How to securely delete files stored on an SSD?
How about encrypting the volume itself? The deleted data will still be there but should be inaccessible to anyone without the appropriate key.
If the SSD drive supports the ATA security mode feature set, then it has secure erase functionality built in, which you should be able to access using something like Secure Erase, documented here and here.
Because of the nature of NAND flash memory, SSDs cannot directly overwrite data. Repeatedly overwriting a file before deleting it will not securely erase it on an SSD—the data would just be written elsewhere on the NAND.
To understand why this is the case, it is necessary to explain how SSDs work on the inside.
- NAND flash is divided into blocks, each consisting of a set of pages typically 4 KB in size (plus error-correcting codes). Most modern SSDs use NAND with blocks of 128 pages for a block size of 512 KB, although some drives, especially older ones, may use 256 KB or smaller blocks. The following diagram assumes 256 KB blocks, but the concept is the same regardless of the block size.
Source – Courtesy Music Sorter at Wikipedia, CC BY-SA 3.0
Each page may be written to individually, but pages cannot be rewritten until erased, and erasing can only be done in whole blocks. This means that whenever data is rewritten, the SSD must mark the data in the affected pages invalid and rewrite it elsewhere, possibly in a different block. At a more appropriate time, ideally when the drive is idle and all pages in a block are marked invalid, the SSD can erase blocks that are no longer in use. This cleanup process is called garbage collection.
In order for the SSD to know which blocks can be erased, the operating system must tell it which blocks no longer contain valid data. This is done using the ATA TRIM command. The SSD is then free to garbage-collect those unused blocks.
SSDs try to spread writes evenly over the NAND to avoid premature failure, a process which relies on the free space available to the drive.
Each NAND block can only sustain a finite number of write/erase cycles. Many of today's consumer-grade SSDs use 19-21nm NAND where each block is good for about 3,000 cycles before becoming unusable, although enterprise SSDs and several high-end consumer SSDs that use more durable types of NAND are commercially available.
In all cases, however, SSDs must spread writes out over the entire drive to avoid placing undue wear on any single block in order to avoid premature failure of the drive, through a process called wear leveling. Efficient wear leveling can only be achieved if there is a certain amount of space (over-provisioning) that is reserved to allow for efficient garbage collection as required even if the drive is nearly full.
Under extreme conditions where the SSD is being asked to write data faster than it can erase old blocks (common in write-heavy datacenter workloads), it may be forced to rewrite the data in one block into another block, then erase the old block immediately to make way for new data, before it has had a chance to perform garbage collection.
Forced rewriting of a block is less than ideal because it degrades performance and contributes to write amplification, where more data is written to the underlying NAND than the actual amount the drive is instructed to write. Added over-provisioning helps mitigate write amplification by providing more spare space to rewrite data and erase old blocks. This is why high-end enterprise SSDs such as the Samsung SSD 845DC PRO come in sizes like 200 GB and 400 GB even though the drive actually contains closer to 256 or 512 GB of NAND inside, respectively. See also: Why do SSDs have weird sizes?
Samsung's SSD white paper series provides a thorough explanation of the inner workings of SSDs. Writing and erasing NAND pages and blocks and garbage collection are explained in white paper 04.
The only way to truly erase data on an SSD is to use the ATA Secure Erase commands.
Secure Erase instructs the drive to wipe all stored data, including data which may remain in the over-provisioned NAND regions. All blocks are erased when this is done, resulting in a pristine drive.
In drives with self-encrypting capability, Secure Erase can simply be implemented by wiping the encryption key. Since the data on the NAND of an encrypted drive is unreadable without the key, there is no need to erase all blocks as would be necessary on an unencrypted drive.
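The page-and-block behaviour described in the answer above, as an added example that is not part of the original answers: a toy flash translation layer showing that overwriting a file, and even TRIM plus garbage collection, can leave the old bytes in NAND until every block is erased. The class `ToySSD`, its methods and the sizes are hypothetical and constructed for illustration; a real controller is far more complex.

```python
PAGES_PER_BLOCK = 4  # constructed toy size; the answer describes 128 pages per block

class ToySSD:  # hypothetical model, not a real controller
    def __init__(self, blocks=4):
        self.nand = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]  # None = erased page
        self.valid = [[False] * PAGES_PER_BLOCK for _ in range(blocks)]
        self.map = {}  # logical page -> (block, page)

    def write(self, lpn, data):
        # A programmed page cannot be rewritten: invalidate the old copy, write elsewhere.
        if lpn in self.map:
            b, p = self.map[lpn]
            self.valid[b][p] = False
        for b, block in enumerate(self.nand):
            for p, old in enumerate(block):
                if old is None:
                    block[p], self.valid[b][p], self.map[lpn] = data, True, (b, p)
                    return
        raise RuntimeError("no erased pages left")

    def trim(self, lpn):
        # The OS tells the drive this logical page no longer holds valid data.
        b, p = self.map.pop(lpn)
        self.valid[b][p] = False

    def garbage_collect(self):
        # Erase works on whole blocks; this toy GC erases only fully invalid blocks.
        for b, block in enumerate(self.nand):
            if any(d is not None for d in block) and not any(self.valid[b]):
                self.nand[b] = [None] * PAGES_PER_BLOCK

    def secure_erase(self):  # models erasing every block on a non-encrypting drive
        self.__init__(len(self.nand))

    def raw_contains(self, needle):  # what a direct NAND read would find, valid or not
        return any(d == needle for block in self.nand for d in block)

def demo():
    ssd = ToySSD()
    ssd.write(0, b"SECRET")        # the file to delete
    ssd.write(1, b"other")         # unrelated live data in the same block
    for _ in range(2):             # two overwrite passes over the file
        ssd.write(0, b"\x00" * 6)
    after_overwrite = ssd.raw_contains(b"SECRET")
    ssd.trim(0)
    ssd.garbage_collect()
    after_trim_gc = ssd.raw_contains(b"SECRET")
    ssd.secure_erase()
    return after_overwrite, after_trim_gc, ssd.raw_contains(b"SECRET")
```

In this model the stale copy survives TRIM because the block still holds a valid page; the block is only erased once nothing valid remains in it.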