Encrypt and erase to delete data reliable on SSDs
The security of data on Solid State Drives (SSDs) is not only important for government agencies and enterprises, but also for end users. Even if you do not plan on selling or giving away the hard drive or computer at all, you may encounter situations where someone else gets access to the PC. Maybe it is stolen by a thief, taken from you by a police raid, or someone in your organization or home starts to look at the data it contains more closely.
Modern SSDs come with options to securely erase the data on the drive, and that is likely what some will use to delete the data (the majority likely will not delete data at all, or only use a quick format to delete the data). Research has shown that several manufacturer issued disk sanitizing tools do not erase all of the data on the disk.
The "Reliably erasing data from Flash-based Solid State Drives" research paper from 2011 is particularly interesting in this regard as it analyzes existing techniques that include overwriting, degaussing and encryption. The researchers found [pdf] that "none of of the available software techniques for sanitizing individual ﬁles were effective.
- All single-ﬁle overwrite sanitization protocols failed: between 4% and 75% of the ﬁles’ contents remained on the SATA SSDs. USB drives performed no better: between 0.57% and 84.9% of the data remained
- Encryption is only effective if the key store is properly sanitized.
Back then the researchers suggested a hybrid approach they called SAFE which combines encryption with secure erase.
Side note: I'm not aware of any recent studies that take into account the advancements made in drive technology in the past year. It would be interesting to see if improvements have been made in that time. Even if that is the case, the methodology is still important for older drives.
Scramble and Finally Erase (SAFE) combines the advantages of encrypting files or the full drive with secure erase to make data unrecoverable on the drive. You find the research paper here [pdf].
To summarize the algorithm:
- You encrypt the whole drive using disk encryption software like True Crypt or DiskCryptor, create a secure container on the drive, or encrypt individual files. The latter can be done with programs such as 7-Zip or WinRar (commercial). This can and should be done immediately to protect the data from third parties right away
- Before you give away the drive, throw it away, or re-purpose it in any way, you use a program to securely erase the data on the drive. Parted Magic can do that, as can Secure Erase.
The algorithm works for all drives, platter-based and Flash-based. (via Windows Secrets, thanks Ilev)Advertisement