
I've read some articles and they appear to suggest the idea of using the dd command to wipe an entire SSD before encrypting it. The drive in question is a Samsung 970 EVO PCIe NVMe V-NAND M.2 2280 250GB MZ-V7E250BW

Correct me if I'm wrong: SSDs maintain a layer of indirection between logical addresses and physical addresses, so there are risks if you do NOT wipe the entire SSD.

SSDs also don't overwrite on the same page of the modified data. Instead, they write to a new page and leave the original data untouched.

My question is, is it secure to wipe an entire SSD using dd, for example: `dd if=/dev/zero of=/dev/mapper/something_to_wipe status=progress`?

EDIT: A comment mentioned a 7-year-old answer that addressed part of my question; I'd like a more specific answer to my question.

xorist
Tuyen Pham
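The two premises in the question (a logical-to-physical map, and writes that go to a fresh page instead of overwriting the old one) are easiest to see in a toy model. The following is an added example, not code from the question or from any SSD vendor's firmware; the `ToySSD` class, its 16-byte pages, the 2:1 over-provisioning ratio and the secret value are all constructed assumptions. It shows what the host sees after a full zero pass versus what still sits in unmapped NAND pages.

```python
# Toy flash translation layer (FTL), constructed for illustration only.
# Real SSD firmware is far more complex, but the two properties that matter
# here are modelled: a logical-to-physical map, and write-out-of-place.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_SIZE = 16          # bytes per page in this toy model (assumption)


@dataclass
class ToySSD:
    logical_blocks: int                       # capacity the host sees
    physical_pages: int                       # raw NAND pages (over-provisioned)
    pages: list = field(init=False)           # physical page contents
    l2p: dict = field(default_factory=dict)   # logical block -> physical page
    next_free: int = 0

    def __post_init__(self) -> None:
        self.pages = [None] * self.physical_pages

    def write(self, lba: int, data: bytes) -> int:
        """Host write. The data lands in a fresh page and the map is updated;
        the page that previously held this block is left untouched (stale)
        until garbage collection erases it. Returns the physical page used."""
        if not 0 <= lba < self.logical_blocks:
            raise ValueError("LBA out of range")
        if len(data) != PAGE_SIZE:
            raise ValueError("page-sized writes only in this model")
        if self.next_free >= self.physical_pages:
            raise RuntimeError("no free pages: garbage collection would run here")
        ppa = self.next_free
        self.next_free += 1
        self.pages[ppa] = data
        self.l2p[lba] = ppa
        return ppa

    def read(self, lba: int) -> Optional[bytes]:
        """Host read: only the currently mapped page is visible."""
        ppa = self.l2p.get(lba)
        return None if ppa is None else self.pages[ppa]

    def stale_pages_containing(self, needle: bytes) -> List[int]:
        """Forensic view: pages that still hold `needle` but that no logical
        block maps to. The host cannot address them; a chip-off read can."""
        live = set(self.l2p.values())
        return [i for i, p in enumerate(self.pages)
                if p is not None and i not in live and needle in p]


def wipe_demo() -> Tuple[Optional[bytes], List[int]]:
    """Write a secret, then overwrite every logical block with zeros
    (what `dd if=/dev/zero of=/dev/<raw-ssd>` does from the host's view)."""
    ssd = ToySSD(logical_blocks=4, physical_pages=8)   # 2:1 over-provisioning (assumption)
    secret = b"TOP-SECRET-KEY!!"                        # constructed 16-byte sample
    ssd.write(0, secret)
    for lba in range(ssd.logical_blocks):
        ssd.write(lba, bytes(PAGE_SIZE))                # the "dd" pass over the whole LBA range
    # Host reads back zeros for block 0, yet physical page 0 still holds the secret.
    return ssd.read(0), ssd.stale_pages_containing(secret)


if __name__ == "__main__":
    host_view, stale = wipe_demo()
    print("host reads block 0 as:", host_view)
    print("unmapped pages still holding the secret:", stale)
```

After `wipe_demo()` the host sees an all-zero block 0, but physical page 0 (now unmapped) still contains the secret: a full `dd` pass from the host can only address the logical capacity, never the over-provisioned or stale pages. That is why firmware-level erasure (for NVMe, `nvme format` with its secure erase setting, or `nvme sanitize`) rather than host writes is the mitigation for data that was ever stored in the clear, and why encrypting before any plaintext is written avoids the problem entirely.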

1 Answer

You do not need to delete a new SSD before enabling encryption. Deleting is only relevant in case there already is sensitive data on the drive. If you enable encryption before writing any data to the SSD, there will never be any unencrypted data on the SSD that you need to delete.

If the SSD was used before, but the data on it is not sensitive, then you can just format the SSD. There is no need to delete the SSD securely, if you don't care about the unencrypted data on it.

If there is sensitive data on the SSD that you want to securely delete, then this answer explains why it is not safe. Generally, if you want to be completely secure, set up a new encrypted SSD, transfer the data and then physically destroy the old, unencrypted SSD. There is no 100% way of wiping the whole SSD, only probabilistic attempts that would wear out your SSD anyway.

Peter Harmann
  • As in my first post, I have a new SSD; do I need to wipe it before doing the first encryption on it or not? If I still need to wipe it, is `dd` on the `mapper` good enough? – Tuyen Pham Sep 17 '18 at 11:36
  • @TuyenPham Okay, your question is not clear, I will edit the answer. – Peter Harmann Sep 17 '18 at 11:37
  • @TuyenPham Is it better now? – Peter Harmann Sep 17 '18 at 11:43
  • @PeterHarmann This is not true, because file information can be inferred by borders between zeros and random data on the drive. File system information, file sizes, file types and other properties become more obvious. – Itay Grudev May 11 '21 at 16:03
  • @ItayGrudev I will admit I was thinking more in terms of VeraCrypt, so I did not realize this is a concern. Then again, if you are interested in obscuring that kind of information, maybe you should use encryption designed to do so? I am not sure writing random data is the way to go about it, especially since we are talking about an SSD. Also, writing zeroes as in the question would make this worse, not better? – Peter Harmann May 14 '21 at 13:11
  • Yes, but encrypted data is indistinguishable from random data. Thus if the background is random data, borders are impossible to detect. Algorithms designed to do so use up space very inefficiently, while preparing the disk with random data is a much better alternative. – Itay Grudev May 16 '21 at 07:19
  • Yes and no. While it is true that "encrypted data is indistinguishable from random data", that only matters if everything is just one encrypted blob of data. If you have a filesystem there, the file structure and some other metadata may not be encrypted (to allow faster access, per file encryption), which would reveal everything. So you need to be careful about what kind of encryption you use. And again, the question was about zeroing, not wiping with random data. – Peter Harmann May 24 '21 at 09:23
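The disagreement in the comments above (zero background versus random background) comes down to whether the unused area of the drive can be told apart from the encrypted container. The following is an added example, not code from any participant in this thread: it builds a constructed 64-chunk disk image in each configuration, with random bytes standing in for ciphertext, and scans it with a per-chunk Shannon entropy profile, the check an analyst or a cautious owner would run over an image of their own drive to confirm the preparation did what they expected. Chunk size, threshold and the container's position are assumptions. Note that writing zeros through `/dev/mapper/...` as in the question produces ciphertext on the underlying NVMe device, so it corresponds to the random-background case here; zeroing the raw device corresponds to the zero-background case.

```python
# Entropy scan of constructed disk images: zero background vs random background.
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

CHUNK = 4096       # bytes per scanned chunk (assumption)
THRESHOLD = 7.5    # bits/byte; 4 KiB of random data scores ~7.95, zeros score 0


def shannon_entropy(buf: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(image: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each consecutive chunk of the image."""
    return [shannon_entropy(image[i:i + chunk]) for i in range(0, len(image), chunk)]


def high_entropy_regions(profile: List[float], threshold: float = THRESHOLD) -> List[Tuple[int, int]]:
    """Runs [start, end) of chunk indices above the threshold. On a zero
    background these runs outline the encrypted container (position and size);
    on a random background the whole image is one run and nothing stands out."""
    regions: List[Tuple[int, int]] = []
    start = None
    for i, e in enumerate(profile + [0.0]):      # sentinel closes a trailing run
        if e >= threshold and start is None:
            start = i
        elif e < threshold and start is not None:
            regions.append((start, i))
            start = None
    return regions


def build_image(background: bytes, rng: random.Random) -> bytes:
    """Constructed 64-chunk 'drive': the given background with a 10-chunk
    ciphertext-like region (random bytes) placed at chunk 20 (assumption)."""
    img = bytearray(background)
    img[20 * CHUNK:30 * CHUNK] = rng.randbytes(10 * CHUNK)
    return bytes(img)


def compare_backgrounds() -> Dict[str, List[Tuple[int, int]]]:
    """Scan both constructed images and return the high-entropy regions found."""
    rng = random.Random(1234)                 # fixed seed so the demo is reproducible
    total = 64 * CHUNK
    zero_bg = bytes(total)                    # raw device zeroed with dd if=/dev/zero
    random_bg = rng.randbytes(total)          # device prepared with random data
    return {name: high_entropy_regions(entropy_profile(build_image(bg, rng)))
            for name, bg in (("zero", zero_bg), ("random", random_bg))}


if __name__ == "__main__":
    for name, regions in compare_backgrounds().items():
        print(f"{name:6s} background -> high-entropy regions (chunks): {regions}")
```

With the zero background the scan returns a single region `[(20, 30)]`, i.e. the container's exact offset and size leak even though its contents do not; with the random background the entire image scores above the threshold and the container cannot be located. The same limitation the comments raise still applies: this only helps if the container is a single opaque blob; a filesystem with unencrypted metadata or per-file encryption exposes structure regardless of what the background looks like.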