2
1
Assume that I have a file which I want to securely delete on an SSD. If I do a regular delete and then fill all unused space with a random data file, would this work?
4
Because of wear leveling in flash storage devices (like SSD), in order to be certain of overwriting a deallocated block you'd need to write all unallocated flash storage blocks. Unfortunately, even doing the overwrite before deleting the file would require overwriting every single block not part of other files, because each write may land anywhere on the entire storage device as part of the wear leveling process. That means that in order to securely erase by overwriting, you effectively need to overwrite all space on the device not already part of other files outside the flash storage block(s) occupied by the file to be deleted, and even then you can't be certain you've overwritten the block that originally held the file in question, if there are other files (or fragments of them) in the same flash storage block.
Because of this, SSD (or flash storage in any form) is a bad choice for storing data that may need to be securely erased short of physical destruction of the device; stick with optical media which can be shredded, or magnetic storage that's amenable to mil-spec erasure with multiple pattern and random overwrites (and where data stays where it was so you can be sure it's been overwritten). If you must use flash media, I'd suggest the smallest capacity SD or thumb drive that will hold what you need, along with a reliable method to avoid physical loss of the storage device. That will both simplify the "overwrite the whole device" requirement for secure deletion, and reduce the cost of physical destruction of the device for absolutely certain deletion security.
1 This is not entirely correct. Using the secure_erase command has been found by organizations such as NIST to be superior to erasure via OS because it erases parts of the disk an OS cannot reach. It is part of the ATA standard and is performed via a command to the disk itself. Although it does require trusting proper hardware implementation of the standard, the NIST found this to not be an issue. I wish I had a link, but I can't find it right now. – Paul – 2014-12-24T19:10:46.460
Also, Bruce Schneier recently posted on his blog (last 6 months?) a study on using standard erasure methods, such as those available on tools like DBAN, and they determined that the data on even SSDs was completely erased (this did not address deleting areas not accessible by the OS). IIRC, it was only addressing full disk data destruction, not by file, as the question is asking. – Paul – 2014-12-24T19:13:02.733
A secure_erase isn't practical when only wiping a few files, but should work; a comment to another Q said that some SSDs didn't always correctly implement a secure_erase command (no reference though) http://superuser.com/a/22282/307834
3
AFAIK there is no truly secure way to delete files from an SSD; as the comments point out, the SSD's controller can decide to "move" its internal storage blocks from one accessible sector to another at whim (for wear leveling), and most keep an "extra" unused amount of blocks to swap out for bad ones in the future, or randomly.
So even if you overwrote every accessible block on an SSD there could still be blocks holding data that are inaccessible using normal tools.
There's sometimes a secure_erase ATA command available, but that should securely overwrite the entire drive, so couldn't be used for just wiping out a few files. (It's been commented that not all drives may secure_erase correctly too.)
If you want to keep sensitive data on an SSD and you're concerned about someone seeing the data later there are two recommendations:
1. Don't
2. Encryption - Then you don't worry about erasing your mistakes later, since they're already effectively "gone" without the key.
   - Encrypt only the sensitive data, and never write any sensitive non-encrypted data (watch out for non-encrypted memory cache / swap / system hibernation files).
   - Encrypt the entire SSD from the start, before writing any sensitive data to it, and keep all data on it encrypted - memory to disk files included.
1 My understanding is that full disk encryption would only work for an initial install, as any file that was saved to the disk without being encrypted will still remain, unless overwritten through normal operations. – Paul – 2014-12-24T19:18:45.137
@Paul True, I'll clarify my answer to explicitly specify that – Xen2050 – 2014-12-25T12:38:43.530
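A toy model of the behaviour the two answers above describe (out-of-place writes chosen by wear leveling, plus spare blocks the host cannot address), added here as an illustration and not code from any poster. `ToySSD`, `delete_then_fill` and all page counts are constructed; real controllers erase in multi-page blocks and use vendor-specific policies.

```python
import random

class ToySSD:
    """Page-granular toy FTL: every write lands on a fresh physical page."""
    def __init__(self, physical, seed=1):
        self.flash = [None] * physical       # raw NAND contents, not addressable by the host
        self.l2p = {}                        # logical page -> physical page
        self.free = list(range(physical))    # erased pages ready to be programmed
        self.stale = []                      # unmapped pages that still hold old data
        self.rng = random.Random(seed)

    def trim(self, lpn):
        """Unmap a logical page (regular delete with TRIM); the data is NOT erased."""
        ppn = self.l2p.pop(lpn, None)
        if ppn is not None:
            self.stale.append(ppn)

    def write(self, lpn, data):
        self.trim(lpn)                       # the old copy becomes stale, not overwritten
        if not self.free:                    # garbage-collect only when out of erased pages
            if not self.stale:
                raise RuntimeError("device full")
            ppn = self.stale.pop(0)
            self.flash[ppn] = None           # the only place old data is really erased
            self.free.append(ppn)
        ppn = self.free.pop(self.rng.randrange(len(self.free)))  # wear leveling: any free page
        self.flash[ppn] = data
        self.l2p[lpn] = ppn

    def host_view(self):
        """Everything the operating system can read back."""
        return [self.flash[p] for p in self.l2p.values()]

def delete_then_fill(physical, logical=100, used=60, secret_pages=4):
    """Return (secret pages the host can read, secret pages left in raw flash)."""
    ssd = ToySSD(physical)
    for lpn in range(used):
        ssd.write(lpn, "other-file")
    secret = range(used, used + secret_pages)
    for lpn in secret:
        ssd.write(lpn, "SECRET")
    for lpn in secret:
        ssd.trim(lpn)                        # the "regular delete"
    for lpn in range(used, logical):         # fill all unused space with junk
        ssd.write(lpn, "random-fill")
    return ssd.host_view().count("SECRET"), ssd.flash.count("SECRET")

if __name__ == "__main__":
    print("no spare area :", delete_then_fill(physical=100))
    print("20% spare area:", delete_then_fill(physical=120))
```

With spare area the fill never forces the controller to reclaim the stale pages, so the host sees a clean drive while the raw flash still holds the deleted file.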
1
Annoyingly, academic papers disagree on how you can usually destroy data.
There are a few things worth considering. Traditional disk sanitisation techniques are designed for hard drives - these write data more or less sequentially and are 'simpler' than the modern SSD. Generally treating an SSD like a HDD tends to destroy both performance and the SSD, and things like garbage collection are generally triggered by specific ATA commands like TRIM and Secure Delete.
Now, there are two viewpoints. One, espoused by Boddington et al (whose paper seems inaccessible) and an older paper by Gubanov et al, is that the garbage collection algorithms used by SSDs destroy data on their own.
On the other hand, Wei et al and a newer paper by Gubanov et al indicate you can never actually delete all the data, and sometimes conventional data sanitisation tools fail with SSDs.
In theory the right way to delete files permanently from an SSD is to use the secure deletion ATA command. In practice, if you want to be sure, you may want to consider full disk encryption with a password, or a keyfile in a traditional hard drive or destructible storage of some sort.
2
Memory management on an SSD depends on the controller. AFAIK, at the moment of write, the flash controller can decide to write to a different physical block and just mark the old physical block as unused. http://superuser.com/questions/22238/how-to-securely-delete-files-stored-on-a-ssd – Mikhail Moskalev – 2014-12-24T14:38:35.850
It depends, a 120GB SSD could actually have 140GB of storage. The unused storage blocks could be used as "backup" sectors if previously "good" sectors go bad. I am not sure whether or not the SSD controller will rotate through these sectors throughout the course of normal use. Marking a file as deleted and then writing over it is slow so it's possible that the sector gets marked as not in use and your file gets written somewhere else. This is why SSDs are sold at such wildly different storage capacities; load them up with storage cells and just tell the controller what to report! – MonkeyZeus – 2014-12-24T14:47:10.290
In addition to my comment above: http://superuser.com/a/747249 – MonkeyZeus – 2014-12-24T14:53:20.300