
SkyLinx

macrumors member
Original poster
Mar 24, 2018
51
11
Espoo, Finland
I wasn't sure where to post this. I just bought a new iMac and am about to sell my previous computer which I have used as a Hackintosh (I wanted to use macOS but needed to save money to buy a real Mac). Of course I want to make sure the buyer cannot recover my data from the SSD in it.

Apple says that a secure erase should not be necessary with an SSD, and in fact the secure erase options aren't even available in Disk Utility for SSDs. But I have also read somewhere that this is instead because it's not possible to guarantee a secure erase is actually "secure" with SSDs....

I am confused. What is your opinion regarding this? Is there anyone here with a background in security who can give more details?

I've also read that encrypting the SSD with FileVault and then doing a normal erase would be secure, however.... getting FileVault to work on the Hackintosh is quite challenging it seems.

Because the SSD is of NVMe / M.2 type, I would need to buy some adapter in order to plug it in as an external drive with the real Mac and encrypt it there with FileVault etc.

So, the question is... will I be safe if I just do a normal erase of the SSD as Apple seems to suggest, or not?

Thanks!
 
In short, just make sure you delete the partition completely and create a new one and format it. Then if anyone wants to recover anything, they will need some serious tools to even attempt it.

I would like to ease your mind with the long version. Now I am not a security expert, but I do know on a basic principle how data storage works. So a simplified explanation here:

On a classic hard drive when you store files on it, a little piece of information about the files is being stored in the partition table, which is a little bit like a map of where all the files on the HD are stored. The files' physical location is on the spinning discs inside the HD. You can google for video or photos of what that looks like.

When you then delete a file, only the information in the partition table is being deleted, and the physical location of the data on the hard drive is registered as free space. The actual deletion happens when other files write new data in that physical location.

An SSD drive is a lot of little power storage units. If they do not store data they are 0, and if they do store data (meaning a tiny electric charge) they are 1. These 1's and 0's make up your data. And the SSD measures the storage units to see if they contain a charge. As I understand the partition table is directly linked to the storage units, and therefore when deleting and formatting the partition, the entire SSD is written as 0's. Which means no data left.

For the real techies out there, I know this is simplified. And may not be 100% technically accurate.

But to return to the short answer. I haven't heard of anyone where they needed to do a secure deletion, and I don't think you need to either.
 
The answer to this depends on your security requirements.

If you enabled TRIM on your device from new (i.e. using "trimforce" since you have a hackintosh), then simply deleting files or doing a standard erase is probably sufficient. This is because with TRIM enabled, any file deletes trigger a command to the SSD controller notifying it that the space occupied by the file is no longer in use, and *most* controllers then report the relevant locations as zeroed out when read again rendering the files unrecoverable to anyone but the most sophisticated attackers.

If you want to increase security a bit more, consider doing a full-device trim from an external environment, e.g. using "blkdiscard" across the entire device from a Linux live CD or creating a partition from a Windows installer disk that spans the entire device (Windows trims partitions when formatting). This just ensures that *all* the files on the device are gone which isn't possible when trying to clean up a drive that you're currently running your operating system on. This is what I would do.

Beyond that, you can consider a device-level secure erase command (e.g. via "hdparm"), also issued from something like a Linux live cd. In theory, this causes the controller to actually zero the physical chips on the SSD (as opposed to the controller simply reporting the contents as empty), but the implementation would depend on the disk manufacturer.

Anything beyond this is only for the uber-paranoid.
 
In short, just make sure you delete the partition completely and create a new one and format it. Then if anyone wants to recover anything, they will need some serious tools to even attempt it.

I would like to ease your mind with the long version. Now I am not a security expert, but I do know on a basic principle how data storage works. So a simplified explanation here:

On a classic hard drive when you store files on it, a little piece of information about the files is being stored in the partition table, which is a little bit like a map of where all the files on the HD are stored. The files' physical location is on the spinning discs inside the HD. You can google for video or photos of what that looks like.

When you then delete a file, only the information in the partition table is being deleted, and the physical location of the data on the hard drive is registered as free space. The actual deletion happens when other files write new data in that physical location.

An SSD drive is a lot of little power storage units. If they do not store data they are 0, and if they do store data (meaning a tiny electric charge) they are 1. These 1's and 0's make up your data. And the SSD measures the storage units to see if they contain a charge. As I understand the partition table is directly linked to the storage units, and therefore when deleting and formatting the partition, the entire SSD is written as 0's. Which means no data left.

For the real techies out there, I know this is simplified. And may not be 100% technically accurate.

But to return to the short answer. I haven't heard of anyone where they needed to do a secure deletion, and I don't think you need to either.

Thanks for the clarification on this difference HDD vs SSD :)

The answer to this depends on your security requirements.

If you enabled TRIM on your device from new (i.e. using "trimforce" since you have a hackintosh), then simply deleting files or doing a standard erase is probably sufficient. This is because with TRIM enabled, any file deletes trigger a command to the SSD controller notifying it that the space occupied by the file is no longer in use, and *most* controllers then report the relevant locations as zeroed out when read again rendering the files unrecoverable to anyone but the most sophisticated attackers.

If you want to increase security a bit more, consider doing a full-device trim from an external environment, e.g. using "blkdiscard" across the entire device from a Linux live CD or creating a partition from a Windows installer disk that spans the entire device (Windows trims partitions when formatting). This just ensures that *all* the files on the device are gone which isn't possible when trying to clean up a drive that you're currently running your operating system on. This is what I would do.

Beyond that, you can consider a device-level secure erase command (e.g. via "hdparm"), also issued from something like a Linux live cd. In theory, this causes the controller to actually zero the physical chips on the SSD (as opposed to the controller simply reporting the contents as empty), but the implementation would depend on the disk manufacturer.

Anything beyond this is only for the uber-paranoid.

Thanks a lot, TRIM was enabled on the NVMe SSD but not on the SATA one, so I have used blkdiscard on both just to be sure. The operation was just a few seconds on each drive though, is it normal?
 
Yes it’s normal. It just tells the controller to free up the space, it doesn’t actually write to the drive NAND.
 
I don't want to scare you...but,

I heard with the right tools, you can always recover data from an SSD. Since you have a hackintosh it's even worse because maybe there is software/hardware incompatibility to perform the delete process properly.

My personal recommendation is to buy a new or used HDD, install it in your computer and sell it that way. As for your SSD, best would be to delete everything, fill with different data, encrypt the SSD, then physically destroy it by sending it to an HDD shredding service or you can drill or break holes in each of the SSD chips. Then throw the broken parts in different places not together so it won't be reassembled.

This might sound like an overkill or paranoid, but after some research myself, this is about the only sure way to be safe. Better safe than sorry. It depends on the data on the device, if there is something that someone might find out and will be used against you in the future (or illegal), I would be very careful. If it's just loaded with game files (remember everything you have ever put on that SSD even if you deleted it long ago), then no harm can be done and you don't have to be so worried.

Only a security expert can answer this question as I have been looking for that answer myself and this is the only conclusion I have come to where you can be safest.

It's much easier with a regular HDD where you just have to secure erase the HDD about 3 times (fully write the HDD with garbage data) then breaking the platters into pieces, then trash in different places.
 
If you REALLY want to be "secure", do this:
- take the existing SSD OUT OF the hackintosh
- put a brand-new SSD into it.
- install the basic hackintosh OS install onto it
- sell it that way

You can then either re-use the old SSD yourself, or destroy it.
 
I don't want to scare you...but,

I heard with the right tools, you can always recover data from an SSD. Since you have a hackintosh it's even worse because maybe there is software/hardware incompatibility to perform the delete process properly.

I used blkdiscard with a Linux live disc as suggested earlier rather than doing it from macOS (also because I had to erase the drive where macOS was installed).


It's much easier with a regular HDD where you just have to secure erase the HDD about 3 times (fully write the HDD with garbage data) then breaking the platters into pieces, then trash in different places.

Yep that's what I've done with the HDD.

If you REALLY want to be "secure", do this:
- take the existing SSD OUT OF the hackintosh
- put a brand-new SSD into it.
- install the basic hackintosh OS install onto it
- sell it that way

You can then either re-use the old SSD yourself, or destroy it.

Problem is that the SSDs I have (NVMe of 512 GB and SATA of 1 TB) are expensive so if I have to destroy them and replace them it would cost quite a bit. I am trying to sell ASAP this computer to recover money I spent for the iMac.

Any particular reason why either of you think the procedure with blkdiscard suggested by Kingcr would not be enough?
 
Any particular reason why either of you think the procedure with blkdiscard suggested by Kingcr would not be enough?

The problem is that it depends upon the firmware of the SSD and what the controller does when it receives an ATA Secure Erase command, if the command is implemented at all. SSDs differ in that way from HDDs.
 
If you REALLY want to be "secure", do this:
- take the existing SSD OUT OF the hackintosh
- put a brand-new SSD into it.
- install the basic hackintosh OS install onto it
- sell it that way

You can then either re-use the old SSD yourself, or destroy it.

Or to make absolutely sure you can nuke it from orbit.
 
Any particular reason why either of you think the procedure with blkdiscard suggested by Kingcr would not be enough?

I am not saying it's not enough... I am saying I am not sure if it is enough. I know the SSD is expensive, but are you willing to risk if any of your data was leaked? Better safe than sorry is my motto. You really don't want to regret it down the line, at least now you are in control. It really depends what's on that SSD. No need to be paranoid if the data is not sensitive, then again, there are many hackers and data miners out there.

Maybe I am paranoid, but I'd rather keep or destroy my data instead of being blackmailed by a stranger in the future.
 
Recovering data from an SSD depends almost entirely on the controller. This is because data stored on the underlying NAND (at least on a fairly well-used drive) can only be made sense of by the controller after all the wear-levelling, GC, page-mapping and so on that it does continuously. SSD firmware is incredibly complex these days. So, when the controller discards the known state of some or all of the data (e.g. via a TRIM command), the effort involved in recovering it is huge. As long as the controller does indeed report trimmed space as empty. To the OP: you can verify your SSD's behaviour in Linux using something like:
dd if=/dev/<disk> bs=10M count=<some reasonable number of blocks> | hexdump -C
This will read a number of 10 meg blocks from the device and present them in hex, without repeating. So if you just see all zeros coming back, then your drive controller is just reporting trimmed space as empty.

For secure erase (as opposed to TRIM), the implementation depends on the manufacturer. Conceivably, the controller could write zeros to each NAND cell or it could just mark them as empty - much like a full device trim. In either case, getting data back is going to be near impossible.

So, the thing to ask yourself is, who is your adversary in all this? If you think that someone might try to run some data recovery or forensic tools, I wouldn't be worried at all. If you think someone might be able to attack the firmware or NAND to recover your data, then (a) you've got bigger problems and probably shouldn't be asking for advice on a forum and (b) you should physically destroy the drive rather than ever considering selling it.
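
An added example, not part of the original post: the dd | hexdump check described above, scripted to sample 1 MiB windows spread across the whole device and count non-zero bytes rather than eyeballing a dump of the first blocks. The function names are illustrative and /dev/sdX in the usage comment is a placeholder; run it read-only from the same Linux live environment used for blkdiscard.

```shell
#!/bin/sh
# Spot-check that a discarded (trimmed) drive reads back as zeros.
# Read-only: nothing here writes to the device.
# Usage (placeholder device name): sh check_zero.sh /dev/sdX 64

MIB=1048576

# size_bytes PATH -> size of a block device or regular file in bytes
size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# count_nonzero PATH OFFSET_MIB LEN_MIB -> number of non-zero bytes in that window
count_nonzero() {
    dd if="$1" bs="$MIB" skip="$2" count="$3" 2>/dev/null \
        | tr -d '\000' | wc -c | tr -d ' '
}

# sample_device PATH WINDOWS
# Reads WINDOWS evenly spaced 1 MiB windows; returns 0 only if all are zero.
sample_device() {
    path=$1
    windows=$2
    total_mib=$(( $(size_bytes "$path") / MIB ))
    [ "$total_mib" -gt 0 ] || { echo "target smaller than 1 MiB" >&2; return 2; }
    # Never ask for more windows than there are whole MiB on the target.
    [ "$windows" -le "$total_mib" ] || windows=$total_mib
    dirty=0
    i=0
    while [ "$i" -lt "$windows" ]; do
        off=$(( i * total_mib / windows ))
        n=$(count_nonzero "$path" "$off" 1)
        if [ "$n" -ne 0 ]; then
            echo "non-zero data: $n bytes in the MiB at offset $off MiB"
            dirty=$(( dirty + 1 ))
        fi
        i=$(( i + 1 ))
    done
    echo "$dirty of $windows sampled windows contain data"
    [ "$dirty" -eq 0 ]
}

# Only runs when a target is given on the command line.
if [ "$#" -ge 1 ]; then
    sample_device "$1" "${2:-64}"
fi
```

A clean result covers only the sampled ranges and only what the controller reports on read, which is the distinction the post draws between trimmed space being reported as empty and the NAND itself being zeroed.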
 
So, the thing to ask yourself is, who is your adversary in all this? If you think that someone might try to run some data recovery or forensic tools, I wouldn't be worried at all. If you think someone might be able to attack the firmware or NAND to recover your data, then (a) you've got bigger problems and probably shouldn't be asking for advice on a forum and (b) you should physically destroy the drive rather than ever considering selling it.

What kind of forensic tools could be used to attempt a data recovery from an SSD? Can this be done with just some software? Are these tools expensive? My adversary is some random guy who's going to buy the PC.... so who knows :p
 
The tools I’m referring to are generic, not specific to SSDs. And that’s the point. A random buyer if nefarious may try some of them (there are free and expensive tools) but they won’t be effective if your SSD has been properly erased.

Anyway, this thread has progressed from a fairly simple question to a whole lot of FUD. I stand by my initial comment. Cheers.
 
If you are concerned about someone cleverly abstracting the data out from under the controller, the best thing that I can think of is to format the SSD as one giant partition and write one giant file of zeros into it, filling it up. Do it a few times and you have a pretty good chance of zeroing everything including filesystem metadata, at least once.

Or, you could place it carefully on a firm concrete surface, and drive your car back and forth over it a few times. That will likely erase it safely as well (without the environmental issues involved in pouring gasoline over it and lighting it.) If there was ever anything on the SSD that might potentially expose you to ruin, I think that's what I would recommend.
 
Another course of action for the OP (requires a DVD/CD drive).

1. Download the "Parted Magic" iso (DVD image).
2. Burn this to DVD/CD (don't remember which is required, I -think- it's just a CD)
3. BOOT FROM the Parted Magic CD.
4. Go to the disk tools and choose to do an "ATA Secure Erase" (or is it "ATA reset", can't remember) on the internal drive.
5. This will literally reset it to a factory-fresh state. I don't think there's any better way to get rid of the data.
 
Another course of action for the OP (requires a DVD/CD drive).

1. Download the "Parted Magic" iso (DVD image).
2. Burn this to DVD/CD (don't remember which is required, I -think- it's just a CD)
3. BOOT FROM the Parted Magic CD.
4. Go to the disk tools and choose to do an "ATA Secure Erase" (or is it "ATA reset", can't remember) on the internal drive.
5. This will literally reset it to a factory-fresh state. I don't think there's any better way to get rid of the data.

I read that this can damage some drives though?
 
Again --

If you're THAT WORRIED about the data on the SSD, take it out and PHYSICALLY DESTROY IT.

Then, put ANOTHER drive into the hackintosh and set it up for the buyer...
 
What kind of forensic tools could be used to attempt a data recovery from an SSD? Can this be done with just some software? Are these tools expensive? My adversary is some random guy who's going to buy the PC.... so who knows :p

Remember, you will never know what the buyer will do to the SSD. He can give it away, donate it, do tests on it, use it, use it for some time then sell it to someone else which you have no idea what they will do with it.
 
I am not sure if anyone else mentioned this as there is a lot here. But it should be noted that an SSD has a finite amount of read/write cycles. If you were to do say a 7 pass erase on an SSD that is going to substantially reduce the life of the SSD. They are not designed to be erased that way.
 
Actually it shouldn't make much of a difference unless the SSD is on its last legs anyway. Most SSDs released in the last few years should have an endurance of at least a large fraction of 1 DWPD for the warranty period, if not better. So doing say 10 full write cycles might lop off a few weeks from the drive lifetime, but it shouldn't have a huge effect.

One thing I wrote was wrong, though: some controllers compress the data to be stored, so rather than writing zeros, it would be better to write a random bit stream, ideally generated by a noise junction or something. I'm sure that a good pseudo-random generator would be OK as well.

Theorizing is fun, but to get back to serious practicalities: if there's something on the drive that could potentially seriously impact your life, like true blackmail fodder, or various illegalities, don't sell the drive! Destroy it. If you're an average or even above average Joe with no vendettas against you, an ordinary erase or full-device trim will do just fine.
 
Actually it shouldn't make much of a difference unless the SSD is on its last legs anyway.

...but on the other hand, because SSDs work in totally different ways to HDs there's no guarantee that a secure erase routine designed for HDs will actually do the job - so you're potentially wearing out the SSD for no good reason.

Sending a "secure erase" command to a SSD that supports it is the only way to be sure, and (as you say) be proportionate - if you've got the nuclear launch codes stored on there, the whole MacBook is going in the industrial shredder afterwards anyway, right?

Because the SSD is of NVMe / M.2 type,

...that makes it simple. If in doubt, just pull the drive and keep it. If it's a good size, get a USB3 enclosure for it and you've got a nice fast external drive. If necessary, stick some cheap'n'cheerful spinning rust in the old Hackintosh so you can sell it in working condition.

Now, when the SSD is soldered in to a MacBook, that's a problem.
 