I do knowing that the answer to your question rounds down to ‘good luck’.