Reliably erasing data from storage devices is a basic requirement of secure data management. Solid state drives (SSDs) differ from hard disk drives in how they store and manage data: they use NAND flash instead of magnetic platters, and a flash translation layer (FTL) sits between the logical block addresses (LBAs) the host uses to access data and the physical flash addresses where the data is actually stored. This layer improves performance and endurance by hiding the awkward flash interface (erase-before-write, large erase blocks) and by spreading wear, but it does so by remapping writes to fresh pages rather than updating data in place. The result is that stale copies of data can remain in flash pages that no LBA points to, invisible to the host yet recoverable by an attacker with access to the raw flash. Sanitization must therefore remove every copy of the data, not only the one the host can still address.
1.1 Built-in sanitize commands
Most modern drives implement built-in sanitize commands that instruct the drive's firmware to carry out the sanitization itself. The ATA Security feature set defines SECURITY ERASE UNIT, which in normal mode overwrites all user-accessible sectors with zeros or ones; its enhanced mode writes a manufacturer-defined pattern (for example, repeated 0x55) and also covers sectors that have been reallocated and are no longer reachable through an LBA. The newer SANITIZE feature set adds BLOCK ERASE, which issues a flash block erase to every block that has held user data, including over-provisioned and retired blocks the host cannot address at all. Industrial SSDs support these standards and can sanitize quickly because many blocks are erased in parallel. For example, a 1TB or 512GB pSLC SSD can sanitize fully in about 10 seconds when the erase is triggered through the feature connector (pinout below), which starts a 4-way simultaneous block erase across the whole drive.
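Before issuing any of these commands it pays to read back what the drive actually reports, because a drive that the BIOS has security-frozen, or that is locked with a password, will reject the erase. The following script is an added example (not SP Industrial or hdparm code): it parses the Security and Commands/features sections of `hdparm -I` output, decides whether SANITIZE BLOCK ERASE or the ATA SECURITY ERASE UNIT path applies, and builds the hdparm invocations to run. The identify text it parses is constructed here to mimic hdparm's layout, the device name `/dev/sdX` is a placeholder, and the `NULL` password is the conventional throwaway value, not a requirement.

```python
"""Plan an ATA secure erase / SANITIZE sequence from `hdparm -I` output.

Added example, not SP Industrial or hdparm code. sample_identify() is a
constructed excerpt in the layout hdparm prints, not output from a real drive.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AtaSecurityState:
    security_supported: bool = False  # ATA Security feature set present
    enabled: bool = False             # a user password is already set
    locked: bool = False              # drive refuses user data access
    frozen: bool = False              # BIOS issued SECURITY FREEZE LOCK
    enhanced_erase: bool = False      # ENHANCED SECURITY ERASE UNIT supported
    sanitize: bool = False            # SANITIZE feature set present
    block_erase: bool = False         # SANITIZE BLOCK ERASE EXT supported
    crypto_scramble: bool = False     # SANITIZE CRYPTO SCRAMBLE EXT supported
    erase_minutes: Optional[int] = None


def parse_hdparm_identify(text: str) -> AtaSecurityState:
    """Extract security capability and state from `hdparm -I` output."""
    st = AtaSecurityState()
    in_security = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Security:"):
            in_security = True
            continue
        if in_security:
            # hdparm prints "not<tab>enabled" when a flag is clear, "enabled" when set.
            m = re.fullmatch(r"(not\s+)?(enabled|locked|frozen)", line)
            if m:
                setattr(st, m.group(2), m.group(1) is None)
            elif line == "supported":
                st.security_supported = True
            elif line.startswith("supported: enhanced erase"):
                st.enhanced_erase = True
            else:
                m = re.search(r"(\d+)min for SECURITY ERASE UNIT", line)
                if m:
                    st.erase_minutes = int(m.group(1))
        elif "SANITIZE feature set" in line:
            st.sanitize = True
        elif "BLOCK_ERASE_EXT command" in line:
            st.block_erase = True
        elif "CRYPTO_SCRAMBLE_EXT command" in line:
            st.crypto_scramble = True
    return st


def blockers(st: AtaSecurityState) -> List[str]:
    """Conditions that must be cleared before the drive will accept an erase."""
    out = []
    if st.frozen:
        out.append("frozen")  # usual fix: suspend/resume or hot-plug the drive
    if st.locked:
        out.append("locked")  # needs --security-unlock with the existing password
    return out


def plan_sanitize(dev: str, st: AtaSecurityState, password: str = "NULL") -> List[List[str]]:
    """Return the hdparm argv lists to run, in order; empty if blocked or unsupported."""
    if blockers(st):
        return []
    if st.sanitize and st.block_erase:
        # Preferred: erases every flash block, including over-provisioned and retired
        # blocks that no LBA reaches. --sanitize-status is polled until it reports done.
        return [["hdparm", "--yes-i-know-what-i-am-doing", "--sanitize-block-erase", dev],
                ["hdparm", "--sanitize-status", dev]]
    if st.security_supported:
        # Legacy path: SECURITY ERASE UNIT needs a user password set first; the drive
        # clears it when the erase completes. If a password is already enabled,
        # `password` must be that one, not "NULL".
        erase = "--security-erase-enhanced" if st.enhanced_erase else "--security-erase"
        cmds = [] if st.enabled else [["hdparm", "--user-master", "u", "--security-set-pass", password, dev]]
        cmds.append(["hdparm", "--user-master", "u", erase, password, dev])
        return cmds
    return []


def run_plan(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Print each command; only with dry_run=False does it actually run (as root, on a drive you mean to wipe)."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


def sample_identify(frozen: bool = False, sanitize: bool = True) -> str:
    """Constructed `hdparm -I` excerpt (not captured from a real drive)."""
    san = ("\t   *\tSANITIZE feature set\n\t   *\tBLOCK_ERASE_EXT command\n"
           "\t   *\tCRYPTO_SCRAMBLE_EXT command\n") if sanitize else ""
    return ("Commands/features:\n\tEnabled\tSupported:\n\t   *\tSMART feature set\n" + san +
            "Security: \n\tMaster password revision code = 65534\n\t\tsupported\n"
            "\tnot\tenabled\n\tnot\tlocked\n" + ("\t\tfrozen\n" if frozen else "\tnot\tfrozen\n") +
            "\tnot\texpired: security count\n\t\tsupported: enhanced erase\n"
            "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
            "Checksum: correct\n")


if __name__ == "__main__":
    run_plan(plan_sanitize("/dev/sdX", parse_hdparm_identify(sample_identify())))  # dry run
```

On a real system replace `sample_identify()` with the output of `hdparm -I /dev/sdX` and keep `dry_run=True` until the printed plan is what you expect; a frozen drive yields an empty plan rather than a failed command.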
1.2 Repeatedly writing over the drive
The second method for sanitizing a drive is to use normal input/output (I/O) commands to overwrite every logical block address on the drive, usually more than once. Repeated overwriting of the whole drive with different patterns is the core of many disk sanitization standards and tools. Most of them overwrite the drive sequentially with between 1 and 35 bit patterns. U.S. Air Force System Security Instruction 5020 (AFSSI-5020) is a good example: it first fills the drive with zeros, then with ones, and finally with a random character, and then reads the data back to confirm that only the random character remains. Using different bit patterns aims to flip as many physical bits on the medium as possible, so that residual traces of the old data are harder to recover by analog means.
Bit patterns also matter for solid state drives (SSDs), but for a different reason. Some SSD controllers compress data before storing it, so a highly repetitive pattern may cause far fewer bits to be written to flash than the pattern's length suggests, leaving old pages untouched. SSD overwrite procedures should therefore use random, incompressible data for maximum effectiveness.
The complexity of the SSD firmware's translation layer means that how the drive was used before the overwrite can affect the technique's effectiveness. We tested SSDs by writing the first pass of data either sequentially or randomly, then performed 20 sequential overwrites. For the random writes, we wrote each LBA exactly once, in random order.
In most cases, overwriting the entire drive twice was enough to sanitize it, regardless of its previous state. However, sanitizing a drive this way takes a significant amount of time.
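The procedure above, as an added example that is not SP Industrial's tooling: a multi-pass overwrite of a block device or file that follows the AFSSI-5020 shape (zeros, ones, then a final pass), except that the final pass is random data, as the text recommends for SSDs, so a compressing controller cannot shrink it. Verification reads the whole target back, counts occurrences of a known marker and measures compressibility, which is close to 1.0 for random data. The target path, chunk size and the marker used in `demo()` are assumptions; writing through LBAs still cannot reach blocks the FTL has retired or kept as spare copies, which is why the built-in commands of 1.1 are preferred where available.

```python
"""Multi-pass overwrite with read-back verification.

Added example, not SP Industrial code. demo() builds a constructed temp file
so the flow can be run without a spare drive; for a real device pass /dev/sdX.
"""
import os
import tempfile
import zlib
from typing import Dict, Iterable, Optional

CHUNK = 1 << 20  # 1 MiB per write


def _target_size(fd: int) -> int:
    # st_size is 0 for block devices; seeking to the end works for files and devices.
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite(path: str, patterns: Iterable[Optional[int]] = (0x00, 0xFF, None),
              chunk: int = CHUNK) -> Dict[str, int]:
    """Overwrite every byte of `path` once per pattern; None means random data."""
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _target_size(fd)
        passes = 0
        for pat in patterns:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                buf = os.urandom(n) if pat is None else bytes([pat]) * n
                written = 0
                while written < n:  # os.write may accept fewer bytes than offered
                    written += os.write(fd, buf[written:])
                remaining -= n
            os.fsync(fd)  # make this pass durable before starting the next one
            passes += 1
    finally:
        os.close(fd)
    return {"bytes_per_pass": size, "passes": passes}


def compression_ratio(data: bytes) -> float:
    """len(compressed)/len(raw): about 1.0 for random data, near 0 for patterns."""
    return len(zlib.compress(data, 6)) / max(len(data), 1)


def verify_wiped(path: str, markers: Iterable[bytes], chunk: int = CHUNK) -> Dict[str, float]:
    """Read the target back; count marker hits (across chunk boundaries) and compressibility."""
    markers = list(markers)
    overlap = max((len(m) for m in markers), default=1) - 1
    hits, total, compressed, tail = 0, 0, 0, b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            window = tail + block
            hits += sum(window.count(m) for m in markers)
            tail = window[-overlap:] if overlap else b""
            total += len(block)
            compressed += len(zlib.compress(block, 6))
    return {"marker_hits": hits, "bytes_read": total,
            "compression_ratio": compressed / max(total, 1)}


def demo() -> Dict[str, float]:
    """Constructed target: a temp file holding a known marker, wiped and then verified."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SECRET-MARKER-" * 1000 + b"\x00" * 4096)  # 18096 bytes, constructed
    os.close(fd)
    try:
        report = verify_wiped(path, [b"SECRET-MARKER-"], chunk=4096)
        assert report["marker_hits"] == 1000  # sanity check before wiping
        result = overwrite(path, chunk=4096)
        report = verify_wiped(path, [b"SECRET-MARKER-"], chunk=4096)
        report.update(result)
        return report
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

For a real drive run it as root with the device path instead of the temp file; a compression ratio well below 1.0 after the random pass, or any marker hit, means the overwrite did not land where the read-back expected it.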
1.3 Electrically destroying the drive via a high voltage generator
Degaussing is a quick and effective way to destroy hard drives: it removes the drive's low-level formatting and damages the motor, and the data goes with them. Flash memory, however, stores data as electrical charge in its cells rather than as magnetic domains, so a degausser has no direct effect on the flash cells in an SSD.
Alternatively, an SSD could be designed with an on-board high voltage generator and controller that physically destroy the NAND flash chips on command, but this is not a normal SSD design. SP Industrial's industrial-grade SSDs instead have a built-in power management unit that delivers more stable power than discrete circuits, with full protection against overvoltage, overcurrent, surge and short circuits, which is safer than a plain fuse design. Those same protections work against any attempt to destroy the flash electrically from outside, so this technique is not recommended for wiping the drive.
1.4 Leveraging encryption
The self-encrypting drives in SP Industrial's SSD line include a hardware AES-256 encryption engine, so data at rest is encrypted without reducing SSD performance. The drives follow the Trusted Computing Group (TCG) Opal standard. Encryption is always on, but the encryption key is not managed, and therefore does not protect the data, until TCG/Opal or ATA security features are enabled. Sanitizing such a drive then means cryptographic erase: the drive discards its media encryption key and generates a new one, so everything previously written remains in flash only as ciphertext that can no longer be decrypted. In theory this makes wiping the drive nearly instantaneous. In practice it is only as good as the key destruction: the old key must be purged from every place the drive keeps a copy, every region that held user data must actually have been encrypted under it, and the result should be confirmed by reading back sectors that previously held known data.
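The key-handling states described above (always-on encryption with an unmanaged key, activation that puts the key behind a credential, and cryptographic erase that replaces it), as an added model that is not SP Industrial firmware or the TCG Opal specification. The cipher is SHA-256 in counter mode over (key, sector, counter), a stand-in for the drive's AES-256 engine chosen so the example runs on the standard library alone; the key-wrap construction, sector size and the plaintext used in `demo()` are assumptions. The point it makes concrete is that before activation the data reads back in clear with no credential, and that after crypto erase the flash contents are unchanged but unreadable.

```python
"""Model of a self-encrypting drive's key hierarchy and cryptographic erase.

Added example, not SP Industrial firmware or TCG Opal. The keystream cipher,
wrap format and constants are modelling assumptions, not the drive's internals.
"""
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional

SECTOR = 512  # assumed sector size for the model


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """PRF keystream: SHA-256(key || sector || block counter), concatenated and truncated."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compression_ratio(data: bytes) -> float:
    return len(zlib.compress(data, 6)) / max(len(data), 1)


class ModelSED:
    """In-memory drive: a MEK, an optional wrapped copy of it, and ciphertext sectors."""

    def __init__(self) -> None:
        self.mek = os.urandom(32)             # always-on MEK, generated at manufacture
        self.wrapped: Optional[bytes] = None  # MEK wrapped under the user's KEK, once activated
        self.unlocked = True                  # before activation nothing gates the MEK
        self.salt = os.urandom(16)
        self.flash: Dict[int, bytes] = {}     # sector -> ciphertext as stored in NAND

    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000)

    def write(self, sector: int, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("locked")
        self.flash[sector] = xor(data, keystream(self.mek, sector, len(data)))

    def read(self, sector: int) -> bytes:
        if not self.unlocked:
            raise PermissionError("locked")
        ct = self.flash[sector]
        return xor(ct, keystream(self.mek, sector, len(ct)))

    def raw_flash(self, sector: int) -> bytes:
        """What a chip-off read yields: ciphertext, with no credential required."""
        return self.flash[sector]

    def activate(self, password: bytes) -> None:
        """Enable security: keep the MEK only wrapped under the credential-derived KEK."""
        kek = self._kek(password)
        self.wrapped = xor(self.mek, kek) + hmac.new(kek, self.mek, "sha256").digest()

    def lock(self) -> None:
        """Power cycle: the plaintext MEK leaves volatile memory until unlocked again."""
        self.mek, self.unlocked = b"", False

    def unlock(self, password: bytes) -> bool:
        if self.wrapped is None:          # never activated: nothing to check
            self.unlocked = True
            return True
        kek = self._kek(password)
        mek = xor(self.wrapped[:32], kek)
        if not hmac.compare_digest(self.wrapped[32:], hmac.new(kek, mek, "sha256").digest()):
            return False                  # wrong credential: MEK stays unavailable
        self.mek, self.unlocked = mek, True
        return True

    def crypto_erase(self) -> None:
        """Replace the MEK and purge the wrapped copy; flash contents are left as they are."""
        self.mek, self.wrapped, self.unlocked = os.urandom(32), None, True


def demo() -> Dict[str, object]:
    """Constructed scenario walking through the three states the text describes."""
    sed = ModelSED()
    secret = b"PAYROLL-2024-" * 39 + b"\x00" * 5   # one 512-byte plaintext sector (constructed)
    sed.write(7, secret)
    readable_without_credential = sed.read(7) == secret
    sed.activate(b"correct horse")
    sed.lock()
    wrong = sed.unlock(b"guess")
    right = sed.unlock(b"correct horse")
    readable_after_unlock = right and sed.read(7) == secret
    before = sed.raw_flash(7)
    sed.crypto_erase()
    after = sed.read(7)
    return {"readable_without_credential": readable_without_credential,
            "wrong_password_rejected": not wrong,
            "readable_after_unlock": readable_after_unlock,
            "plaintext_gone": after != secret and secret[:13] not in after,
            "flash_unchanged_by_erase": sed.raw_flash(7) == before,
            "ciphertext_ratio": compression_ratio(sed.raw_flash(7))}


if __name__ == "__main__":
    print(demo())
```

The `flash_unchanged_by_erase` result is the caveat in one line: nothing in NAND changed, so the erase is only as strong as the certainty that every copy of the old key (the wrapped copy included) is gone.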
Feature connector pinout (the security erase trigger referred to in 1.1):

Pin | Function | I/O | Function Description
---|---|---|---
1 | Write Protect | input | short to GND pin to enable write protection
2 | GND | n/a | system ground
3 | Device activity indicator | output | connect to an LED to indicate device activity
4 | Security Erase trigger | input | short to GND pin to trigger security erase function
5 | Erase activity indicator | output | connect to an LED to indicate erase function activity