Is it normal for secure erase on a Samsung SSD to take only a few seconds?

9

0

I've run several secure erase operations on my 500GB Samsung SSD 850 EVO using the procedure described on the Linux ATA wiki and it takes only a few seconds to complete:

linux-203v:~ # time hdparm --user-master u --security-erase foo /dev/sdb
security_password="foo"

/dev/sdb:
 Issuing SECURITY_ERASE command, password="foo", user=user

real    0m2.745s
user    0m0.001s
sys     0m0.003s

When viewed in a hex editor after the erase, the drive is indeed completely blank.

Is this normal? Has the drive actually erased all NAND cells this quickly?

bwDraco

Posted 2016-12-06T18:58:42.307

Reputation: 41 701

We have one answer that says it's that fast because everything is written concurrently, and another that says it's because it isn't really done at all. This must be one of the "opinion-based" questions. :-) – fixer1234 – 2016-12-07T18:44:17.277

@fixer1234: No, one of the answers is simply wrong (possibly it would be correct for some other brand, but for the model named, the actual behavior is not "opinion-based" in the slightest) – Ben Voigt – 2016-12-07T19:39:04.867

@Ben: If you know, you might want to write an answer of your own. – bwDraco – 2016-12-08T00:08:49.127

@bwDraco It's already written? – Ramhound – 2016-12-10T23:00:17.827

Answers

9

One thing to know is that data is never stored "in clear" in an SSD because storing random data (instead of long series of zeros and ones that are naturally present in a lot of files) has benefits for the SSD endurance and reliability. Older SSDs were using LFSR but most (all?) newer SSDs are using AES encryption to randomise the data. If you don't set a password the SSD is still encrypted but the key is "publicly available".

For more information, and sources, see Journeyman Geek's answer at Why does my SSD internally encrypt data, even without a password set?

To secure erase, the deletion of the encryption key is enough, and that's pretty much instantaneous. A TRIM of all sectors will also be done for wear leveling purposes; that's what takes your 3 seconds.

When you check that the sectors are really blank, they are most probably not even read; there is no need from the controller's point of view, as you told it to TRIM them, so it knows they are blank.

Sacha K

Posted 2016-12-06T18:58:42.307

Reputation: 877

I'm already aware of this—I wrote the top answer on the question you're referring to. – bwDraco – 2016-12-07T18:22:31.193

Didn't notice. But basically encryption key deletion: instant, TRIM whole drive: 3 seconds, overwrite whole drive: not done as it's pointless. – Sacha K – 2016-12-07T18:29:55.370
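Added example, not part of the question or any answer here: before trusting a fast erase, compare the measured time with the estimate the drive itself advertises in the `Security:` section of `hdparm -I`, and confirm the drive was not frozen. The sample output is constructed, the function names and the 10% threshold are assumptions, and the result only shows how the timing compares; it does not prove what the firmware did to the NAND.

```bash
#!/bin/sh
# Constructed sample of the "Security:" section of `hdparm -I /dev/sdX`
# output (illustrative values, not taken from the asker's drive).
sample_identify() {
cat <<'EOF'
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
EOF
}

# Read `hdparm -I` text on stdin; print one key=value line per security fact.
parse_security() {
  awk '
    /^Security:/ { insec = 1; next }
    insec && /^[A-Za-z]/ { insec = 0 }   # next top-level section ends it
    !insec { next }
    {
      neg = ($1 == "not")
      if ($0 ~ /enhanced erase/) { print "enhanced_erase=" (neg ? "no" : "yes"); next }
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(supported|enabled|locked|frozen)$/) print $i "=" (neg ? "no" : "yes")
      if (match($0, /[0-9]+min for SECURITY ERASE UNIT/)) {
        s = substr($0, RSTART, RLENGTH); sub(/min.*/, "", s); print "erase_min=" s }
      if (match($0, /[0-9]+min for ENHANCED SECURITY ERASE UNIT/)) {
        s = substr($0, RSTART, RLENGTH); sub(/min.*/, "", s); print "enhanced_erase_min=" s }
    }'
}

# Compare a measured erase time (whole seconds, $1) with the drive's estimate.
# The 10% threshold is an assumption of this example, not an ATA rule.
assess_erase() {
  facts=$(parse_security)
  est=$(printf '%s\n' "$facts" | sed -n 's/^erase_min=//p')
  if printf '%s\n' "$facts" | grep -qx 'frozen=yes'; then
    echo "frozen"                        # erase commands are rejected
  elif [ -z "$est" ]; then
    echo "unknown"                       # drive advertises no estimate
  elif [ "$1" -lt $(( est * 6 )) ]; then # below 10% of est minutes, in seconds
    echo "faster-than-advertised measured=${1}s advertised=$(( est * 60 ))s"
  else
    echo "consistent measured=${1}s advertised=$(( est * 60 ))s"
  fi
}

sample_identify | assess_erase 3   # 2.745 s from the question, rounded up
```

On a real system, replace `sample_identify` with `hdparm -I /dev/sdX` run as root against the drive in question.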

4

Yes, that's normal.

Mechanical disks need to go to each sector on the disk one at a time and actually write over the previous data with a random data bit.

SSDs can simply send a wipe command to each of their sectors more or less simultaneously and the same thing happens.

This capability is built into the SATA interface, though different drives support it in different ways.

music2myear

Posted 2016-12-06T18:58:42.307

Reputation: 34 957

...and then there might be, I expect, a few cheap drives which don't bother erasing anything and just remap all sectors to a single empty cell via the FTL. – user1686 – 2016-12-06T21:22:10.930

Possibly. I work in a job that values security right now and we wipe all drives with mil-spec wipeage before we shred them (redundant, I know) and we're starting to get SSDs and so the question came "how do you wipe these". There are commands that'll wipe the drive, but it requires the drive to support the command (which it should be called ATA, but not all do). – music2myear – 2016-12-06T22:07:28.110

It is worth pointing out that, if you are truly worried about the data that once existed on a SSD, these wipe functions are truly only effective if you also use FDE. The obvious reason is that SSDs have additional space, to help wear out the cells better, what and how the wipe functions is up to the device itself. When this feature is used there is no guarantee it works correctly, wipes that additional space; you are simply told it happens. Built-in encryption of the drives is fine to use, but also use FDE provided by your OS. – Ramhound – 2016-12-07T16:32:36.970

Wipe all sectors (as in overwrite and destroy content) is not actually done for a secure erase. – Sacha K – 2016-12-07T18:32:26.607

There are some efficiencies to bulk erase of flash memories, but the times are still much MUCH longer than for single block erase. It's not possible to parallel erase the whole die for reasons of power consumption. – Ben Voigt – 2016-12-07T19:44:03.783