Solved

SSD secure erase - sometimes failing, why?

Posted on 2013-01-30
12
1,977 Views
Last Modified: 2013-02-09
Hi experts!

I'd like to clarify what "secure erase" I am talking about: it's the function built into some SSD drives' firmware that allows you to erase the whole drive in seconds.
I have used the OCZ tool on 4 of their drives; 3 succeeded, one (identical model) failed ("drive is security locked"). I used the Intel SSD tool on 1 Intel SSD drive and it erased alright. I used the Samsung tool on one of their drives; it failed ("secure erase could not be completed").

I wonder what makes some of them fail. I really would like to have that function working because it's so much quicker than a normal wipe. [Actually, it's even the only method there is to securely erase an SSD, at least our government says that.]

I read that power cycling the drives would help but that changed nothing: unplugged, waited a minute, replugged, same result. So I resorted to normal wipe and after a full wipe of the OCZ, I was able to do the secure erase, too. Left me puzzled but I tried the same on the Samsung one: no, this time no luck, same error. Tried different buses: SATA3, SATA2, USB.

Anyone experienced here?
Environment: 64-bit Vista, as well as Win8 x64. SSDs: Intel 520 series 180 GB, Samsung 840 non-pro 120 GB, OCZ Vertex2 120 GB. Latest versions of their tools.
0
Comment
Question by:McKnife
12 Comments
 
LVL 6

Expert Comment

by:insidetech
SSD drives, as you probably know, have no moving parts. The conventional "security" erase algorithms apply multiple re-writes because on conventional magnetic media it is possible to detect a faint remanence of the original magnetic state. In SSD there is no such retention.
In fact... likely you are damaging or at least shortening the drive's life by doing this. FYI, for the same reason, SSD drives should not be defragmented.
Why does it not work on some drives? From my experience, because the drive you are experiencing this issue with already has "exhausted" memory cells in certain areas.
I found that about the only tools to talk to these drives are the factory firmware flashing utilities, and if you are really concerned about wiping the drives clean, re-flashing the drive will do the trick.
0
 
LVL 53

Author Comment

by:McKnife
I know about this, yes.
The drives were fairly new, the Samsung for example was brand new.
Reflashing often does not even harm the data - I did a lot of firmware updates on SSDs.
0
 
LVL 1

Expert Comment

by:tyson-edwards
For newer drives, secure erase can simply mean changing the encryption key for the drive, at which point the cryptographic keys to encrypt and decrypt the data are no longer valid, so all of the data becomes instantly unreadable.

Firmware updates are typically designed not to modify the encryption keys, if they even exist at all, and as a byproduct will retain data.

Manufacturers who offer encryption supporting SSDs will have a utility available to rekey the drive.

Another noteworthy thing to consider is that, unlike with a conventional spinning hard disk, recovering data from Flash is quite difficult in non-encrypted scenarios. Wear leveling makes this process a little easier as you can't technically address all of the data at any one point in time due to over-provisioning, making it possible to recover data that one would believe would be overwritten. Utilizing TRIM on a drive makes data recovery even more difficult as it will simultaneously zero out data and transition data from cell to cell via wear leveling as well as increasing cell utilization as any read or write must re-write the entire 256KB cell, hence the reason why you would always make sure that your cluster size for an SSD is 256KB and that your drive is aligned appropriately.
0
 
LVL 53

Author Comment

by:McKnife
Fine. But what about the question? ;)
0
 
LVL 46

Expert Comment

by:noxcho
Could be the drive itself has problems. Try to erase it with Parted Magic as shown here: http://howto.cnet.com/8301-11310_39-20115106-285/how-to-securely-erase-an-ssd-drive/
0
 
LVL 53

Author Comment

by:McKnife
Sorry, I forgot to report that I did that already: failed as well.
Today I tried the DOS version of Samsung's tool: it ran alright.
0
 
LVL 46

Expert Comment

by:noxcho
Yes, from any DOS version it would run OK. Seems the problem is in drive detection in Linux and Windows. DOS has better detection.
0
 
LVL 53

Author Comment

by:McKnife
Hi noxcho.

"DOS has better detection" - the problem is not that it does not get detected, but that it either starts the erase but does not finish, or that it thinks the drive is security locked. Ok, maybe you mean these issues are because of misdetection of what state the drive is in. Anyway, I will stop relying on the online tools and use offline tools.

Ok, this will lead to another question: is there a tool apart from parted magic that will allow different/all brands of SSDs to be erased using their "secure erase" function?
0
 
LVL 46

Expert Comment

by:noxcho
As far as I know, no such tool has been brought to market. The SSD market seems to be still young and thus the software development is not in a rush for it.
0
 
LVL 61

Expert Comment

by:btan
Saw this paper, and like what you did using the vendor tool to erase, most probably using some sort of ATA Secure command. That may not be foolproof, as shared in the paper. Most of the failed cases, maybe the buggy tool. Thought the other possible approach is to use full disk encryption: make sure the entire filesystem on the drive is encrypted from the start (e.g., Bitlocker, Truecrypt). When you want to sanitize the drive, forget all the crypto keys and securely erase them, and then erase the drive as best as possible. Maybe combine it with ATA Secure Erase for (higher) confidence. Few cents' worth.

http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf

Excerpt:

Our results lead to three conclusions:
First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.
0
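The "drive is security locked" error quoted in the question and the ATA Secure Erase command mentioned above both relate to the ATA Security feature set, whose state a drive reports to the host. As an added example (not part of the original thread), this sketch parses the Security section printed by Linux `hdparm -I` and lists the states that cause an erase request to be rejected. The sample output is constructed, and the function names `parse_security` and `erase_blockers` are hypothetical.

```python
import re

# Constructed sample (not from the thread's drives): the Security section
# of `hdparm -I /dev/sdX` for a drive that is in the frozen state.
SAMPLE_FROZEN = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
)
FLAGS = ("supported", "enabled", "locked", "frozen", "expired: security count")

def parse_security(text):
    """Return {flag: bool} for the Security section of hdparm -I output."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # an unindented line starts the next section
        if not in_section:
            continue
        # Each flag line is "<indent>[not] <flag>"; "not" negates the flag.
        m = re.match(r"\s+(not\s+)?(.+?)\s*$", line)
        if m and m.group(2) in FLAGS:
            state[m.group(2)] = m.group(1) is None
    return state

def erase_blockers(state):
    """List the reported states that make the drive reject a secure erase."""
    if not state.get("supported"):
        return ["ATA Security feature set not reported as supported"]
    reasons = []
    if state.get("frozen"):
        reasons.append("frozen: security commands are aborted until a "
                       "power cycle or hardware reset")
    if state.get("locked"):
        reasons.append("locked: a password is already set and the erase "
                       "must supply it")
    if state.get("expired: security count"):
        reasons.append("password attempt counter expired: power cycle "
                       "before retrying")
    return reasons

if __name__ == "__main__":
    for reason in erase_blockers(parse_security(SAMPLE_FROZEN)):
        print(reason)
```

An empty list means none of these states is reported; it does not prove the firmware implements the erase correctly.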
 
LVL 53

Accepted Solution

by:
McKnife earned 0 total points
Ok, I will close this as non-solved, if you don't mind.
[I was keen to get an answer to why these online tools (and sometimes the offline ones as well) work so unreliably, and if we can do something about it]

That there are ways to be relatively sure that the data remnants are next to zero and that you can combine those methods is accepted, yes, but was not part of the question.

Thanks for your comments.
0
 
LVL 53

Author Closing Comment

by:McKnife
See comment.
0
