Previously I talked about data sanitation on magnetic media (see my DoD tutorial). Now I want to explore the same topic, only with solid state drives. Data sanitation for SSDs is very different from data sanitation for HDDs – it is both easier and harder. Easier because there’s no residual data left over – once a solid state transistor is flipped, it’s flipped entirely; there’s no residue left over from the previous value as there is when using a magnetic head.
At the same time it’s harder because wear-leveling on an SSD means you can’t directly overwrite a region of the drive and expect it to work; chances are you’ll end up overwriting a completely different region because that’s how SSDs do things. They have to level the wearing by writing new data to a new region of the drive, and doing this in a rotating fashion, in order to extend the life of the drive. The unfortunate side effect of this is that you can’t securely erase single files in a reliable manner. If you want to securely erase data on an SSD, you have to erase the entire thing.
This is really all you need to know to understand the method I’m about to give you. 1. You don’t need multiple overwrites, and 2. Wear-leveling means an SSD is erased in a circular fashion. Let’s say we have an SD card with data that we’re no longer using, and we want to repurpose it for something else. What we’re going to do is simply overwrite the entire thing with zeros. This method works because even though we may not be writing the zeros to the correct place if we only overwrite part of the drive, if the number of zeros we write is exactly equal to the size of the drive in bits, anything we miss will be overwritten later when we wrap around. The ultimate effect of this is complete sanitation of the entire SSD.
First we open up the Linux terminal and find the device location for the SSD. We can usually tell which one it is by examining its size (with
df), its mount point (with
mount), and the number of partitions on it or the type of those partitions (with
fdisk). Typically we don’t have to do this though, because the identity of the drive will be apparent from our particular use case.
$ ls /dev console random sda2 sr0 urandom full sda sdb tty zero null sda1 sdb1 ttyS0
That’s just a sample listing of the /dev directory in Linux, though a real one would most likely have a lot more in it. In any case, here we see the device files corresponding to our mass storage drives – these will typically be called sdxX where x is a letter that indicates the physical medium and X is a number that indicates the partition. sda almost always refers to the hard drive, and here we can see it has two partitions. sdb is our SD card, and we can verify this by running
df -H and looking at the size of /dev/sdb1.
Now that we know what device file we want to erase, there’s one more file we need, and that file is also in the /dev directory. It’s /dev/zero. /dev/zero is a character special file that just spits out an endless stream of zero bytes when we read from it. This means that when we copy its contents to a file, it will zero out that file. But we can’t just use a regular copy like
cp. We’re trying to copy the data in the file, not the file itself. This doesn’t make much of a difference when we’re copying regular files, but it makes a huge difference when we’re doing I/O with special files. For this we need to use a binary copy, and to accomplish that there is a very nifty command called
$ dd if=/dev/zero of=/dev/sdb
There are quite a few options available for
dd, and you can find them all in the man page, but for now the only two you need to know about are
if designates the input file – the source of the data stream – while
of designates the output file – the destination for the data stream.
Once you have entered this command, it will take several minutes to a few hours to run, depending on the size of the SSD being sanitized. Afterward it will display a message that looks something like this:
8388608+0 records in 8388608+0 records out 34359738368 bytes transferred in 25.589 mins (23430926 bytes/sec $
You can now verify that the SSD was properly erased by typing the following command at the terminal:
$ hexdump /dev/sdb | less
If you see an output like this…
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 * 80000000 END
…That means all bits on the drive have been successfully cleared.
Just remember that because this drive is completely erased, you will have to rebuild the partition table and all the partitions from scratch, either with
fdisk or some other program.