Secure erasure before full disk encryption?

On my daily-driver machine, I want to enable FDE (full disk encryption). Should I securely erase my SSD data before turning on FDE, or turn on FDE and then securely erase the SSD data?

You can’t securely erase an SSD if there is data on it.
So do it beforehand.

See also my Data Erasure - Divested Computing page

7 Likes

You technically can’t really “securely erase” an SSD at all except by physically destroying it.
Doing a manual FSTRIM on the empty drive and then enabling FDE should be enough for most people.

4 Likes

There is also SSD secure wipe, which uses firmware to flip all bits to zero; this is “secure enough” for most purposes.

6 Likes

Found this guide

This still leaves the problem with reserve capacity on SSDs which is completely untouchable by the OS. If you are really unlucky incriminating data might be stored in this space or in blocks that the SSD controller deemed unreliable and remapped with spare blocks.

1 Like

A lot of SSDs are self-encrypting though (even if you don’t have FDE enabled), and in that case a secure erase should be fine because it just wipes the internal key. The real answer to this question really depends on the drive model.

1 Like
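The posts above describe three pieces of one procedure: a firmware-level erase where the drive offers one (ATA SECURITY ERASE over SATA, `nvme format` with a secure-erase setting over NVMe, which on a self-encrypting drive just rotates the internal key), a whole-device discard as the OS-visible equivalent of the FSTRIM step, and only then creating the encrypted container. The script below is an added example, not code from the thread or from any of its participants; the tool names (`hdparm`, `nvme-cli`, `blkdiscard`, `cryptsetup`) are real, the helper function names and the `WIPE_DEVICE`/`WIPE_CONFIRM` variables are this example’s own. Nothing destructive runs unless both variables name the same device.

```shell
#!/bin/sh
# Added example (not from the original thread): pick the right firmware erase
# for a drive, follow it with a whole-device discard, then create LUKS on the
# blank device. Helper names and the WIPE_* variables are this example's own.
set -eu

# Choose the firmware erase command by bus type, judged from the device name.
#   NVMe: "nvme format --ses=1" is a user-data erase; "--ses=2" is a crypto
#         erase (valid only on drives that encrypt at rest: it rotates the key).
#   SATA: ATA SECURITY ERASE via hdparm. The drive must not be "frozen"
#         (check "hdparm -I" output); a suspend/resume cycle usually unfreezes it.
#   Anything else: no firmware erase known here, print nothing.
choose_erase_cmd() {
  dev=$1
  case "$dev" in
    /dev/nvme*) printf 'nvme format --ses=1 %s\n' "$dev" ;;
    /dev/sd*)   printf 'hdparm --user-master u --security-set-pass p %s && hdparm --user-master u --security-erase p %s\n' "$dev" "$dev" ;;
    *)          : ;;
  esac
}

# Refuse to touch a device (or any of its partitions) that is currently mounted.
# Returns 0 when it looks safe, 1 with a message on stderr otherwise.
check_unmounted() {
  dev=$1
  if grep -q "^$dev" /proc/mounts 2>/dev/null; then
    echo "refusing: $dev or one of its partitions is mounted" >&2
    return 1
  fi
  return 0
}

# Print the whole plan as shell commands, one per line, without running any.
plan_wipe() {
  dev=$1
  choose_erase_cmd "$dev"
  # Defence in depth: discard every block the OS can address. Harmless after a
  # firmware erase, and the only option on a drive without one. This is the
  # whole-device counterpart of "delete everything + fstrim" on a mounted fs.
  # Note: like fstrim, it cannot reach over-provisioned or remapped blocks.
  printf 'blkdiscard %s\n' "$dev"
  # Create the LUKS2 container only on the blank device, so no remnant of the
  # old filesystem survives around or inside it.
  printf 'cryptsetup luksFormat --type luks2 %s\n' "$dev"
}

# Execute the plan. Requires WIPE_CONFIRM to equal the device path as a
# second, explicit acknowledgement that the device is about to be destroyed.
run_wipe() {
  dev=$1
  check_unmounted "$dev"
  if [ "${WIPE_CONFIRM:-}" != "$dev" ]; then
    echo "dry run; set WIPE_CONFIRM=$dev to really execute:" >&2
    plan_wipe "$dev"
    return 2
  fi
  plan_wipe "$dev" | while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    sh -c "$cmd"
  done
}

# Usage: WIPE_DEVICE=/dev/nvme0n1 sh wipe-then-fde.sh        (prints the plan)
#        WIPE_DEVICE=/dev/nvme0n1 WIPE_CONFIRM=/dev/nvme0n1 sh wipe-then-fde.sh
if [ -n "${WIPE_DEVICE:-}" ]; then
  run_wipe "$WIPE_DEVICE"
fi
```

Run it once without `WIPE_CONFIRM` to see the exact commands for your drive, confirm the device path twice, and only then re-run with both variables set. Boot from a live medium so the target is not your running root, and keep in mind the earlier caveat in this thread: neither the discard nor a plain user-data erase reaches spare or remapped blocks that the controller hides from the OS.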

As mentioned above, for normal folks a simple delete everything+FSTRIM+reformat should be plenty good enough.
If your life/freedom depends on it, you had better shred your SSD/HDD into fine dust.

2 Likes

Honestly, looking at the history of self-encrypting drives:

I would be very uneasy about trusting encryption implementations made by drive OEMs.

3 Likes