How secure is Secure Erase option in BIOS?

Question

I have been exploring data security lately and came across HDD data recovery. I now know that a format simply deletes the "pointers" to files and directories and that data is still there. The only way to completely wipe the drive is to either physically destroy it or overwrite the complete drive with random sequences of 0s and 1s.

But how secure is it really?

I have found a Secure Erase option on my HP laptop's BIOS. I have read multiple articles online and most people recommend DBAN and similar software.

From what I can understand, Secure Erase only differs from other software in the way it overwrites things, meaning, that the overwriting process takes place in the hardware itself (built-in HDD commands or something like this, I'm no expert, correct me please).

So... Let's suppose that you need your data to be destroyed completely so that it's irrecoverable... How secure is Secure Erase really? What if you run it multiple times in a row, let's say 3 - 7. How secure is it if we compare it to other secure erasing tools such as DBAN and so on?

Let's not forget that before you perform the Secure Erase operation, DriveLock asks you for a recovery password just in case your system shuts down during the process... What happens with that DriveLock and password, do they get overwritten too at the end?

Answer 1

Once you have run a certified secure erase function even once, data recovery is almost impossible on an HDD. Note that things are different for a FLASH drive.

To expand on this for clarification, HP Secure Erase does NOT overwrite data on the drive - it is designed for SSDs ONLY. HP used to have another option available for HDD's that did overwrite data.

SSD's (solid state memory) work differently than a traditional HDD. Overwriting an SSD is kind of useless with the way SSD's store information, and would lessen the lifespan of the drive CONSIDERABLY. Because an SSD stores information electrically, the HP Secure Erase option basically sends a voltage spike to your whole drive at once, which forces all of the sectors to reset, and wipes everything securely.

As for transparency, HP has released a technical whitepaper on how Secure Erase works, which can be viewed here: http://www8.hp.com/h20195/v2/GetPDF.aspx/4AA7-2608ENW.pdf

Answer 2

This is a feature that is managed by HP and so it's not very transparant. Proprietary software has this property, and this is often not good for security. The documentation states that it's a mix of ones, zeroes and random data.

DBAN is open source, so you read what it does, and edit it before running it. If you're even more paranoid, boot into linux and run dd if=/dev/urand of=/dev/yourdrive

The drive encryption will be completely destroyed afterwards. Some key data might live on in the TPM, but no content.

Also, be careful with the wording

so that authorities won't be able to recover any of it

Even if you did nothing wrong, this is obstruction of justice in most countries. If the authorities are interested in your HDD you have quite the issue.

Answer 3

Once you have run a certified secure erase function even once, data recovery is almost impossible on an HDD. Note that things are different for a FLASH drive.

If you need to protect from state-level recovery attempts, you will need a few more iterations. Even top-secret requirements only require 3 iterations now.

I don't know about BIOS based functions. However, if you required certified erasure, you will want to use a standardised application.

If you really want to be absolutely certain data is destroyed, physical destruction is generally considered best. A furnace is a good answer to that!