Re: SSD erase question

From: Damian Weber <dweber_at_htwsaar.de>
Date: Mon, 21 Mar 2022 20:59:13 UTC
>  camcontrol security -s anypass -e anypass -y ada[X]

Thanks to all who answered to my question, I'll stick with
camcontrol, having dc3dd as a second option in mind.

Best wishes,

  Damian


On Mon, 21 Mar 2022, Royce Williams wrote:

> Date: Mon, 21 Mar 2022 18:26:25
> From: Royce Williams <royce@techsolvency.com>
> To: freebsd-security@freebsd.org
> Subject: Re: SSD erase question
> 
> Even multi-pass overwrite of SSDs is not a sufficient purge, due to how
> writing is distributed / optimized on SSDs. So  dd / dc3dd is insufficient.
> Only invoking the on-controller ATA Secure Erase / sanitize command (using
> 'camcontrol security -e' as Eugene said elsewhere in the thread) is the
> validated[1] method:
> 
>     camcontrol security -s anypass -e anypass -y ada[X]
> 
> This also happens to be much faster than an overwrite, because it's
> implemented as "encrypt the entire medium with a random key, then discard
> the key".
> 
> 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.p
> df, p. 36, Table A-8
> 
> -- 
> Royce
> 
> 
> On Mon, Mar 21, 2022 at 7:19 AM Sam Ricchio <sam.ricchio@gmail.com> wrote:
>       On and SSD if you have erased everything ssd ?garbage collection?
>       should help you if the drive it powered on.
> But if you want to overwrite the drive
> A simple overwrite with a text pattern with dc3dd.
> dc3dd wipe=/dev/sdb tpat=nothingtoseehere
> However if you are still worried that some controller optimization is
> interfering
> with and actual memory location overwrite.  Go old school with dd and
> write
> a file of random to the existing file system until it runs out of
> space.
> dd if=/dev/urandon of=garbagetxtfile.txt
> 
> 
> 
> 
> On Mar 21, 2022, at 7:14 AM, Damian Weber <dweber@htwsaar.de> wrote:
> 
> 
> Hi all,
> 
> I'd like to have an answer on a secure FreeBSD way to erase
> SSDs before giving these away to someone for reusing it.
> 
> Is the following enough to protect confidential data
> previously stored there?
> 
> 1)  dd : overwriting with random bits (complete capacity)
> 2)  gpart create
> 3)  gpart add
> 4)  newfs
> 
> Details for an example with /dev/ada1 see below.
> 
> Thanks a lot,
> 
>   Damian
> 
> 
> # fdisk ada1
> ******* Working on device /dev/ada1 *******
> parameters extracted from in-core disklabel are:
> cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl)
> 
> Figures below won't work with BIOS for partitions not in cyl 1
> parameters to be used for BIOS calculations are:
> cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl)
> 
> Media sector size is 512
> Warning: BIOS sector numbering starts with sector 1
> Information from DOS bootblock is:
> The data for partition 1 is:
> sysid 238 (0xee),(EFI GPT)
>    start 1, size 488397167 (238475 Meg), flag 0
>        beg: cyl 0/ head 0/ sector 2;
>        end: cyl 1023/ head 255/ sector 63
> The data for partition 2 is:
> <UNUSED>
> The data for partition 3 is:
> <UNUSED>
> The data for partition 4 is:
> <UNUSED>
> 
> # gpart show ada1
> =>       40  488397088  ada1  GPT  (233G)
>         40       1024     1  freebsd-boot  (512K)
>       1064  480246784     2  freebsd-ufs  [bootme]  (229G)
>  480247848    8149280     3  freebsd-swap  (3.9G)
> 
> # dd if=/dev/random of=/dev/ada1 bs=512 count=488397088
> 
> # gpart create -s gpt ada1
> 
> # gpart add -t freebsd-ufs ada1
> 
> # newfs -U /dev/ada1p1
> 
> 
> 
> 
>