Encrypt and erase to delete data reliably on SSDs

Martin Brinkmann
Sep 13, 2012
Updated • Feb 23, 2014
Encryption, Security

The security of data on Solid State Drives (SSDs) is not only important for government agencies and enterprises, but also for end users. Even if you do not plan to sell or give away the drive or computer, you may encounter situations where someone else gets access to the PC: it may be stolen, seized in a police raid, or someone in your organization or household may start to look at the data it contains more closely.

Modern SSDs come with options to securely erase the data on the drive, and that is likely what some users will rely on (the majority will probably not delete the data at all, or will only run a quick format). Research has shown, however, that several manufacturer-issued disk sanitizing tools do not erase all of the data on the disk.

The 2011 research paper "Reliably erasing data from Flash-based Solid State Drives" is particularly interesting in this regard, as it analyzes existing techniques including overwriting, degaussing, the drives' own erase commands and encryption. The reason overwriting is unreliable on flash is structural: an SSD's flash translation layer writes new data to a fresh physical page and merely unmaps the old one, so an overwrite issued by the host does not necessarily touch the physical pages that hold the original data. The researchers found [pdf] that "none of the available software techniques for sanitizing individual files were effective":

  • All single-file overwrite sanitization protocols failed: between 4% and 75% of the files' contents remained on the SATA SSDs. USB drives performed no better: between 0.57% and 84.9% of the data remained.
  • Encryption is only effective if the key store is properly sanitized.


Back then the researchers proposed a hybrid approach they called SAFE, which combines encryption with secure erase.

Side note: I'm not aware of any recent studies that take into account the advancements made in drive technology in the past year. It would be interesting to see if improvements have been made in that time. Even if that is the case, the methodology is still important for older drives.

Scramble and Finally Erase (SAFE) combines the advantages of encrypting individual files or the full drive with a final secure erase to make the data unrecoverable on the drive. You can find the research paper here [pdf].

To summarize the algorithm:

  • You encrypt the whole drive using disk encryption software such as TrueCrypt or DiskCryptor, create an encrypted container on the drive, or encrypt individual files; the latter can be done with programs such as 7-Zip or WinRAR (commercial). This can and should be done immediately, before any sensitive data is written: it protects the data from third parties right away, and encrypting a drive that already holds plaintext does not reach stale copies of that plaintext still sitting in flash.
  • Before you give the drive away, dispose of it, or re-purpose it in any way, use a program that issues the drive's built-in secure erase command to wipe it. Parted Magic can do that, as can Secure Erase. Since the researchers found that the erase commands of some drives did not work as advertised, verify the result afterwards, for instance by reading the drive back and confirming that no recognizable data remains.

The procedure works for all drives, platter-based and Flash-based. (via Windows Secrets, thanks Ilev)
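The following is an added illustration, not code from the article or from the SAFE paper: a toy model of an SSD's flash translation layer that reproduces the three observations above. Overwriting a file leaves its old pages in flash, overwriting the on-drive key store leaves a stale copy of the key, and encrypting from the start followed by the drive's erase command leaves nothing usable even when the erase itself is imperfect. Everything in the model is a constructed assumption: 16-byte pages, a log-structured FTL with no garbage collection, a SHA-256 XOR keystream standing in for a real cipher, and a "defective" erase variant that only clears mapped pages (a modelling device, not a description of any specific drive's firmware).

```python
"""Toy model of an SSD's flash translation layer (FTL) used to show why
single-file overwrites leave remnants, why an on-drive key store must be
sanitized, and why SAFE (encrypt first, ATA SECURITY ERASE UNIT last)
still holds up. Constructed illustration; 16-byte pages, no garbage
collection, the SHA-256 XOR "cipher" and the defective-erase variant are
modelling assumptions, not any real drive's behaviour."""
import hashlib
import os

PAGE = 16  # bytes per flash page in the model


class ToySSD:
    """Log-structured FTL: each write of a logical page goes to a fresh physical
    page; the previous copy is only unmapped ("stale"), never cleared."""

    def __init__(self, physical_pages=64, erase_reaches_stale=True):
        self.flash = [None] * physical_pages  # None = erased cell
        self.l2p = {}                          # logical page -> physical page
        self.next_free = 0
        self.erase_reaches_stale = erase_reaches_stale

    def write(self, lpn, data):
        assert len(data) == PAGE
        self.flash[self.next_free] = bytes(data)
        self.l2p[lpn] = self.next_free
        self.next_free += 1  # no GC in the model, so stale copies survive

    def security_erase_unit(self):
        """Models ATA SECURITY ERASE UNIT. Correct firmware clears every physical
        page; the constructed defective variant (erase_reaches_stale=False)
        clears only currently mapped pages and leaves stale copies behind."""
        mapped = set(self.l2p.values())
        for ppn in range(len(self.flash)):
            if self.erase_reaches_stale or ppn in mapped:
                self.flash[ppn] = None
        self.l2p = {}

    def chip_off_dump(self):
        """What a forensic reader sees: every non-erased page, mapped or stale."""
        return [p for p in self.flash if p is not None]


def keystream(key, lpn):
    """Toy per-page keystream (NOT a real cipher): SHA-256(key || lpn), truncated."""
    return hashlib.sha256(key + lpn.to_bytes(4, "big")).digest()[:PAGE]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sample_file(n_pages):
    """Constructed plaintext: n distinct, recognisable pages."""
    return [f"secret-{i:04d}".encode().ljust(PAGE, b".") for i in range(n_pages)]


def run(encrypt, sanitize, good_erase=True, n_pages=8):
    """Save a file twice (so stale copies exist, as on any used drive), apply one
    sanitization method, then inspect a chip-off dump.
    sanitize: 'overwrite_file' (secure-delete tool zeroes the file's LBAs),
              'overwrite_key'  (zero only the on-drive key page), or
              'erase_unit'     (ATA SECURITY ERASE UNIT)."""
    ssd = ToySSD(erase_reaches_stale=good_erase)
    key = os.urandom(PAGE)
    pages = sample_file(n_pages)
    ssd.write(0, key if encrypt else b"\xff" * PAGE)  # LPN 0: key store (toy: unwrapped)
    for _ in range(2):  # two saves of the same file
        for i, p in enumerate(pages):
            ssd.write(1 + i, xor(p, keystream(key, 1 + i)) if encrypt else p)
    if sanitize == "overwrite_file":
        for i in range(n_pages):
            ssd.write(1 + i, b"\x00" * PAGE)  # host now reads zeros; flash does not
    elif sanitize == "overwrite_key":
        ssd.write(0, b"\x00" * PAGE)
    elif sanitize == "erase_unit":
        ssd.security_erase_unit()
    else:
        raise ValueError(sanitize)
    dump = ssd.chip_off_dump()
    key_leaked = key in dump
    # A page counts as recovered if it sits in flash as plaintext, or if the key
    # also leaked and some dumped page decrypts to it under the toy cipher.
    recovered = 0
    for i, p in enumerate(pages):
        if p in dump or (key_leaked and any(xor(d, keystream(key, 1 + i)) == p for d in dump)):
            recovered += 1
    return {"plaintext_fraction": recovered / n_pages, "key_leaked": key_leaked}


if __name__ == "__main__":
    for label, args in [
        ("plaintext, overwrite file       ", (False, "overwrite_file")),
        ("encrypted, overwrite key page   ", (True, "overwrite_key")),
        ("plaintext, good ERASE UNIT      ", (False, "erase_unit")),
        ("plaintext, defective ERASE UNIT ", (False, "erase_unit", False)),
        ("SAFE, defective ERASE UNIT      ", (True, "erase_unit", False)),
        ("SAFE, good ERASE UNIT           ", (True, "erase_unit")),
    ]:
        print(label, run(*args))
```

In this model every stale page survives, so the overwrite scenario recovers 100% of the file where the paper measured 4% to 75% on real drives (whose garbage collection reclaims some stale pages). The key-overwrite scenario is the paper's caveat in miniature: zeroing the key page creates a stale copy of the key, and with it every ciphertext page in flash becomes readable again. The SAFE rows show why the order matters: the key page was written once and is still mapped, so even the defective erase removes it, and the stale ciphertext it leaves behind is useless. Had the key store been rewritten at some point (a passphrase change, for example), a stale copy could outlive a defective erase in exactly the way the overwritten key page does here.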




  1. Cave said on March 9, 2012 at 9:38 pm

    Well, considering that the NSA and various other US-Agencies don’t need your key, you should really use this…
