How not to securely erase a NVME drive (2022)

And this is why you always encrypt the drive with software. All of these methods seem to put a lot of faith into the drive controller doing what it claim it does, which you can never be all that sure about. Even Microsoft-backed Bitlocker would help here.

Smash it with a hammer and move on. I'd never buy a used storage device anyway, no telling what malware it might contain.

It's very common for both NVMe and SATA drives that they'll be locked/frozen during boot and thus will not honor a secure erase command until the drive has been power-cycled, which can usually be accomplished with the system-level sleep/wake cycle. I'm not sure what useful purpose this is meant to serve other than possibly making it hard for malware to instantly and irretrievably wipe your storage.

As far as I know, there is NO way to securely erase a USB flash drive (barring some undocumented vendor specific commands that may exist).

To maximize device performance when wiping a drive to use for something else, I use nvme format with --ses=1.

Which in theory should free all of the blocks on the flash.

Really hard to find good documentation on this stuff. Doesn't help that 95% of internet articles just say "overwrite with zeroes" which is useless advice

Gotta love breaking EFI changes. I don't know how many times my work laptop would do that and I couldn't boot anymore, only to remember some stressful time later that Linux would only boot with some of the settings flipped from their defaults. At least I never had to reinstall anything.

That was way longer than I expected. Wow.

None of these methods are reliable nor should they be trusted.

Every organization with good security hygiene requires physical destruction of SSDs. Full stop, end of negotiation, into the shredder it goes.

Not that it matters much, with the prices of SSDs skyrocketing people are moving back to mechanical disks.

I had a drawn out conversation with a friend about erasing NVME drives in a way that met compliance needs. The procedure they were given was to install Windows, with Bitlocker, twice with no effort to retain the key.

But that doesn't even overwrite the visible drive space; you can do a simple PoC to demonstrate that Windows won't get to all the mapped blocks. And that still hasn't gotten to the overprovisioned blocks and wear leveling issues that the article references.

You could use the BIOS or whatever CLI tool to tell the drive to chuck its encryption key, but are you sure that tool meets whatever compliance requirements you're beholden to? Are you sure the drive firmware does?

So they went with paying a company to shred the drives. All of them. It's disgustingly wasteful.

sedutil-cli —yesIwantToEraseALLmydata $PSID /dev/sda1 or something like that.

Smash it with a hammer.

If you insist on erasing the data, overwrite the entire contents of the drive twice with random data.

Doing it twice will blow away any cached as well (probably).