Posted: December 23, 2022
This page documents how to securely erase data from disks, hard drives, flash drives, or what have you.
Context
When you “delete” a file from your computer, the filesystem only removes the directory entry and marks the file’s blocks as free; the contents stay on disk until those blocks happen to be reused. Securely erasing data requires additional steps.
Without extra care, deleted files can often be recovered in full using simple, freely available tools. Think saved passwords, tax returns, and private messages.
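To see the gap between “deleted” and “gone” on a real filesystem, here is a constructed demonstration added to this post (it is not the author’s code). It builds a small ext4 image with mke2fs, writes and then unlinks a file through debugfs (so no root privileges or mounting are needed), and searches the raw image bytes before and after; the marker string, image size and file names are arbitrary choices. The zero-fill at the end is the sequential overwrite discussed later in the post, applied to the image file.

```shell
#!/bin/sh
# Constructed demonstration (added to this post, not the author's code):
# a "deleted" file's bytes survive on a filesystem until something
# overwrites them. Requires mke2fs and debugfs from e2fsprogs; debugfs
# edits the image directly, so no root privileges or mounting are needed.
set -eu

# Arbitrary marker we will look for in the raw image bytes.
SECRET='CONSTRUCTED-SECRET-TOKEN-7f3a'

make_image() {
    # $1 = image path. 16 MiB is plenty for a default ext4 layout.
    rm -f "$1"
    truncate -s 16M "$1"
    mke2fs -q -F -t ext4 "$1" >/dev/null 2>&1
}

write_and_delete() {
    # $1 = image path. Create secret.txt on the image, then unlink it,
    # which is all that `rm` does: the directory entry goes, the blocks stay.
    tmp=$(mktemp)
    printf '%s\n' "$SECRET" >"$tmp"
    debugfs -w -R "write $tmp secret.txt" "$1" >/dev/null 2>&1
    debugfs -w -R "rm secret.txt" "$1" >/dev/null 2>&1
    rm -f "$tmp"
}

file_listed() {
    # Prints yes/no: does the filesystem still have a directory entry for it?
    if debugfs -R "ls -l /" "$1" 2>/dev/null | grep -q 'secret.txt'; then
        echo yes
    else
        echo no
    fi
}

secret_present() {
    # Prints yes/no: is the marker anywhere in the raw bytes of the image?
    # This is what a carving tool (or plain grep) does on a recovered disk.
    if grep -aq "$SECRET" "$1"; then echo yes; else echo no; fi
}

zero_fill() {
    # The sequential overwrite from the HDD section, applied to the image.
    dd if=/dev/zero of="$1" bs=4M count=4 conv=notrunc status=none
}

main() {
    img=${1:-./deleted-data-demo.img}
    make_image "$img"
    write_and_delete "$img"
    echo "directory entry present after rm:     $(file_listed "$img")"
    echo "secret bytes present after rm:        $(secret_present "$img")"
    zero_fill "$img"
    echo "secret bytes present after zero-fill: $(secret_present "$img")"
    rm -f "$img"
}

main "$@"
```

The middle line of the output is the point: the directory listing says the file is gone while grep still finds its contents in the free blocks. Only the overwrite at the end actually removes them.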
Secure erasure is particularly important if you need to dispose of an old computer. Even if you’re giving the computer to a trusted friend, you never know where it may end up.
Don’t trust your friend (or anyone else) to securely dispose of your data. This is your responsibility.
Prevention using full disk encryption
If your entire disk is encrypted with strong cryptography, securely erasing data is almost a moot point. Without the passphrase (from which the key is derived), the bytes on disk are indistinguishable from random, and destroying the on-disk header that holds the wrapped keys (together with any backup of it) makes the whole disk unreadable at once.
I always recommend that users fully encrypt every disk using OS-level encryption, e.g. LUKS, FileVault, or BitLocker.
This helps whether you’re deleting a single file or need to wipe the entire drive.
So why bother erasing the data? Encryption is not perfect: implementations have had bugs, passphrases are often far weaker than the cipher, and a copy of the ciphertext taken today can be attacked with whatever tools exist in the future.
Brute-forcing a modern encrypted drive would take an unimaginable amount of energy, but a weak passphrase or a flawed implementation needs no brute force. Wiping the disk as well costs little and removes the question.
Securely erasing a single file
There are various “shredder” programs you can use for this purpose. Be aware that they work by overwriting the file in place, which only helps when the filesystem really writes to the same physical blocks; on SSDs (wear levelling) and on copy-on-write or journaled filesystems the old copy can survive, so a shredder is no substitute for whole-drive erasure or encryption.
Personally, I’ve never seen a need for this, as all of my drives are fully encrypted.
Unencrypted access to my current drives is not part of my personal threat model. It would take a state-level actor to get it, and against that kind of adversary we are largely helpless anyway.
Securely erasing an entire drive
The technique to securely erase an entire drive depends on the type of drive you have.
To see a list of drives on a Linux computer, use the lsblk command. Its default output shows the /dev/*** mappings and sizes but not the drive type; add the TRAN and ROTA columns (lsblk -d -o NAME,TRAN,ROTA,MODEL) to see the transport (sata, nvme, usb) and whether the drive is rotational.
Platter-style disk drives (HDD)
With platter-style drives, the standard technique is to overwrite the whole disk sequentially with zeros (or another fixed pattern). One pass is enough for any modern drive (NIST SP 800-88 considers a single overwrite pass sufficient); multi-pass patterns date from much older, lower-density media. Note that an overwrite from the host cannot reach sectors the drive has already remapped as bad; ATA Secure Erase, described below for SATA drives, does. I don’t have much familiarity with this technique, and I haven’t had an HDD in many years.
This command writes zeros over the entire target drive. It ends with “No space left on device” when it reaches the end of the disk, which is expected; status=progress shows how far it has got:
sudo dd if=/dev/zero of=/dev/*** bs=4M status=progress
SSDs and flash memory
Flash memory devices, including SSDs, have limited write endurance, and their controllers spread writes across spare cells (wear levelling), so an overwrite from the host cannot reach every cell that ever held your data.
Overwriting an SSD from the host therefore both wears it out and leaves copies behind. Instead, we use a different technique for SSDs: asking the drive’s firmware to erase itself.
In short, there are hardware standards for this (ATA Secure Erase for SATA drives; the Format and Sanitize commands for NVMe), but how thoroughly a given drive implements them is left to the manufacturer’s firmware.
This is a very good reason to choose a trusted SSD manufacturer!
Hardware encryption
Many SSDs support hardware encryption (self-encrypting drives), which is separate from OS-level full disk encryption.
Whether you’ve encrypted your disk at the OS level or not, the controller may encrypt everything with its own key before writing it to flash.
If hardware encryption is in use, the “erasing” process may be near-instantaneous (less than a second). In this case the SSD is not actually wiping any of your data: it discards the old encryption key and generates a new one, so the old ciphertext can no longer be read. This is called a cryptographic erase.
This is generally a good thing, as it causes no wear on your SSD.
But there is a downside: if the drive’s encryption implementation is flawed, your data could still be accessible, and independent audits of self-encrypting drive firmware have found such flaws before. It’s entirely possible that state-level actors can exploit this, but it’s not part of my personal threat model. And short of a slow and, on an SSD, incomplete full overwrite, I don’t see an alternative.
SATA SSDs
If your SSD connects via SATA, it likely supports ATA Secure Erase. Its documentation has a bunch of instructions and caveats. I recommend reading closely.
In short, you will use hdparm to send the erase commands to the drive itself: confirm with hdparm -I that security is supported and reported as “not frozen”, set a temporary user password, then issue the secure-erase command with that password (the erase disables the password again). If the drive reports “frozen”, a suspend/resume cycle usually clears it. See man hdparm for more details.
NVMe SSDs
If your SSD connects via NVMe, you can use the nvme format command from nvme-cli, run against the namespace device. -s 1 requests a user-data erase; -s 2 requests a cryptographic erase instead (the fast key rotation described above), which only works if the drive supports it:
sudo nvme format -s 1 /dev/nvme***
If you get an error like:
NVMe status: INVALID_FORMAT: The LBA Format specified is not supported. This may be due to various conditions(0x410a)
Try putting the computer to sleep, waking it immediately, and running the command again. (The same suspend/resume trick clears the “frozen” state on SATA drives.)
Note: there is no Ubuntu package called nvme-format; nvme format is a subcommand of the nvme binary, which is installed by the nvme-cli package:
sudo apt-get install nvme-cli
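Putting the whole-drive procedure together, here is an added example script (not the author’s own tooling) that detects the drive type with lsblk and then applies the method from the matching section: the zero-fill for spinning disks, the hdparm password/erase sequence for SATA SSDs with the “frozen” check first, nvme format for NVMe drives, and, if the device is a LUKS container, cryptsetup luksErase to destroy its key slots before the physical erase (the cryptographic-erase counterpart of the hardware-encryption section above). The command-line flags are those documented in the hdparm, nvme-cli and cryptsetup man pages; the device paths and the DRY_RUN and SECURE_ERASE_RUN variables are this example’s own conventions. With the default DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the author's script): pick the erase method for a
# whole device from its transport type, then run the commands from the
# sections above. DRY_RUN=1 (the default) only prints what would run.
# Assumptions: lsblk's TRAN/ROTA columns, hdparm, nvme-cli and cryptsetup
# behave as documented in their man pages; device paths are illustrative.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    # Echo a command, and execute it only when DRY_RUN=0.
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

erase_method() {
    # $1 = transport as reported by lsblk TRAN (sata, nvme, usb, ...),
    # $2 = lsblk ROTA (1 = spinning platters). Prints the method name.
    case "$1" in
        nvme) echo nvme-format ;;
        sata|ata)
            # Spinning SATA disks get the overwrite from the HDD section;
            # ATA Secure Erase works on them too and also covers remapped sectors.
            if [ "$2" = 1 ]; then echo overwrite; else echo ata-secure-erase; fi ;;
        *)
            # USB bridges rarely pass ATA security commands through, so the
            # only portable option is a full overwrite.
            echo overwrite ;;
    esac
}

ata_security_state() {
    # Reads `hdparm -I` output on stdin and prints frozen / ready / unknown.
    # hdparm prints "\tnot\tfrozen" when an erase can proceed and
    # "\t\tfrozen" when the BIOS locked security at boot (suspend/resume clears it).
    sec=$(sed -n '/^Security:/,/^[^[:space:]]/p')
    if printf '%s\n' "$sec" | grep -q '^[[:space:]]*frozen'; then
        echo frozen
    elif printf '%s\n' "$sec" | grep -q 'not[[:space:]]*frozen'; then
        echo ready
    else
        echo unknown
    fi
}

erase_device() {
    # $1 = whole-disk device, e.g. /dev/sda or /dev/nvme0n1 (illustrative).
    dev="$1"
    if [ "$DRY_RUN" = 0 ] && [ "$(id -u)" != 0 ]; then
        echo "run as root to actually erase $dev" >&2
        return 1
    fi
    info=$(lsblk -dno TRAN,ROTA "$dev")
    tran=${info%% *}
    rota=${info##* }
    method=$(erase_method "$tran" "$rota")
    echo "$dev: transport=${tran:-unknown} rotational=$rota method=$method"

    # If the device is a LUKS container, destroy its key slots first: that is
    # an instant cryptographic erase (unless a header backup exists elsewhere).
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        run cryptsetup luksErase "$dev"
    fi

    case "$method" in
        nvme-format)
            # -s 1 = user-data erase; -s 2 asks for a cryptographic erase instead.
            # An INVALID_FORMAT error often clears after a suspend/resume cycle.
            run nvme format -s 1 "$dev" ;;
        ata-secure-erase)
            if [ "$DRY_RUN" = 0 ]; then
                state=$(hdparm -I "$dev" | ata_security_state)
                if [ "$state" != ready ]; then
                    echo "security state is '$state'; suspend/resume, then retry" >&2
                    return 1
                fi
            fi
            # Set a temporary user password, then erase with it; the erase
            # disables the password again.
            run hdparm --user-master u --security-set-pass NULL "$dev"
            run hdparm --user-master u --security-erase NULL "$dev" ;;
        overwrite)
            # dd exits with "No space left on device" when it reaches the end
            # of the disk; that is the expected way for a full overwrite to finish.
            run dd if=/dev/zero of="$dev" bs=4M status=progress || true ;;
    esac
}

# Usage: SECURE_ERASE_RUN=1 [DRY_RUN=0] sh secure-erase.sh /dev/sdX
if [ "${SECURE_ERASE_RUN:-0}" = 1 ]; then
    erase_device "$1"
fi
```

Run it first with the default DRY_RUN=1 to see which method it picked and the exact commands it would issue for your device; the functions are also usable on their own, for example by piping hdparm -I output into ata_security_state to check whether a drive is frozen before you start.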