
A reddit dedicated to the profession of Computer System Administration.
wiping a ssd where to begin?
I need to wipe a laptop with a 7 pass, will dban be OK? Or is there some procedure that I need to follow.
If it's an SSD, there will likely be a manufacturer tool for performing a secure erase. SSDs have a specific "Secure Erase" function that applies voltage and clears the drive in one go. That saves writing 7 passes over the drive, reducing wear on it. But as ever, check that it meets your requirements for secure wiping!
I'll have to check with Dell then!
Comment deleted by user
Agreed, with wear leveling you are also not guaranteed to wipe the drive even with multiple passes with the old zeroing methods like dban.
Secure erase is the way to go with SSDs and Parted Magic's utility does a good job simplifying that process.
Use "SATA Sanitize" (newest) or "SATA Secure Erase" on any device that supports them. This has the major benefit of being very fast, because of the way it works.
7 passes is for people reading DoD standards from the late 1980s. We do one zeroing pass with badblocks and you're not getting any data from that hardware. If you need more than this, then one random pass and one zeroing pass, but it's really overkill.
Ya, for SSD I tend to go with the device's supported erase and then at least one full pass of writes just in case the vendor doesn't do their implementation properly (ya it might not get all the blocks but it's better than nothing). Also, I'm not really worried about the lifetime of the drive if I'm at the point of wiping a drive so full writes aren't a concern.
Always wipe front to back
Like with a cloth or something?
https://www.bleachbit.org/cloth-or-something
This is the procedure we use to partially meet NIST SP 800-88 Level 2 (required for media storing information classified up to the secret level, they're not exactly clear on that).
First get a computer running your favorite flavor of Debian; you can use an installer USB to run it "live" without installing it.
For NVMe drives:
apt install nvme-cli
nvme list
nvme format -s1 /dev/{device identifier}
For SATA drives:
hdparm -I /dev/[device identifier]
hdparm --user-master u --security-set-pass temptemp /dev/[device identifier]
time hdparm --user-master u --security-erase temptemp /dev/[device identifier]
Note: NIST SP 800-88 requires a validation pass, and specifies a methodology. We use this procedure for drives that are going to be reused, so we didn't develop a validation method.
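The comment above leaves the validation pass open. As an added example (not part of the original post, and not the SP 800-88 methodology itself), here is a sampled read-back check to run after the erase commands. It assumes the drive returns zero bytes once erased; the function name `verify_erased` and its defaults are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sampled read-back check after a secure erase.
# Assumption: an erased drive reads back as zeros. Some drives return 0xFF or
# another pattern instead, so adapt the comparison to your hardware.

# verify_erased TARGET [SAMPLES] [BLOCK_BYTES]
# Reads the first block, the last block and SAMPLES random blocks of TARGET
# (a block device or an image file).
# Returns 0 if every sampled block is zero, 1 if a sampled block holds data
# or comes back short, 2 if the target cannot be sized.
verify_erased() {
    local target=$1 samples=${2:-1000} bs=${3:-4096}
    local size blocks last blk direct=""

    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target" 2>/dev/null) || return 2
        # Bypass the page cache so stale pre-erase data is not read back.
        direct="iflag=direct"
    else
        size=$(stat -c %s "$target" 2>/dev/null) || return 2
    fi

    blocks=$(( size / bs ))
    [ "$blocks" -gt 0 ] || return 2
    last=$(( blocks - 1 ))

    # shuf picks distinct block numbers across the whole addressable range.
    for blk in 0 "$last" $(shuf -i "0-$last" -n "$samples"); do
        # cmp -n limits the comparison to one block's worth of /dev/zero.
        if ! dd if="$target" bs="$bs" skip="$blk" count=1 ${direct:+"$direct"} \
                2>/dev/null | cmp -s -n "$bs" - /dev/zero; then
            echo "non-zero or short read at block $blk of $target" >&2
            return 1
        fi
    done
    return 0
}
```

Run it as root, for example `verify_erased /dev/sdX 5000`. A sampled check only covers addressable blocks and cannot see over-provisioned or remapped flash, so it supports the device's own erase command rather than replacing it.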
There's a secure erase tool in the BIOS of basically all modern laptops. You mentioned Dell, it'll definitely have one in my experience. It's a little tricky tho, you basically have to confirm like 5 times and the last confirmation basically says "Do you wish to cancel" meaning you have to click no instead of yes.
DBAN is for HDDs.