Does the destruction of sensitive information limit the choice of hard drives to non-flash based devices?

Data destruction is a technique of last resort. If you are planning to use a new storage device, you should use full disk encryption. This allows you to either destroy the encrypted master key or simply forget the password, effectively rendering all data unrecoverable, despite no data actually being wiped. Encryption is a solution for both solid state and standard hard drives. Use a strong algorithm like AES.

If you absolutely need to use a hard drive without full disk encryption, you should get one which supports SED, which is transparent hardware encryption. SED transparently encrypts all data written to the drive, but keeps the encryption key stored in a special area. When you initiate secure erasure, this key is all that is destroyed. This feature is supported on most modern SSDs and HDDs. If you do not know if a drive supports it, you can often conclude that it is supported if the estimated ATA Secure Erase time is showing as only two minutes, regardless of how large the drive itself is.

There is nothing intrinsic to the data storage methods used by solid state media that makes it hard to perform data destruction, but their firmware makes it impossible for the operating system to overwrite specific sectors due to wear leveling, a feature that spreads writes around the drive to decrease the wear and tear on individual flash cells (each of which has a finite lifespan). This does mean that you cannot overwrite data on SSDs reliably. You can still use SED if the drive implements it, and you can use ATA Secure Erase as well, but if you need to manually overwrite a range of sectors, use an HDD.

Note that, if you do use an SSD and are using full disk encryption and you have TRIM enabled, the drive will leak a limited amount of metadata, as explained in this excellent blog post. You can usually disable TRIM at a small performance penalty, but you will avoid metadata leakage. Whether or not the exact metadata leaked is problematic depends on your specific threat model.
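The heuristic above (a very short advertised ATA Secure Erase time pointing at a drive that erases by destroying its key) can be checked from the `Security:` section of `hdparm -I` output. The script below is an added example, not part of the original answer: it parses that section, reports whether the security feature set is supported, whether the drive is currently frozen (a common BIOS default that makes any later erase command fail until the drive is unfrozen), whether enhanced erase is advertised, and what erase time the drive claims. Both excerpts embedded in it are constructed to resemble real `hdparm -I` output; the function names are the example's own. The script only reads and reports; it issues no erase command.

```shell
#!/bin/sh
# Added example: inspect the "Security:" section of `hdparm -I` output.
# On a real system run:  sudo hdparm -I /dev/sdX | ata_security_report
# The two samples below are CONSTRUCTED for this example.

# Constructed excerpt resembling a drive whose erase time suggests key-based (crypto) erase.
SAMPLE_SED_DRIVE='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed excerpt resembling a large HDD that must physically overwrite every sector,
# and which the BIOS has left frozen at boot.
SAMPLE_HDD='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	more than 508min for SECURITY ERASE UNIT. more than 508min for ENHANCED SECURITY ERASE UNIT.'

# security_supported <output>: "yes" if the ATA security feature set is supported.
# hdparm prints the positive flag as an indented bare "supported" line; the negative
# form is "not supported", which the anchored regex deliberately does not match.
security_supported() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*supported[[:space:]]*$'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# drive_frozen <output>: "yes" if the security state is frozen (erase commands will be rejected).
drive_frozen() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*frozen[[:space:]]*$'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# enhanced_erase <output>: "yes" if the drive advertises ENHANCED SECURITY ERASE.
enhanced_erase() {
    if printf '%s\n' "$1" | grep -q 'supported: enhanced erase'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# erase_minutes <output>: advertised minutes for SECURITY ERASE UNIT, or "unknown".
# The "[^0-9]" guard keeps the greedy ".*" from swallowing leading digits of the number.
erase_minutes() {
    m=$(printf '%s\n' "$1" \
        | sed -n 's/.*[^0-9]\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p' \
        | head -n 1)
    if [ -n "$m" ]; then printf '%s\n' "$m"; else printf 'unknown\n'; fi
}

# likely_crypto_erase <output>: "yes" when the advertised time is at most two minutes,
# the rule of thumb from the answer above; it is a hint, not proof. Confirm with the
# vendor's documentation before relying on it for sanitisation.
likely_crypto_erase() {
    m=$(erase_minutes "$1")
    case "$m" in
        unknown) printf 'unknown\n' ;;
        *) if [ "$m" -le 2 ]; then printf 'yes\n'; else printf 'no\n'; fi ;;
    esac
}

# ata_security_report: read hdparm -I output on stdin and print a summary.
ata_security_report() {
    out=$(cat)
    printf 'security feature set supported : %s\n' "$(security_supported "$out")"
    printf 'drive frozen (erase would fail): %s\n' "$(drive_frozen "$out")"
    printf 'enhanced erase advertised      : %s\n' "$(enhanced_erase "$out")"
    printf 'advertised erase time (min)    : %s\n' "$(erase_minutes "$out")"
    printf 'likely key-based (crypto) erase: %s\n' "$(likely_crypto_erase "$out")"
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SED_DRIVE" | ata_security_report
echo '---'
printf '%s\n' "$SAMPLE_HDD" | ata_security_report
```

The frozen check matters in practice: most firmware freezes the security feature set during boot, so a sanitisation procedure that ends in `hdparm` will fail on such a drive until it has been unfrozen (typically a suspend/resume cycle or a hot re-plug), which is worth knowing before you are standing in front of a pallet of drives.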

Tl;dr: Because you can never trust all storage drives to securely wipe themselves, you must plan as if none of your drives can be securely wiped.

Placing a dependency on the type of media is not the right way to approach the problem, because the technology is always evolving and changing, and you can never be in 100% control of all IT spend. Remember that disks were never designed for secrecy first - they are designed for the opposite: reliable access. (Some disk makers like to maximize profits by selling their products as “security solutions”, but that still doesn’t make them the best choice for the job.)

For example, Shadow IT (aka the boss’s kid) is good at buying consumer equipment like SSDs and installing it in the department desktops without asking permission. Or a non-profit might have to accept a generous donation of a hundred drives from some corporate sponsor (for political or marketing reasons) that don’t support Secure Erase. Decent corporate laptops don’t even offer spinny disks as an option anymore, while wear-leveling algorithms ensure that SSDs always risk leaking some data in the slack spaces of the drive.

Instead, look to something that is designed to solve this exact security problem, and is something that you can control enterprise-wide, such as installing encrypted file systems that can be wiped as quickly as deleting the key. For example, in a Windows shop enforcing BitLocker via Group Policy would protect all the drives, not just the special ones you ordered.