Apple - How to securely erase an SSD drive?

It depends on your paranoia level. Because of the way SSDs handle writing data, doing a zero-once on an SSD is not as good as doing so on a hard drive.

When you write a particular data page on an HD, the new data is simply written over the old data, replacing it. Write zeros over the whole disk and all the old data will be gone. SSDs, on the other hand, cannot simply overwrite individual pages. In order to replace the data on a page, the old data must first be erased, and SSDs cannot erase individual pages; they have to erase entire blocks consisting of many pages.

So what happens when you ask an SSD to overwrite, say, page #5, is that the SSD leaves the data on page #5 alone, but marks it as invalid, allocates another currently-blank page (say, #2305), writes the new data to page #2305, and makes a note that next time the OS asks for page #5 it should get #2305 instead. The original page #5 data sits there until some later time, when the drive needs more space, moves any remaining valid pages away from the block, and erases it. SSDs have more physical memory capacity than they expose to the computer, so they can juggle blocks like this for a while before actually having to erase anything (and when they do actually erase something, there's no good way to predict which blocks of leftover data will be chosen for erasure). See this AnandTech review for way more details (warning: it's fairly long, and the relevant stuff is spread around).

Net result: if you write zeros over the "whole" drive, you haven't actually overwritten all the old data. You have updated the controller's translation table so it'll never return any of the old data to the OS (those pages are all invalid). But if someone's hardcore enough to bypass the controller, they could get some of your data back.

Overwriting twice will probably work, but it depends on the controller's allocation strategy. Overwriting twice with random data (diskutil randomDisk 2 /dev/diskN) is a little more likely to work, but still not guaranteed. Both of these also have some bad side-effects: they uses some of the lifetime of the drive, and also increase the logical fragmentation on the SSD, decreasing its write performance.

Note that recent versions of OS X's graphical Disk Utility disable the secure erasure options on SSDs (for the reasons discussed above), but the command-line version still allows them. BTW, I have also seen several recommendations to securely erase SSDs by converting them to encrypted format, but this is (if anything) slightly less secure than overwriting with random data.

The best way to secure-erase an SSD is to invoke the controller's built-in secure-erase feature. This should (if the controller designers did their jobs) truly erase all blocks, and also have the side-effect of resetting the logical page map, essentially defragmenting it and restoring its original performance. Unfortunately, most of the utilities I've seen for doing this (e.g. CMRR's HDDErase) run under DOS, which won't boot on a Mac. I did find a posting on macrumors with (rather complex) instructions for doing a secure erase from a GParted boot CD. It might also be possible to use Parted Magic from a bootable flash drive, but I have not tried this.

Researchers at the Non-Volatile Systems Lab at UCSD have tested various ways of sanitizing SSDs by "erasing" the drive, then disassembling it to bypass the controller, and checking for remnant data (summary, full paper). Their results mostly agree with what I said above (and also show that the built-in secure-erase command isn't always implemented properly):

Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.


Open a terminal and type the following command:

df -k

Note the first column corresponding to the partition of the SSD you would like to irreversibly erase. Let's say it is /dev/disk1s2.

Type the following command:

dd if=/dev/zero of=/dev/rdisk1s2 bs=100k

where /dev/rdisk1s2 is the raw device associated with your partition on SSD. This command will completely write this partition from 1st block available to the last one. This command will last long (~1/2 h for 100 Gbytes) with no nice scroll bar of progress.

Once this command return you the prompt of your shell the disk has been completly and irreversibly erased. Start Disk Utility and check this partition. It will tell you it is dammaged beyond any form of repair. And it is right.

Just format this partition as you like.

Here is what is happening at the physical blocks level:film of dd & DU erasing an SSD


The "Security Options..." button in Disk Utility is currently grayed out for SSDs. According to http://support.apple.com/kb/HT3680, erasing an SSD normally might be secure enough:

Note: With OS X Lion and an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD. For more security, consider turning on FileVault 2 encryption when you start using the SSD drive.

It is still possible to run something like diskutil secureErase freespace 4 disk0s2 from Terminal on the recovery partition.

Simply turning on FileVault 2 before erasing the drive is probably a better option though. According to this answer, performing a remote wipe also just erases the encryption key if FileVault 2 is enabled:

Yes, when you remotely wipe the computer it does a secure wipe. Apple even warns you that it could take as long as a day. However, if your drive was encrypted with FileVault 2, then it is not necessary to erase the disk. It is sufficient to securely erase the encryption key(s) stored on the disk, so that's what they do. It's very quick and as secure as the underlying encryption system is, which for now is very secure.

http://training.apple.com/pdf/wp_osx_security.pdf:

FileVault 2 provides IT departments with the ability to erase the encryption key from a given Mac at any time to ensure that encrypted data cannot be accessed by either user login or data recovery tools. This process is referred to as a remote wipe.

Tags:

Security

Ssd