I have to give my computer back to my boss. I want to delete all the data from my SSD. I found "ThinkShield secure wipe" which is implemented in the BIOS apparently.

It gives me two options: ATA Secure Erase method or ATA Cryptographic Key Reset

Which one should I use? Will it delete all my data and make it unavailable so nobody can recover the history and data that were on my computer? I read in this documentation that ATA Cryptographic Key Reset "simply" changes the key but doesn't remove the content of my SSD? I feel like it doesn't make my data unavailable then because it still exists? Also, I have a Thinkpad490 and this documentation says it's for "P-series Workstations" so it doesn't talk about my computer but I have the exact same "ThinkShield secure wipe" tool in my BIOS.

Finally, will my computer still be functional? "After the Resetting the Cryptographic Key of FDE is done, you cannot boot your computer from the HDD nor read data in the HDD. The HDD itself makes a cryptographic key and manages it, but the ThinkPad computer does not store any cryptographic key information. Once a new cryptographic key is defined by doing the Resetting the Cryptographic Key, as there is no way to restore the previous key, recovery of the HDD data is impossible."

Thank you for your help.

mat

1 Answer

They'll both erase all your data.

> Which one should I use?

Resetting the key is faster, but you have to trust that the drive is able to generate truly random keys. Using standard ATA Secure Erase is slower, although it is actually often implemented using SED, which is similar (they both involve wiping a key). Either way, your data will be unrecoverable.

> I feel like it doesn't make my data unavailable then because it still exists

It may exist in the theoretical sense but it cannot be recovered. If the key that was generated is random and unpredictable and is successfully erased, then the rest of your data will be rendered unrecoverable. Destroying a cryptographic key is just as effective as destroying the data itself.

> Finally, will my computer still be functional?

Your drive will no longer have an operating system on it. The computer will still work, but you'll need to install a new operating system if you want to do anything other than play in the BIOS menu.

forest
  • Do you think it matters if my computer isn't referenced in the documentation? [link](https://download.lenovo.com/pccbbs/thinkcentre_pdf/secure_erase_using_lenovo_p_series_workstations.pdf) Because I have the functionality in my BIOS so I think it should work, right? Which method would you recommend? And are they good or should I use some software? Because I asked Lenovo support and they told me to use Windows to erase but this is not what I want, and they told me to look for a "software" if I really want to erase sensitive data. Finally, how could I check if "full erase" worked? Thanks. – mat Aug 12 '22 at 16:26
  • @mat If your BIOS supports it, then it should be fine to do that. These erasure techniques are built into the hard drive firmware, so all any software would do is activate it. You can use either method. You could even use both if you want. – forest Aug 12 '22 at 21:54
  • Does my SSD need to have a cryptographic key to use the key reset option? Because I never did anything to my SSD, no idea if an SSD comes with a cryptographic key or if you have to do it yourself. – mat Aug 13 '22 at 12:45
  • @mat It's generated automatically. All data on modern SSDs is encrypted by default so that wiping the drive is as simple as telling the device to wipe the key. – forest Aug 13 '22 at 21:06
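
The point made in the answer, that the old data can still sit on the flash after a key reset and yet be unrecoverable, shown as an added example that is not part of the original thread. `ToySED` is a hypothetical model, the SHA-256 counter-mode keystream is a stand-in for the drive's hardware AES engine, and `secrets` stands in for the drive's own random key generator, which the answer says you have to trust.

```python
import hashlib
import secrets

SECTOR = 32  # bytes per sector in this toy model


def keystream(key: bytes, lba: int, length: int) -> bytes:
    """Stand-in for the drive's AES engine: SHA-256 in counter mode, per sector."""
    out, counter = b"", 0
    while len(out) < length:
        block = key + lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


class ToySED:
    """Hypothetical model of a self-encrypting drive; not real firmware."""

    def __init__(self, sectors: int):
        self._mek = secrets.token_bytes(32)     # media encryption key, kept inside the drive
        self.flash = [bytes(SECTOR)] * sectors  # raw cells; written sectors hold ciphertext only

    def _xor(self, lba: int, data: bytes) -> bytes:
        ks = keystream(self._mek, lba, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, lba: int, plaintext: bytes) -> None:
        self.flash[lba] = self._xor(lba, plaintext.ljust(SECTOR, b"\0"))

    def read(self, lba: int) -> bytes:
        return self._xor(lba, self.flash[lba])

    def crypto_key_reset(self) -> None:
        # The old key is overwritten with a fresh random one; flash cells are untouched.
        self._mek = secrets.token_bytes(32)


def demo() -> dict:
    drive = ToySED(sectors=4)
    secret = b"browser history, constructed".ljust(SECTOR, b"\0")  # constructed sample data
    drive.write(2, secret)
    raw_before = drive.flash[2]
    readable_before = drive.read(2) == secret
    drive.crypto_key_reset()
    return {
        "readable_before": readable_before,
        "ciphertext_still_on_flash": drive.flash[2] == raw_before,
        "readable_after": drive.read(2) == secret,
        "plaintext_ever_on_flash": secret in b"".join(drive.flash),
    }


if __name__ == "__main__":
    print(demo())
```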