How to securely wipe files from SSD drive?

Currently there's no way to securely erase files on an SSD without erasing the content of the whole drive or having access to the firmware of the SSD.

  • It's impossible to know where the SSD may store previous copies of a logical block.

  • To make matters worse, due to journalling and copy-on-write mechanisms of the file system it may be impossible to know which logical blocks may hold a previous copy of a particular file.

The only way to prevent the leakage of deleted files to someone with direct access to the drive is to encrypt them in the first place and keep the encryption key safe from prying eyes.

Addendum:

I did some research and found out that you can sort of erase all previously deleted files if you manage to learn all the unoccupied sectors of a file system, which is generally possible and offered by some file system tools (e.g. for the ext* family), and then discard them (e.g. with blkdiscard(8) as outlined in this answer to the linked question), which returns the blocks for garbage collection until they're used again and overwritten in the process.

This is secure against everyone who cannot access the flash cells directly, so everyone who

  • doesn't have a suitable flash cell reading device and
  • cannot talk the drive firmware into revealing the content of unassigned blocks (which would require a meaningful modification of the firmware in most cases and custom ATA commands since there's no standardised way).
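The procedure from the addendum, as an added example that is not part of the original answer: discard all free blocks of the file system that held the deleted file, after checking that the backing device honours discard at all. fstrim(8) performs the "learn the free sectors and discard them" step through the file system's FITRIM ioctl, so no manual block list is needed. The function names, the --trim flag and the sample lsblk lines are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above: discard every unused block of
# the file system holding a given directory (where the deleted file lived).
# fstrim(8) does the "learn the free sectors and discard them" step through
# the file system's FITRIM ioctl. Function names and the --trim flag are my
# own assumptions. Run as root.

# discard_supported: read `lsblk -b -d -n -o NAME,DISC-GRAN,DISC-MAX DEV`
# lines on stdin and succeed if any line reports a non-zero discard
# granularity, i.e. the device accepts TRIM/discard requests at all.
discard_supported() {
    awk 'NF >= 3 && $2 + 0 > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# trim_free_space DIR: find the mount point and backing device for DIR,
# refuse if the device does not advertise discard (fstrim would fail there),
# then discard all free blocks of that file system. Discarded blocks are no
# longer readable through the block layer; the flash cells themselves are
# recycled by the drive's garbage collection later.
trim_free_space() {
    dir=$1
    mnt=$(findmnt -n -o TARGET --target "$dir") || return 1
    src=$(findmnt -n -o SOURCE --target "$dir") || return 1
    if ! lsblk -b -d -n -o NAME,DISC-GRAN,DISC-MAX "$src" | discard_supported; then
        echo "$src does not advertise discard support; refusing to trim" >&2
        return 1
    fi
    fstrim -v "$mnt"
}

# Constructed lsblk output in the format above (not captured from a real host):
# a device without discard, and an NVMe device with 512-byte granularity.
SAMPLE_NO_DISCARD='sda 0 0'
SAMPLE_DISCARD='nvme0n1 512 2199023255040'

# Usage (as root): sh trim-free.sh --trim /directory/that/held/the/file
if [ "${1:-}" = --trim ]; then
    trim_free_space "$2"
fi
```

The discard check matters in practice: a dm-crypt volume reports a zero discard granularity unless discards are explicitly allowed through it, and on such a device fstrim does nothing useful. Note that this only discards blocks the file system currently considers free, so the file must already be deleted, and it is subject to the same caveats as the answer (anyone who can read the flash cells or talk the firmware into returning unassigned blocks is not stopped by it).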

Warning: In case it's not already clear, securely erasing the drive will eliminate all data on the drive and should make it impossible to recover. You should back up all critical information.

Sources:

https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

https://superuser.com/questions/1161531/how-to-un-freeze-drive-in-linux

The easiest way to determine whether your drive supports secure erase is to ask it. I've used /dev/sdX in the examples below; you'll need to carefully change it to match the device you are working with:

$ sudo hdparm -I /dev/sdX | grep -i erase

On my SSD this results in:

supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

If secure erase is supported by your device, triggering it is a 2- or 3-step process.

  1. If the device reports that it's frozen, as indicated by output from sudo hdparm -I /dev/sdX similar to this:

    not   enabled
    not   locked
          frozen
    not   expired: security count
    supported: enhanced erase

    Unfreeze it by suspending and resuming your system. I did this with the command sudo systemctl suspend, then moved the pointer until the system resumed.

  2. You must set a password to use secure erase. In this case I'm using foobar as the password; you can use whatever non-blank password you like, as it's temporary.

    sudo hdparm --user-master u --security-set-pass foobar /dev/sdX

  3. With the password set you can now use it to securely erase the drive:

    sudo hdparm --user-master u --security-erase foobar /dev/sdX

If your drive supports it and you so desire, you can opt to use the enhanced security erase instead with:

sudo hdparm --user-master u --security-erase-enhanced foobar /dev/sdX
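The steps above combined into one script, as an added example that is not part of the original answer: it parses the Security section of hdparm -I, refuses to proceed unless the drive is neither frozen, locked nor already password-protected, checks for enhanced erase support when that mode is requested, and only then sets the temporary password and issues the erase. The hdparm commands are the ones from the answer; the function names, the --really-erase flag and the sample hdparm output are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above: the unfreeze check, set
# password and erase steps wrapped so the erase is only issued when the drive
# is in the expected state. Function names, the --really-erase flag and the
# sample output are my own assumptions. Run as root. This destroys every byte
# on the target drive.

# classify_security: read `hdparm -I /dev/sdX` output on stdin and print one of
#   unsupported  no Security section, or no erase capability advertised
#   frozen       security frozen; suspend/resume (or power-cycle) first
#   locked       drive is locked; unlock it before anything else
#   enabled      a user password is already set; erase with that one
#   ready        a temporary password can be set and the erase issued
classify_security() {
    # keep only the Security: block, up to the next unindented line
    sec=$(sed -n '/^Security:/,/^[^[:space:]]/p')
    if ! printf '%s\n' "$sec" | grep -qi 'erase'; then
        echo unsupported; return 0
    fi
    for state in frozen locked enabled; do
        # hdparm prints e.g. "not   enabled" or "      enabled"; only the
        # latter, with nothing but whitespace before the word, means set
        if printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*$state([[:space:]]|\$)"; then
            echo "$state"; return 0
        fi
    done
    echo ready
}

# supports_enhanced: succeed if the output on stdin advertises enhanced erase
supports_enhanced() {
    grep -Eq '^[[:space:]]*supported:[[:space:]]*enhanced erase'
}

# secure_erase DEV PASS [enhanced]: steps 2 and 3 of the answer, guarded
secure_erase() {
    dev=$1; pass=$2; mode=${3:-normal}
    info=$(hdparm -I "$dev") || return 1
    state=$(printf '%s\n' "$info" | classify_security)
    if [ "$state" != ready ]; then
        echo "$dev is $state; refusing to erase" >&2
        return 1
    fi
    if [ "$mode" = enhanced ] && ! printf '%s\n' "$info" | supports_enhanced; then
        echo "$dev does not support enhanced erase" >&2
        return 1
    fi
    hdparm --user-master u --security-set-pass "$pass" "$dev" || return 1
    if [ "$mode" = enhanced ]; then
        hdparm --user-master u --security-erase-enhanced "$pass" "$dev" || return 1
    else
        hdparm --user-master u --security-erase "$pass" "$dev" || return 1
    fi
    # a completed erase clears the password again, so the drive should now
    # classify as ready ("not enabled"); anything else needs investigating
    hdparm -I "$dev" | classify_security
}

# Constructed hdparm -I excerpt in the format quoted in the answer (not
# captured from a real drive): a frozen drive with enhanced erase support.
SAMPLE_FROZEN='ATA device, with non-removable media
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Usage (as root): sh secure-erase.sh --really-erase /dev/sdX foobar [enhanced]
if [ "${1:-}" = --really-erase ]; then
    shift
    secure_erase "$@"
fi
```

Against the sample above the script stops with "frozen", which is the case where the suspend/resume trick from step 1 is needed; after that hdparm reports "not frozen", the drive classifies as ready and the erase goes ahead. The final classification is a cheap sanity check: the kernel.org wiki linked above notes that a successful erase leaves security disabled again, so seeing "enabled" afterwards means the erase did not complete and the drive still carries the temporary password.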