this post was submitted on 19 May 2025
82 points (96.6% liked)

Linux

54487 readers
568 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
82
Shredding my SSDs (NVMe) under linux? (feddit.org)
submitted 1 week ago by sp3ctre@feddit.org to c/linux@lemmy.ml
52 comments fedilink hide all child comments
 

Hey guys,

I want to shred/sanitize my SSDs. If it was a normal harddrive I would stick to ShredOS / nwipe, but since SSD's seem to be a little more complicated, I need your advice.

When reading through some posts in the internet, many people recommend using the software from the manufacturer for sanitizing. Currently I am using the SSD SN850X from Western digital, but I also have a SSD 990 PRO from Samsung. Both manufacturers don't seem to have a specialized linux-compatible software to perform this kind of action.

How would be your approach to shred your SSD (without physically destroying it)?

~sp3ctre

you are viewing a single comment's thread
view the rest of the comments
[–] bizdelnick@lemmy.ml 5 points 1 week ago (2 children)

Just use blkdiscard.

[–] A_norny_mousse@feddit.org 3 points 1 week ago

TIL! Or should I say TILL! (Today I learned (more about) Linux)

[–] sxan@midwest.social 2 points 1 week ago (2 children)

Educate me.

My response would normally be: dd if=/dev/random of=/dev/sdX ba=1024M, followed by a sync. Lowest common denominator nearly always wins in my book over specialty programs that aren't part of minimal core; tools that also happen to be in BusyBox are the best.

What makes this situation special enough for something more complex than dd? Do SSDs not actually save the data you tell them to? I'm trying to guess at how writing a disk's worth of garbage directly to the device would fail. I'm imagining some holographic effect, where you can actually store more data than the drive holds. A persistent, on disk cache that has no way of directly affecting, but which can somehow be read later and can hold latent data?

If I were really, I'd dd, read the entire disk to /dev/null, then dd again. How would this not be sufficient?

I'm honestly trying to figure out what the catch is, here, and why this was even a question - OP doesn't sound like a novice.

[–] hendrik@palaver.p3x.de 6 points 1 week ago* (last edited 1 week ago) (1 children)

SSDs don't store the data like HDDs, where you'd overwrite the same part on a magnetic platter. The controller on a SSD will instead handle it, do some magic and decide what to do. So if you use dd to replace some part with zeros, it might instead invalidate the old data, allocate new memory to you and not really overwrite anything. That's why SSDs have separate commands for wiping content.

I'd say google for "ssd secure erase":

[–] sxan@midwest.social 2 points 1 week ago (2 children)

I agree dd isn't useful for individual files. I contend that if I have an SSD of size X, and I write X amount of random bytes to it, there's nothing magic about the SSD construction that will preserve any previous information on the drive. Wear leveling can not magically make the drive store more data than it can hold.

[–] hendrik@palaver.p3x.de 10 points 1 week ago* (last edited 1 week ago) (1 children)

Well, in fact it can. That's "overprovisioning". The SSD has some amount of reserved space as replacement for bad cells, and maybe to speed things up. So if you overwrite 100% of what you've access to on the SSD, you'd still have X amount of data you didn't catch. But loosely speaking you're right. If you overwrite the entire SSD and not just files or one partition or something like that, you'd force it to replace most of the content.
I wouldn't recommend it, though. There is secure erase, blkdiscard and some nvme format commands which do it the right way. And 'dd' is just a method that get's it about right (though not 100%) in one specific case.

[–] sxan@midwest.social 3 points 1 week ago (1 children)

Hum. I read that blkdiscard only marks the blocks (cells?) as empty, and doesn't change the contents; and that a sophisticated enough lab can still read the bits.

In particular, the disk has to claim to support "Deterministic read ZEROs after TRIM"; if it doesn't, you have no guarantee of erasure. Without knowing anything about the make and model, blkdiscard would be categorically less secure.

Right?

[–] hendrik@palaver.p3x.de 2 points 1 week ago* (last edited 1 week ago) (1 children)

Yes, thanks. Just invalidating or trimming the memory doesn't cut it. OP wants it erased so it needs to be one of the proper erase commands. I think blkdiscard also has flags for that, so I believe you could do it with that command as well, if it's supported by the device and you append the correct options. (zero, secure) I think other commands are easier to use (if supported).

[–] sxan@midwest.social 2 points 1 week ago (1 children)

I did read (on the Arch wiki) that blkdiscard -z is identical to dd if=/dev/zero, so that tracks. It's (blkdiscard) is easier to use. However, given my memory and how infrequently I'll ever use it, I'll have forgotten the name of the command by next week. I'll never forget dd, though, mainly because it's more general purpose and I use it occasionally.

OP probably wants blkdiscard -z, though.

[–] hendrik@palaver.p3x.de 1 points 1 week ago* (last edited 1 week ago)

I'm not sure about that. I think OP wants something like ATA secure erase. That would be hdparm and a bunch of options, and not blkdiscard. Unless they specifically know what they're doing and what options to pick. And what the controller will do in return.

[–] catloaf@lemm.ee 4 points 1 week ago (1 children)

But it can store more data than it tells you it can. All drives are actually lying about their capacity; they all have extra sectors to replace bad ones.

[–] sxan@midwest.social 2 points 1 week ago (1 children)

Not that much extra.

[–] catloaf@lemm.ee 2 points 1 week ago

Enough to not consider it securely erased.

[–] bizdelnick@lemmy.ml 2 points 1 week ago

Well, first I need to note that blkdiscard is not more secure. But it is much more faster. It does not actually wipe flash memory, it just tells the controller to mark it as unused. So it will drop stored data at the moment it decides the best. Maybe immediately, maybe just before writing new data. But anyway it wont provide ability to read it. It would be still possible if you can get direct access to the flash memory bypassing the controller.

Second, you forgot that SSDs are not HDDs and data are not stored exactly at offset you write them. The controller remaps memory blocks as needed. And it has more blocks than actually available to user. So when you use dd (or cp, or any other program writing directly to block device) you only override blocks that are actually mapped, but some blocks can still keep old data. So using dd is also not secure in case someone can get direct access to the flash memory. But it takes much longer time and reduces the flash lifetime.

Several people here mentioned a secure erase feature of SSDs. I didn't know about it. It should be more secure than both methods if implemented correctly by the manufacturer (i. e. clears all memory cells immediately). In the worst case it could be the same as blkdiscard, I guess.