Secure erasure before full disk encryption?

jerm · March 3, 2024, 9:08pm

On my daily drive machine, I want to enable FDE (full disk encryption). Should I securely erase my SSD data before turning on FDE or turning on FDE then securely erase SSD data?

SkewedZeppelin · March 3, 2024, 9:11pm

You can’t securely erase an SSD if there is data on it.
So do it beforehand.

See also my Data Erasure - Divested Computing page

Valynor · March 3, 2024, 9:13pm

You technically can’t really “securely erase” a SSD at all except by physically destroying it.
Doing a manual FSTRIM on the empty drive and then enabling FDE should be enough for most people.

dngray · March 4, 2024, 5:39am

There is also SSD secure wipe, which uses firmware to flip all bits to zero, this is “secure enough” for most purposes.

jerm · April 17, 2024, 5:42pm

Found this guide

https://darknetlive.com/post/how-to-securely-erase-a-drive-0fbc2170

Valynor · April 17, 2024, 8:07pm

This still leaves the problem with reserve capacity on SSDs which is completely untouchable by the OS. If you are really unlucky incriminating data might be stored in this space or in blocks that the SSD controller deemed unreliable and remapped with spare blocks.

jonah · April 18, 2024, 6:24am

A lot of SSDs are self-encrypting though (even if you don’t have FDE enabled), and in that case a secure erase should be fine because it just wipes the internal key. The real answer to this question really depends on the drive model.

Valynor · April 18, 2024, 1:40pm

As mentioned above, for normal folks a simple delete everything+FSTRIM+reformat should be plenty good enough.
If your life/freedom depends on it you better shredder your SSD/HDD into fine dust.

Niek-de-Wilde · April 19, 2024, 7:03am

Honestly, looking at the history of self encrypting drives:

I would be very uneasy to trust encryption implementations made by drive OEM’s.

jerm · May 16, 2024, 10:58am

Found this interesting discussion in ShredOS repo:

github.com/PartialVolume/shredos.x86_64

Update NWipe's Wiping Methods

opened 10:49AM - 24 Oct 21 UTC

pogue

So, the documentation on your site says NWipe uses the following wiping techniqu…es to wipe HDDs. However, all of them are from the 1990s, before there was SSD & Flash Memory. So I think it's time to update and use more advanced and optimized shredding techniques. NWipe uses the following methods: - Quick erase - Fills the device with zeros, one round only. - RCMP TSSIT OPS-II - Royal Candian Mounted Police Technical Security Standard, OPS-II - DoD Short - The American Department of Defense 5220.22-M short 3 pass wipe. 1,2,& 7. - DoD 5220.22M - The American Department of Defense 5220.22-M full 7 pass wipe. 1-7 - Gutmann Wipe - Peter Gutmann's method. (Secure Deletion of Data from Magnetic and Solid-State Memory) - PRNG Stream - Fills the device with a stream from the PRNG. - Verify only - This method only reads the device and checks that it is all zero. - HMG IS5 enhanced - Secure Sanitisation of Protectively Marked Information or Sensitive Information Unfortunately, most of these are outdated and one (the Gutmann method) is a flat out waste of time. The RCMP level 3 wipe has been superseded by CSEC ITSG-06. > What Does CSEC ITSG-06 Do? All data sanitization methods are similar, but what sets them apart from each other are the small details. For example, Write Zero is a method that only uses one pass of zeros. Gutmann overwrites the storage device with random characters, possibly up to dozens of times. However, the CSEC ITSG-06 data sanitization method is a little different in that it uses a combination of zeros and random characters, plus ones. It's usually implemented in the following way: >Pass 1: Writes a one or zero Pass 2: Writes the complement of the previously written character (e.g. one if Pass 1 was zero) Pass 3: Writes a random character and verifies the write So, it's just a 3 wipe algorithm, but it's much more advanced. Here is what I believe is the white paper on it: [IT Media Sanitization (ITSP.40.006)](https://cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006) Next is DoD 5220.22M ECE (7 wipes) and DoD 5220.22M aka DoD Short (3 wipes). These also have been superseded by standards from NIST. The DoD 5220.22M was developed during a time when we were still using tape backup drives, optical memory, EEPROM, cathode ray tubes and the like. You can read an interesting history of it on [White Canyon's DoD 5220.22-M Relevancy & The Evolution Of Wipe Standards](https://www.whitecanyon.com/white-papers/dod-relevancy). Apparently, the DoD is working on a 5200.48 standard, which they leaked the white paper on here: [DoD Instruction 5200.48 "Controlled Unclassified Information CUI](https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF?ver=2020-03-06-100640-800) (PDF). However, it may be in alpha/beta stages and not fully ready for prime time. That's why they let NIST, a very capable agency (they picked AES aka Rijndael as the standard encryption scheme, as opposed to a host of others, and it has proven to be a very fast and versatile & fast encryption standard. [Advanced Encryption Standard Process & Competition](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process) [NIST Special Publication 800-88 Revision 1 Guidelines for Media Sanitization: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf](url) These are called _NIST 800-88 Clear_ and _NIST 800-88 Purge_. Both of these are described in the above document. Finally, we have the Gutmann Wipe, which it's inventor, Peter Gutmann, has said it is outdated and unnecessary. >Most of the patterns in the Gutmann method were designed for older MFM/RLL encoded disks. Gutmann himself has noted that more modern drives no longer use these older encoding techniques, making parts of the method irrelevant. He said "**In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques**" [Source](https://en.wikipedia.org/wiki/Gutmann_method) I searched and searched for an updated version of HMG IS5 enhanced aka "HMG Infosec Standard 5", which is what the British (apparently still even currently) use to scrub sensitive data. Either that, or they are keeping their secure wipe methods very close to their chest, which is what intelligence agencies usually do anyway. There is apparently a HMG IS6 but it's still either in development or classified by the UK government. In light of that, IS5 should be fine, as I found many currenct documentats saying something along the lines of the "The British Agent will use Infosec Standard 5 to wipe the file" So, the documentation on your site says NWipe uses the following wiping techniques to wipe HDDs. However, all of them are from the 1990s, before there was SSD & Flash Memory. So I think it's time to update and use more advanced and optimized shredding techniques. I searched and searched for an updated version of HMG IS5 enhanced aka "HMG Infosec Standard 5", which is what the British (apparently still even currently) use to scrub sensitive data. Either that, or they are keeping their secure wipe methods very close to their chest, which is what intelligence agencies usually do anyway. There is apparently a HMG IS6, and I was approached by two gentlemen in suites and manhandled a little bit about finding this document. But, they eventually gave up and left. The documents read like they're only at the [green or blue paper stage](https://en.wikipedia.org/wiki/White_paper#Variants), and not [full white paper](https://en.wikipedia.org/wiki/White_paper) stage. [Use of HMG Cryptography Policy](https://security-guidance.service.justice.gov.uk/use-of-hmg-cryptography-policy/#use-of-hmg-cryptography-policy-1) left. The documents read like they're only at the [green or blue paper stage](https://en.wikipedia.org/wiki/White_paper#Variants), and not [full white paper](https://en.wikipedia.org/wiki/White_paper) stage. [Use of HMG Cryptography Policy](https://security-guidance.service.justice.gov.uk/use-of-hmg-cryptography-policy/#use-of-hmg-cryptography-policy-1) Quick Erase would be good for SSD drives, as would PRNG Stream (although it doesn't specify the levels it does that at) they have a finite number of reads/writes they can do before they are completely destroyed. It's quit a lot, but if you're wiping your SSD HDD with the Gutmann method multiple times, running CCleaner with different level wipes, wiping free space, defragging often, you're more likely to encounter SSD failure (especially on how cheap or expensive the brand of the drive is). As far as the two PSRNGs, it appears Mersenne Twister is not out of date, as much as there are better PSRNGs available, not to mention they were created in the 90s. [Letting Go Of The Mersenne Twister?](https://medium.com/asecuritysite-when-bob-met-alice/letting-go-of-the-mersenne-twister-580121f29152) The author recommends instead, using CRNGs or Crypto Random Number Generators like [url=https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom]CryptGenRandom[/url] which was developed by Microsoft, but is now deprecated by Windows other CRNGs built into the OS, you couldn't use an API call from Windows to generate the random numbers in a bootable CD/USB environment. [CryptGenRandom - Wikipedia](https://en.wikipedia.org/wiki/CryptGenRandom) - Not to mention, the source code to wincrypt.h is available on the [Wine Project's GitHub - WinCrypt.H](https://github.com/wine-mirror/wine/blob/master/include/wincrypt.h). As well as one of MIcrosoft's alternatives, [BCrypt.H](https://github.com/tpn/winsdk-10/blob/master/Include/10.0.14393.0/shared/bcrypt.h), another CRNG. Bcrypt was developed using Blowfish, Blowfish is a cryptographic algorithm developed by the famous Bruce Schneier, who also went on to make it's successor, Twofish. > Blowfish General Designers Bruce Schneier First published 1993 Successors Twofish Cipher detail Key sizes 32–448 bits Block sizes 64 bits Structure Feistel network Rounds 16 Best public cryptanalysis Four rounds of Blowfish are susceptible to a second-order differential attack (Rijmen, 1997);[1] for a class of weak keys, 14 rounds of Blowfish can be distinguished from a pseudorandom permutation (Vaudenay, 1996). So, [Bcrypt](https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom) might not be the best option, but thee are two alternative Crypto Random Number Generators w/publicly available source codes. Lets see what else we can find... There's the [AES CRT DRBG (Deterministic Random Bit Generator)](https://elixir.bootlin.com/linux/latest/source/crypto/drbg.c) Then there's the [Linear_Feedback_Shift_Register](https://en.wikipedia.org/wiki/Linear-feedback shift register) made with NIST's test suites and has some actual studies posted on it. [Linear-feedback shift register source code ](https://github.com/Nikeshbajaj/Linear_Feedback_Shift_Register). We have [NIST's SP 800-90A Rev. 1](https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final), which has a bit of a negative history because one of its PRNGs had a backdoor installed into it by the NSA. There was the [_Dual_EC_DRBG_](https://en.wikipedia.org/wiki/NIST_SP_800-90A#Backdoor_in_Dual_EC_DRBG) which was based on an elliptical curve model that had some sort of backdoor from the NSA or RSA. But, NIST patched it out and opened it back up for public comment. ["NIST Released Special Publication (SP) 800-90A Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators"](http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf) (PDF). So, you would be safe to use this one now, although I don't know why they didn't rename it Revision 2 or change any of the code numbers for the project, so it was so tainted by then. So, for individuals who still remember that, it might be a problem. Finally, there is a very promising one called [ChaCha20](https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant) that is used by NetBSD, OpenBSD, FreeBSD, and even Google when they were using their [SPDY](https://en.wikipedia.org/wiki/SPDY) protocol for faster web traffic. > ChaCha family of ciphers, which aim to increase the diffusion per round while achieving the same or slightly better performance. The Aumasson et al. paper also attacks ChaCha, achieving one round fewer: for 256 bits ChaCha6 with complexity 2139 and ChaCha7 with complexity 2248. 128 bits ChaCha6 within 2107, but claims that the attack fails to break 128 bits ChaCha7. ChaCha's initial state is similar to the initial state of Salsa20, however there are some differences. ChaCha's initial state includes a 128-bit constant, a 256-bit key, a 32-bit counter, and a 96-bit nonce, arranged as a 4×4 matrix of 32-bit words. ChaCha also re-arranges some of the words in the initial state. ChaCha is based off another algorithm called Salsa20, which uses [add–rotate–XOR ARX](https://en.wikipedia.org/wiki/Block_cipher#Operations) to generate PSRNs. The main thing is that it's fast, which is why Google choose it to help speed up web browsing. > Both ciphers are built on a pseudorandom function based on add-rotate-XOR (ARX) operations — 32-bit addition, bitwise addition (XOR) and rotation operations. The core function maps a 256-bit key, a 64-bit nonce, and a 64-bit counter to a 512-bit block of the key stream (a Salsa version with a 128-bit key also exists). This gives Salsa20 and ChaCha the unusual advantage that the user can efficiently seek to any position in the key stream in constant time. Salsa20 offers speeds of around 4–14 cycles per byte in software on modern x86 processors, and reasonable hardware performance. And since there are literally hundreds of thousands of PRNGs out there, I'm going to stop there and take a look at [ISAAC](https://en.wikipedia.org/wiki/ISAAC_(cipher)). Which looks like your standard run of the mill RNGs. Although, it is also a bit old and uses RC4, which has shown to be insecure. But that's really only if you were going to use it as algorithm to connect to a VPN or something, not really pretty much instantly generating random numbers - although security researchers have even abandoned it as a RNG and switched to other ones. [RC4-based random number generators](https://en.wikipedia.org/wiki/RC4#RC4-based_random_number_generators) > Several attacks on RC4 are able to distinguish its output from a random sequence. [Source](https://link.springer.com/content/pdf/10.1007%2F3-540-45473-X_13.pdf) Ain't that a bitch? So, I feel I've posted enough suggestions in this thread. I didn't want to make a new thread for a suggestable replacement for each algorithm (unless you really want me to) because I felt it would fill up the Issues forum with TONs of suggestions. Also, to the author(s) of this project, I think it's good and a good idea since DBAN stopped development in 2015 and has become commercial software, we need a HDD wiping tool that's good, free and open source. But, as I read through the documentation I saw the same algorithms for wiping that I've seen everywhere in the last ~15 years. So, I thought there has **GOT** to be some newer secure wiping algorithms out there that are drop in replacements for these old ones. And there are several good ones! _NIST 800-88 Clear_ and _NIST 800-88 Purge_ are much more secure than the current DoD 5220.22 one, and it works on SSDs, which DoD 5220.22 was never intended to, as it was invented before the idea of SSD and Flash memory was just a teardrop in it's father's eye. CSEC ITSG-06 also sounds very promising. I also wanted to mention you did an excellent job of porting this project to multiple operating systems and architectures. The thing is you don't need a dozen different secure wiping algorithms for the software to work good. You only need one to three good ones. People can pick for themselves. As far as RNGs, I think I would use ChaCha20 for one. Btw, I forgot to link the source code for it, which is here: [Simple C99 ChaCha20 Implementation](http://chacha20.insanecoding.org/) Then, I might give the user a second option to use a [Cryptographically-secure pseudorandom number generator](Cryptographically-secure pseudorandom number generator), of which there are many, which will slow down the overall process, but you know you'll be getting more secure entropy at the parts being wiped. Since I _believe_ this project is being written in Python, the Python library has it's on CSRNG called [Secrets](https://docs.python.org/3/library/secrets.html) although it might not be ideal for what you're using. If I'm correct that you're writing this in Python, I can dig around and try to find Python implementations of those new cryptographic algorithms to use. And just searching Google, I found a TON of people making their own Crypto RNGs just using the calls in Python's OS. Anyway, that was a long write up for me, but if you want me to break them into individual posts for each algorithm I can do so if you are actually interested in trying them. I hope that might give you a few ideas and it wasn't too boring or tedious to read. Thanks and keep up the good work! pogue

Recommend reading it if you are interested in wiping methods efficiency and shredding techniques.