#1 2015-06-24 13:55:53

ceri
Member
Registered: 2013-10-12
Posts: 57

[SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

I am setting up a new build and plan on having an encrypted root partition on a new SSD.

The arch wiki states that it is recommended that you secure erase a drive before using it in order to maintain a higher level of data confidentiality:
https://wiki.archlinux.org/index.php/Dm … UKS_header

However, I'm planning on enabling TRIM which will consequently leak information that isn't of concern to me, e.g. filesystem type, which parts of the drive are in use, etc.

Given this in mind, do I really need to secure erase the drive before using it? My understanding is that this would screw up the wear leveling mechanism, or if it was dealt with via TRIM, the data would appear zeroed out, defeating the purpose of secure erasing the drive in the first place.

Is there any other downside I have overlooked?

Last edited by ceri (2015-06-24 23:33:21)

#2 2015-06-24 14:15:59

frostschutz
Member
Registered: 2013-11-15
Posts: 1,420

Re: [SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

Given paranoia, overwriting with random data (shred -v -n 1 /dev/kaputt) is the best you can do to get rid of old data. Random data cannot be optimized away so even untrustworthy hardware is forced to write it somewhere, so the only way for old data to survive is to have a lot of additional, invisible capacity. Which SSDs sometimes have, but killing 250G of a 256G disk is still better than nothing.

But if you trust the hardware to erase in a timely manner, TRIM is more than sufficient. You're not going to get the data back. TRIM is a huge mess from a data recovery point of view. If those data recovery labs were not primarily about burnt or drowned disks, they could close up shop in the SSD age.

#3 2015-06-24 17:07:32

dockland
Member
From: Sweden
Registered: 2015-06-06
Posts: 861

Re: [SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

ceri wrote:

I am setting up a new build and plan on having an encrypted root partition on a new SSD.

The arch wiki states that it is recommended that you secure erase a drive before using it in order to maintain a higher level of data confidentiality:
https://wiki.archlinux.org/index.php/Dm … UKS_header

However, I'm planning on enabling TRIM which will consequently leak information that isn't of concern to me, e.g. filesystem type, which parts of the drive are in use, etc.

Given this in mind, do I really need to secure erase the drive before using it? My understanding is that this would screw up the wear leveling mechanism, or if it was dealt with via TRIM, the data would appear zeroed out, defeating the purpose of secure erasing the drive in the first place.

Is there any other downside I have overlooked?

Make sure you don't secure erase a PCIe M.2 SSD. It can make the drive unusable.


I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.
I use it to look at funny pictures of cats and to argue with strangers.

#4 2015-06-24 21:55:01

ceri
Member
Registered: 2013-10-12
Posts: 57

Re: [SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

frostschutz wrote:

Given paranoia, overwriting with random data (shred -v -n 1 /dev/kaputt) is the best you can do to get rid of old data. Random data cannot be optimized away so even untrustworthy hardware is forced to write it somewhere, so the only way for old data to survive is to have a lot of additional, invisible capacity. Which SSDs sometimes have, but killing 250G of a 256G disk is still better than nothing.

But if you trust the hardware to erase in a timely manner, TRIM is more than sufficient. You're not going to get the data back. TRIM is a huge mess from a data recovery point of view. If those data recovery labs were not primarily about burnt or drowned disks, they could close up shop in the SSD age.

There is no old data on the drive. It's a new SSD.

#5 2015-06-24 21:56:24

frostschutz
Member
Registered: 2013-11-15
Posts: 1,420

Re: [SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

ceri wrote:

There is no old data on the drive. It's a new SSD.

No need to do anything then, if you're going to encrypt from the beginning and still use TRIM anyway :)

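Added example, not part of the original thread or written by any of its posters: a way to check which dm-crypt mappings actually pass TRIM through to the SSD, since that setting decides whether the usage-pattern leak discussed above applies. It reads `dmsetup table` output and looks for the dm-crypt `allow_discards` option; the mapping names and sample lines are constructed.

```shell
#!/bin/sh
# Report, for each dm-crypt mapping in `dmsetup table` output read from stdin,
# whether discards (TRIM) are passed down to the underlying device.
# crypt target line layout (kernel dm-crypt documentation):
#   <name>: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opt> <opt>...]
audit_discards() {
    awk '
        $4 == "crypt" {
            name = $1; sub(/:$/, "", name)
            state = "off"
            # Field 10 is the optional-parameter count; the parameters follow it.
            for (i = 11; i <= NF; i++)
                if ($i == "allow_discards") state = "on"
            printf "%s discards=%s backing=%s\n", name, state, $8
        }
    '
}

# Constructed sample of `dmsetup table` output (keys zeroed, names hypothetical).
sample_table() {
    cat <<'EOF'
cryptroot: 0 499122176 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096 1 allow_discards
cryptswap: 0 16777216 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:3 0
vg0-home: 0 209715200 linear 254:0 2048
EOF
}

# Live use (needs root): dmsetup table | audit_discards
sample_table | audit_discards
```

A mapping reported as `discards=off` will not forward TRIM even if the filesystem on top is mounted with discard or `fstrim` is run.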

#6 2015-06-24 23:26:46

ceri
Member
Registered: 2013-10-12
Posts: 57

Re: [SOLVED] secure erase for an SSD to be encrypted needed w/ TRIM?

frostschutz wrote:
ceri wrote:

There is no old data on the drive. It's a new SSD.

No need to do anything then, if you're going to encrypt from the beginning and still use TRIM anyway :)

Ok great. Thanks.
