Re: SSD erase question
- In reply to: Royce Williams : "Re: SSD erase question"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 21 Mar 2022 20:59:13 UTC
> camcontrol security -s anypass -e anypass -y ada[X] Thanks to all who answered to my question, I'll stick with camcontrol, having dc3dd as a second option in mind. Best wishes, Damian On Mon, 21 Mar 2022, Royce Williams wrote: > Date: Mon, 21 Mar 2022 18:26:25 > From: Royce Williams <royce@techsolvency.com> > To: freebsd-security@freebsd.org > Subject: Re: SSD erase question > > Even multi-pass overwrite of SSDs is not a sufficient purge, due to how > writing is distributed / optimized on SSDs. So dd / dc3dd is insufficient. > Only invoking the on-controller ATA Secure Erase / sanitize command (using > 'camcontrol security -e' as Eugene said elsewhere in the thread) is the > validated[1] method: > > camcontrol security -s anypass -e anypass -y ada[X] > > This also happens to be much faster than an overwrite, because it's > implemented as "encrypt the entire medium with a random key, then discard > the key". > > 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.p > df, p. 36, Table A-8 > > -- > Royce > > > On Mon, Mar 21, 2022 at 7:19 AM Sam Ricchio <sam.ricchio@gmail.com> wrote: > On and SSD if you have erased everything ssd ?garbage collection? > should help you if the drive it powered on. > But if you want to overwrite the drive > A simple overwrite with a text pattern with dc3dd. > dc3dd wipe=/dev/sdb tpat=nothingtoseehere > However if you are still worried that some controller optimization is > interfering > with and actual memory location overwrite. Go old school with dd and > write > a file of random to the existing file system until it runs out of > space. > dd if=/dev/urandon of=garbagetxtfile.txt > > > > > On Mar 21, 2022, at 7:14 AM, Damian Weber <dweber@htwsaar.de> wrote: > > > Hi all, > > I'd like to have an answer on a secure FreeBSD way to erase > SSDs before giving these away to someone for reusing it. > > Is the following enough to protect confidential data > previously stored there? > > 1) dd : overwriting with random bits (complete capacity) > 2) gpart create > 3) gpart add > 4) newfs > > Details for an example with /dev/ada1 see below. > > Thanks a lot, > > Damian > > > # fdisk ada1 > ******* Working on device /dev/ada1 ******* > parameters extracted from in-core disklabel are: > cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) > > Figures below won't work with BIOS for partitions not in cyl 1 > parameters to be used for BIOS calculations are: > cylinders=484521 heads=16 sectors/track=63 (1008 blks/cyl) > > Media sector size is 512 > Warning: BIOS sector numbering starts with sector 1 > Information from DOS bootblock is: > The data for partition 1 is: > sysid 238 (0xee),(EFI GPT) > start 1, size 488397167 (238475 Meg), flag 0 > beg: cyl 0/ head 0/ sector 2; > end: cyl 1023/ head 255/ sector 63 > The data for partition 2 is: > <UNUSED> > The data for partition 3 is: > <UNUSED> > The data for partition 4 is: > <UNUSED> > > # gpart show ada1 > => 40 488397088 ada1 GPT (233G) > 40 1024 1 freebsd-boot (512K) > 1064 480246784 2 freebsd-ufs [bootme] (229G) > 480247848 8149280 3 freebsd-swap (3.9G) > > # dd if=/dev/random of=/dev/ada1 bs=512 count=488397088 > > # gpart create -s gpt ada1 > > # gpart add -t freebsd-ufs ada1 > > # newfs -U /dev/ada1p1 > > > > >