
I have been using an SSD with no system-level encryption. If I now switch to full disk encryption using LUKS + LVM, do I effectively wipe the old data, or is it still hanging around until overwritten?

lofidevops

3 Answers


No, the data is not wiped. It is trivial to make all data "disappear" by TRIMing the whole drive, but all the data are still on the flash chips and are only slowly wiped in a background process.

Fortunately, most SSDs are already encrypted in hardware precisely to avoid costly full disk wipes. Many consumer SSD brands provide utilities to reset the key which effectively wipes the disk. You can probably also send direct ATA commands using something like hdparm.

billc.cn
  • Side note: The hdparm [man page](https://linux.die.net/man/8/hdparm) is one of the most entertaining man pages I have ever read. – Kevin Sep 13 '21 at 00:56

You need to enable TRIM on LUKS and possibly LVM and then trim the SSD with fstrim. This will zero unused blocks of your SSD.

To enable TRIM on LVM, edit /etc/lvm/lvm.conf and enable the issue_discards option.

To enable TRIM on LUKS, edit /etc/crypttab. On some distros like Fedora, it's enough to add discard to options. On some other distros it's allow-discards.

Ideally, before placing LUKS, you could use ATA Secure Erase https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Aria
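The steps in this answer (discard in crypttab, issue_discards in lvm.conf, then fstrim) only help if each layer actually passes TRIM down, and the first answer's hdparm/Secure Erase route only works if the drive reports ATA Security as supported and not frozen. The script below is an added example, not code from any of the answers: it checks those conditions from the relevant config files and command outputs, read on stdin so it can be run against captured or, as here, constructed text. The mapping name `cryptroot`, the device `/dev/sda`, the UUIDs and all sample outputs are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers above). Offline-testable checks that TRIM
# reaches the SSD through LUKS + LVM, and that the drive reports the ATA features
# the answers rely on. Sample inputs and device/mapping names are constructed.

# /etc/crypttab: 4th field is a comma-separated option list. "discard" (Fedora,
# Debian) or "allow-discards" (some other distros) enables TRIM pass-through for
# the named mapping. Exit 0 if present.
crypttab_has_discard() {
    awk -v name="$1" '
        $1 !~ /^#/ && NF >= 4 && $1 == name {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "discard" || opts[i] == "allow-discards") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# /etc/lvm/lvm.conf: issue_discards = 1 (devices section) makes LVM discard
# extents it frees, e.g. on lvremove. Comments are stripped first so a
# commented-out default does not count.
lvmconf_issue_discards() {
    sed 's/#.*//' | grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# `dmsetup table <mapping>` (live check): the crypt target lists "allow_discards"
# among its optional parameters only when the mapping was opened with discards
# enabled. Without it, fstrim on the filesystem above never reaches the SSD.
dmcrypt_discards_allowed() {
    grep -Eq '^[0-9]+ [0-9]+ crypt .* allow_discards( |$)'
}

# `hdparm -I <device>`:
#   trim  = drive accepts TRIM (Data Set Management)
#   rzat  = reads of trimmed LBAs return zeros, i.e. fstrim yields zeros rather
#           than whatever the controller feels like returning
#   erase = ATA Security supported and not frozen, so a Secure Erase can be issued
# Prints one summary line; exit 0 only if all three hold.
hdparm_report() {
    awk '
        /Data Set Management TRIM supported/  { trim = 1 }
        /Deterministic read ZEROs after TRIM/ { rzat = 1 }
        /^Security:/                          { insec = 1 }
        insec && /supported$/                 { sec_sup = 1 }
        insec && /not[ \t]+frozen/            { unfrozen = 1 }
        insec && /^[ \t]*frozen/              { unfrozen = 0 }
        END {
            erase = (sec_sup && unfrozen) ? 1 : 0
            printf "trim=%d rzat=%d secure_erase_possible=%d\n", trim + 0, rzat + 0, erase
            exit (trim && rzat && erase) ? 0 : 1
        }'
}

# Constructed samples for an offline run (not captured from a real machine).
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
cryptroot UUID=1c0a4d3e-7b2f-4e7a-9d51-2ab8c6f0e9d4 none luks,discard
cryptdata /dev/sdb2 none luks'

SAMPLE_LVMCONF='devices {
    # issue_discards = 0
    issue_discards = 1
}'

SAMPLE_DMTABLE='0 975896576 crypt aes-xts-plain64 :64:logon:cryptsetup:1c0a4d3e-7b2f-4e7a-9d51-2ab8c6f0e9d4-d0 0 259:3 32768 1 allow_discards'

SAMPLE_HDPARM=$(printf 'Commands/features:\n\t   *\tData Set Management TRIM supported (limit 8 blocks)\n\t   *\tDeterministic read ZEROs after TRIM\nSecurity:\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\t\tsupported: enhanced erase\n')

# Live use (as root; names are assumptions):
#   crypttab_has_discard cryptroot < /etc/crypttab
#   lvmconf_issue_discards < /etc/lvm/lvm.conf
#   dmsetup table cryptroot | dmcrypt_discards_allowed && fstrim -v /
#   hdparm -I /dev/sda | hdparm_report
```

If `hdparm_report` shows `rzat=0`, a trimmed block is merely unallocated and the controller makes no promise about what a read of it returns, so fstrim alone is not a wipe. If it shows the security state as frozen (common after the BIOS has issued SECURITY FREEZE LOCK at boot), the drive has to be unfrozen first, typically by a suspend/resume cycle, before a Secure Erase will be accepted.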

It completely depends on your implementation (we don't even know which OS/tools/filesystem you are using).

During encryption configuration, you may see "erase options". For example:

  • OSX disk utility lets you select how many times to overwrite existing data under "Security Options"
  • gnome disk utility also has "erase options"
  • Windows BitLocker has an "encrypt entire drive" option which sounds like it overwrites previous data first

With that said, overwriting was somewhat effective in the HDD days. SSDs have been notoriously resistant to sanitizing. You can find a much more in-depth discussion in Can wiped SSD data be recovered?

Marc
  • I'll update my question with the details, thanks -- but my understanding is that merely overwriting doesn't effectively wipe an SSD? or does that only apply to files and "overwriting the whole SSD" will always work? – lofidevops Jan 03 '18 at 11:24
  • Ah sorry @d3vid, I've added more details about SSDs specifically. I recommend reading the linked answer, it's quite thorough. – Marc Jan 03 '18 at 11:30
  • thanks - I've updated my question to be more specific (LUKS + LVM) – lofidevops Jan 03 '18 at 12:57