Secure erasure before full disk encryption?

On my daily drive machine, I want to enable FDE (full disk encryption). Should I securely erase my SSD data before turning on FDE or turning on FDE then securely erase SSD data?

You can’t securely erase an SSD if there is data on it.
So do it beforehand.

See also my Data Erasure - Divested Computing page

7 Likes

You technically can’t really “securely erase” a SSD at all except by physically destroying it.
Doing a manual FSTRIM on the empty drive and then enabling FDE should be enough for most people.

4 Likes

There is also SSD secure wipe, which uses firmware to flip all bits to zero, this is “secure enough” for most purposes.

6 Likes

Found this guide

This still leaves the problem with reserve capacity on SSDs which is completely untouchable by the OS. If you are really unlucky incriminating data might be stored in this space or in blocks that the SSD controller deemed unreliable and remapped with spare blocks.

1 Like

A lot of SSDs are self-encrypting though (even if you don’t have FDE enabled), and in that case a secure erase should be fine because it just wipes the internal key. The real answer to this question really depends on the drive model.

1 Like

As mentioned above, for normal folks a simple delete everything+FSTRIM+reformat should be plenty good enough.
If your life/freedom depends on it you better shredder your SSD/HDD into fine dust.

2 Likes

Honestly, looking at the history of self encrypting drives:

I would be very uneasy to trust encryption implementations made by drive OEM’s.

3 Likes

Found this interesting discussion in ShredOS repo:

Recommend reading it if you are interested in wiping methods efficiency and shredding techniques.