Solved

SSD secure erase - sometimes failing, why?

Posted on 2013-01-30
12
2,066 Views
Last Modified: 2013-02-09
Hi experts!

I'd like to clarify what "secure erase" I am talking about, it's the function built into some ssd drives' firmware that allows you to erase the whole drive in seconds.
I have used the OCZ tool on 4 of their drives, 3 succeeded, one (identical model) failed ("drive is security locked"). I used the intel ssd tool on 1 intel ssd drive and it erased alright. I used the Samsung tool on one of their drives, it failed ("secure erase could not be completed").

I wonder what makes some of them fail. I really would like to have that function working because it's so much quicker than a normal wipe. [Actually, it's even the only method there is to securely erase an SSD, at least our government says that.]

I read that power cycling the drives would help but that changed nothing: unplugged, waited a minute, replugged, same result. So I resorted to normal wipe and after a full wipe of the OCZ, I was able to do the secure erase, too. Left me puzzled but I tried the same on the Samsung one: no, this time no luck, same error. Tried different buses: SATA3, SATA2, USB.

Anyone experienced here?
Environment: 64 Bit Vista, as well as win8 x64. SSDs: intel 520 series 180 GB, Samsung 840 non-pro 120 GB, OCZ Vertex2 120 GB. Latest versions of their tools.
0
Comment
Question by:McKnife
12 Comments
 
LVL 6

Expert Comment

by:insidetech
ID: 38837691
SSD drives - which you probably know have no moving parts. The conventional "security" erase algorithms apply multiple re-writes because on conventional magnetic media it is possible to detect a faint remanence of the original magnetic state. In SSD there is no such retention.
In fact... likely you are damaging or at least shortening the drives life by doing this. FYI for same reason, SSD drives should not be defragmented.
Why it does not work on some drives? From my experience because the drive you are experiencing this issue with already have "exhausted" memory cells in certain areas.
I found that about the only tool to talk to these drives are the factory firware flashing utilities, and if you are realy concerned about whiping the drives clean, re-flashing the drive will do the trick.
0
 
LVL 54

Author Comment

by:McKnife
ID: 38837936
I know about this, yes.
The drives were fairly new, the Samsung for example was brand new.
Reflashing often does not even harm the data - I did a lot of firmware updates on SSDs.
0
 
LVL 1

Expert Comment

by:tyson-edwards
ID: 38838159
For newer drives, secure erase can simply mean changing the encryption key for the drive, at which point the cryptographic keys to encrypt and decrypt the data is no longer valid, so all of  the data becomes instantly unreadable.

Firmware updates are typically designed not to modify the encryption keys, if they even exist at all, and as a byproduct will retain data.

Manufacturers who offer encryption supporting SSDs will have a utility available to rekey the drive.

Another noteworthy thing to consider is that unlike a conventional spinning hard disk, recovering data from Flash is quite difficult in non-encrypted scenarios. Wear leveling makes this process a little easier as you can't technically address all of the data at any one point in time due to over provisioning, making it possible to recover data that one would believe would be overwritten. Utilizing TRIM on a drive makes data recovery even more difficult as it will simultaneously zero out data and transition data from cell to cell via wear leveling as well as increasing cell utilization as any read or write must re-write the entire 256KB cell, hence the reason why you would always make sure that your cluster sizes for a SSD is 256KB and that your drive is aligned appropriately.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 54

Author Comment

by:McKnife
ID: 38838652
Fine. But what about the question? ;)
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38841860
Could be the drive itself has problems. Try to erase it with Parted Magic as shown here: http://howto.cnet.com/8301-11310_39-20115106-285/how-to-securely-erase-an-ssd-drive/
0
 
LVL 54

Author Comment

by:McKnife
ID: 38842694
Sorry, missed to report that I did that already: failed as well.
Today I tried the DOS version of Samsung's tool: it ran alright.
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38843179
Yes from any dos version it would run ok. Seems the problem s in drive detection in linux and Windows. Dos Has better detection.
0
 
LVL 54

Author Comment

by:McKnife
ID: 38843315
Hi noxcho.

"DOS has better detection" - the problem is not, that it does not get detected, but that it either starts erase but does not finish or that it thinks the drive is security locked. Ok, maybe you mean these issues are because of maldetection of what state the drive is in. Anyway, I will stop to rely on the online-tools and use offline-tools.

Ok, this will lead to another question: is there a tool apart from parted magic that will allow different/all brands of SSDs to be erased using their "secure erase" function?
0
 
LVL 46

Expert Comment

by:noxcho
ID: 38843493
As far as I know - no such tool was sent to the market. The SSD market seems t be still young and thus the software development is not in rush for it.
0
 
LVL 63

Expert Comment

by:btan
ID: 38846102
saw this paper and like what you did using the vendor tool to erase, most probably using some sort of ATA Secure command. That may not be foolproof as shared in the paper.  Most of the failed case, maybe the buggy tool. Thought the other possible approach is to use full disk encryption: make sure the entire filesystem on the drive is encrypted from the start (e.g., Bitlocker, Truecrypt). When you want to sanitize the drive, forget all the crypto keys and securely erase them, and then erase the drive as best as possible. Maybe  combine it with ATA Secure Erase for (higher) confidence. Few cents worth

http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf

Excerpt:

Our results lead to three conclusions:
First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, suf¿cient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual ¿le sanitization are effective on SSDs.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 0 total points
ID: 38851920
Ok, I will close this as non-solved, if you don't mind.
[I was keen to get an answer to why these online tools (and sometimes the offline ones as well) work so unreliable, and if we can do something about it]

That there are ways to be relatively sure that the data remnants are next to zero and that you can combine those methods is accepted, yes, but was not part of the question.

Thanks for your comments.
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 38870820
See comment.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question