I like those portable SSD disks because you can carry them separately from your laptop. When you cross a border, an airport, etc., they may bother checking your laptop, so I don’t like to have things on the main disk. I also like being able to switch between computers with the portable disks.
Anyway, if you start from scratch with a fully encrypted LUKS drive with Debian, and you put all your documents there with a good password, in case you want to delete data, you just have to shred the entire disk with 1 pass and that’s about it?
I know about Security Erase, but those USB disks often do not have “purge tier” options. I like to use OpenSeaChest to see the features of each disk in a readable way. It appears disks with USB enclosures do not have purge level deletion?
But does this even matter if you encrypted the entire disk yourself? I mean only the boot partition would remain, but no data should be there.
If you shred the disk, you can assume no relevant data will ever be recovered?
And if you want to delete an individual file, is it possible? These USB disks do not seem to have TRIM.
I know you should be using disks directly plugged in with SATA or m.2 NVME, but I like the convenience of the portability of the USB disks. I also have sometimes seen some SATA HDD disks that did not have any “purge” tier deletion features, only the regular Security Erase, which according to OpenSeaChest is not “purge” tier (Enhanced is, as are Block Erase and Crypto Erase), but I’m not sure if all USB SSDs lack these features. If anyone knows of one, I could buy one.
WARNING! Always double check of=. A mistake can kill your system if you run this on the system drive!
Then format back to ext4. But I think it is redundant. Plus SSDs have over-provisioning sectors (erasing an SSD is usually more complex than a flash stick).
But as I said, if the data was encrypted, without your key the recovered data will be rubbish, plus even some broken parts of the data (like erased bits) will make even partially recovered data undecryptable and “broken”.
Also, is there really no way to use the Security Erase Enhanced, Block Erase or Crypto Erase features on any USB drive?
How do people deal with privacy and portability then? You just start from day 1 with a fully encrypted drive and if you want to discard it, sell it or whatever, you just shred it once and that’s about it?
I mean, it’s just so convenient, being able to store your disk elsewhere, not attached to your computer all the time, and plug it easily at any moment. But if you use USB drives, you don’t have the internal sanitization features, it’s so annoying, but I assume full disk encryption from the start + shredding it once is as safe as the built-in sanitization features then.
And about individual files, is it assumed it’s impossible to delete individual files on non-HDD drives? I mean you could easily run 35 iterations of shred on your HDD on a given document and that’s about it. If you are shredding small files it doesn’t take much time. With SSDs, there’s this whole can of worms of how you have to use TRIM, but it’s some complex thing. It runs automatically at some unknown interval, and so you would need to trigger it manually to target an individual file, which I don’t know how to do, nor whether it’s possible. But supposedly it also does not work if you use a USB disk.
Why haven’t they invented a technology that makes USB disks usable the same as if you plugged them into the SATA or m.2 slots? It would improve privacy a lot, but for now it is what it is I guess.
No, not the same. Shred deletes a file, not the whole free space, as far as I know.
On high-end external SSDs (usually just NVME in a USB4 adapter) there are such features. On generic ones, no. Use it encrypted with LUKS and just format it. Or run the command above.
Actually, that’s the best approach.
I have tons of USB sticks and external SSDs, and I use them encrypted from the first run.
Use high-end SSDs that support sudo fstrim -av. You can run this command and it will issue TRIM on the empty space of all SSDs. If yours is supported, the output will show it with something like “X bytes trimmed” with the path to the SSD.
This command is completely safe to run in most cases. No used space will be erased.
They did. NVME to USB4 adapters. Put an NVME there and enjoy. But you need high-end adapters that fully support low-level commands.
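Before relying on fstrim to clear free space on a USB SSD, it is worth confirming that discard actually reaches the drive at every layer (enclosure, dm-crypt mapping, filesystem). The script below is an added example, not code from anyone in this thread; the device names, the dm table line and the fstrim output are constructed samples, and check_device is the live wrapper that needs root.

```shell
#!/bin/sh
# Added example: verify the TRIM path for a LUKS-encrypted USB SSD.
# The parsing helpers take text so they can be exercised on constructed
# samples; check_device runs the real tools (lsblk, dmsetup, fstrim).

# Constructed sample of `lsblk -dn -o NAME,DISC-GRAN,DISC-MAX` for two
# hypothetical disks: sda is an enclosure that does not pass discard
# through (granularity 0B), sdb does.
SAMPLE_LSBLK='sda 0B 0B
sdb 512B 2G'

# Constructed sample of a dm-crypt mapping's `dmsetup table` line
# (LUKS2 keyring reference, no key material shown).
SAMPLE_DM_TABLE='0 41943040 crypt aes-xts-plain64 :64:logon:cryptsetup:UUID-d0 0 8:17 4096 1 allow_discards'

# Constructed sample of one `fstrim -v` output line.
SAMPLE_FSTRIM='/mnt/usb: 10.5 GiB (11274289152 bytes) trimmed'

# discard_supported NAME LSBLK_TEXT: success when the device reports a
# non-zero discard granularity, i.e. the kernel can send TRIM/UNMAP at all.
discard_supported() {
    printf '%s\n' "$2" | awk -v d="$1" \
        '$1 == d && $2 != "0B" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# luks_discards_enabled DM_TABLE_TEXT: success when the mapping was opened
# with --allow-discards; without it fstrim never reaches the SSD.
luks_discards_enabled() {
    printf '%s\n' "$1" | grep -q 'allow_discards'
}

# trimmed_bytes FSTRIM_TEXT: pull the byte count out of an `fstrim -v` line.
trimmed_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) bytes) trimmed.*/\1/p'
}

# check_device /dev/sdX MAPPING MOUNTPOINT: live check, run as root.
# Fails early if any layer drops discard; otherwise trims and reports bytes.
check_device() {
    name=$(basename "$1")
    discard_supported "$name" "$(lsblk -dn -o NAME,DISC-GRAN,DISC-MAX "$1")" \
        || { echo "$1: no discard support; TRIM cannot be relied on, use crypto-erase"; return 1; }
    luks_discards_enabled "$(dmsetup table "$2")" \
        || { echo "$2: mapping opened without --allow-discards"; return 1; }
    echo "$3: $(trimmed_bytes "$(fstrim -v "$3")") bytes trimmed"
}
```

If the first check fails, the per-file TRIM question for that enclosure is moot; the remaining option is the crypto-erase route (discard the LUKS key) rather than any overwrite.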
I was going to say, some encryption processes encrypt only the data in the space the data needs. Others also add random data throughout the whole drive before the encryption process begins (I believe VeraCrypt does this).
For SSDs, dd might not be required?? I use the content here Data Erasure - Divested Computing and end up with the following main commands:
nvme sanitize -a 2 /dev/nvme0n1
# OR
nvme format /dev/nvme0 -s 2 -n 1
with sudo apt install nvme-cli for the application itself. Based on my personal testing, it should look like the following when you run nvme sanitize-log /dev/nvme0:
This is not a reliable method of wiping free space on SSDs, as you have zero control over where the blocks of data are actually being written in flash and there is no guarantee that everything will be overwritten.
The only ways to securely erase an SSD without destroying it are via a sanitize/secure erase command supported by the controller or encrypting the data before writing it and then simply discarding the encryption key to make the plaintext data unrecoverable.
Some USB SSDs are just normal SSDs (nvme or SATA) in an enclosure with a controller converting to USB. If critical, disassembly might be an option.
You can, but most cheap ones (not Sata/nvme to USB adapters, especially ones with soldered USB and memory) don’t have TRIM or other advanced feature support.
Yeah but not the other parts, which you contradicted with dangerous advice to use dd to secure erase an SSD. I don’t know why you’re focusing on the one thing we agree on when I didn’t say or even imply that was a point of disagreement?