Software erasure is no good on modern hardware; it pulls too many tricks internally, and the data could easily stick around in a region of NAND that is not accessible. There’s an easier way - use full disk encryption with a TPM. Data is effectively erased upon destruction of the TPM key.
From the nwipe (what this uses) page:

> In the current form nwipe does not sanitize solid state drives (hereinafter referred to as SSDs) of any form (SAS / Sata / NVME) and / or form factor (2.5" / 3.5" / PCI) fully due to their nature: ...

https://github.com/martijnvanbrummelen/nwipe

The ShredOS page suggests the use of hdparm for SSDs but things are fairly complicated:

* https://github.com/martijnvanbrummelen/nwipe/blob/master/ssd-guide.md
“In the current form nwipe does not sanitize solid state drives (hereinafter referred to as SSDs) of any form (SAS / Sata / NVME) and / or form factor (2.5" / 3.5" / PCI) fully due to their nature: SSDs, as the transistors contained in the memory modules are subject to wear, contain in most cases additional memory modules installed as failover for broken sectors outside of the host accessible space (frequently referred to as "overprovisioning") and for garbage collection.”

Interesting that they don’t mention Enhanced Security Erase; that SATA command would take care of the broken sectors and firmware-reserved sectors. hdparm is capable of issuing the command if the SSD/HDD supports it, and hdparm is the tool they seem to be using. Not sure what they are using for NVME though, as they use PCIE, not SATA commands.
Maybe sedutil from OPAL?
Anywho, for most drives, whether SSD, HDD or NVME, you can ‘erase’ it by simply setting and deleting the KEK and UEK, but to securely erase you want to do the security enhanced erase data command that runs locally in the drive and is independent of the OS.
Pretty cool UX, however it seems to follow the approach of overwriting data once or multiple times.

As far as legends on the high magic of contemporary flash memory go, you would want to simply tell your SSD/NVMe to secure erase the drive instead of writing data yourself. ShredOS doesn’t seem to implement this.
> PRNG Stream - Fills the device with a stream from the PRNG.

How are you going to explain to the TSA officer that the disk does not contain encrypted data?
Barebones alternative for *nix people: just "dd" random data over the entire disk. A single pass suffices because there is no such thing as "gleanable history" on the sectors of magnetic storage - nor for flash storage, but the complexity of spare/reserved memory blocks on SSDs may result in data escaping the procedure.
Is this very different from using a bootable Linux distribution from a disc or USB drive to then wipe a disk drive? And as someone else pointed out here, with solid-state drives being more popular these days, these techniques are not sufficient.
How hard is it to just flip bits on every single available memory cell? Is it because you have to use the manufacturer's black box controllers and you don't really know if they actually do what you asked?
It's 2024, and you have:

    nvme format -s1 /dev/nvme0n1

to use secure erase on your NVMe drives, with similar commands available under hdparm for SATA drives:

https://grok.lsu.edu/Article.aspx?articleid=16716

The "DoD style" erase commands no longer provide adequate security for highly virtualized I/O devices like SSDs where blocks may be remapped as spares out of the directly accessible range and thus skipped by the pass. In fact, the DoD itself stipulates only physical destruction of hard drives is acceptable, and many bases have secure warehouses where old drives are stocked awaiting destruction.
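Before relying on the hdparm route mentioned in this thread, the first thing to check is whether the drive will accept the ATA security erase commands at all, and the usual obstacle is a drive reporting "frozen". The snippet below is an added example, not code from ShredOS, nwipe or any commenter here: it parses the "Security:" section that `hdparm -I <device>` prints (the two samples are constructed copies of that layout, not output from a real drive) and classifies the drive as unsupported, frozen, password-protected, or ready for enhanced/normal erase.

```shell
#!/bin/sh
# Added example: classify a drive's ATA security state from the "Security:"
# section of `hdparm -I`. hdparm marks an unset flag as "\tnot\t<flag>" and a
# set flag as "\t\t<flag>", which is what the parser keys on.

# Build a constructed sample section; $1 is the "frozen" line to embed.
mk_security_section() {
  printf '%b' "Security: \n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n$1\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
}
SAMPLE_FROZEN=$(mk_security_section '\t\tfrozen')      # constructed: frozen by the controller
SAMPLE_READY=$(mk_security_section '\tnot\tfrozen')    # constructed: same drive, not frozen

# security_flag <section> <flag>: prints yes, no or unknown. The flag must be
# the whole remainder of its line, so "supported" does not match
# "supported: enhanced erase".
security_flag() {
  line=$(printf '%s\n' "$1" | grep -E "^[[:space:]]*(not[[:space:]]+)?$2[[:space:]]*$" | head -n 1 || true)
  if [ -z "$line" ]; then echo unknown
  elif printf '%s\n' "$line" | grep -qE '^[[:space:]]*not[[:space:]]'; then echo no
  else echo yes
  fi
}

# erase_readiness <section>: one word describing whether a security erase can
# be issued right now. Anything that is not a clear "no" for frozen/enabled is
# treated conservatively as blocking.
erase_readiness() {
  [ "$(security_flag "$1" supported)" = yes ] || { echo unsupported; return; }
  [ "$(security_flag "$1" frozen)" = no ]     || { echo frozen; return; }
  [ "$(security_flag "$1" enabled)" = no ]    || { echo password-set; return; }
  if [ "$(security_flag "$1" 'supported: enhanced erase')" = yes ]; then
    echo ready-enhanced
  else
    echo ready-normal
  fi
}

printf 'constructed frozen sample -> %s\n' "$(erase_readiness "$SAMPLE_FROZEN")"
printf 'constructed ready sample  -> %s\n' "$(erase_readiness "$SAMPLE_READY")"
```

On a real machine you would feed it `hdparm -I /dev/sdX` output instead of the constructed samples; a "frozen" result means the drive will reject the security commands until the freeze lock is cleared, which is the complication the ssd-guide linked above walks through.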