Q: Zero Out Data on a SSD drive: Are my findings correct?

The SSD controller encrypts the data it writes to NAND memory with a random key stored internally. When you reformat the drive, the key is erased.

Linc,

Is that documented anywhere?

Yes, but I don't have a link. Remote Wipe on iOS devices works the same way.

Secure erase is not removed from the CLI version of Disk Utility (see below).

diskutil secureErase -help

Usage:  diskutil secureErase [freespace] level MountPoint|DiskIdentifier|DeviceNode

Securely erases either a whole disk or a volume's freespace.

Level should be one of the following:

        0 - Single-pass zeros.

        1 - Single-pass random numbers.

        2 - US DoD 7-pass secure erase.

        3 - Gutmann algorithm 35-pass secure erase.

        4 - US DoE 3-pass secure erase.

Ownership of the affected disk is required.

Note: Level 2, 3, or 4 secure erases can take an extremely long time.

ex: diskutil secureErase 4 disk5

Secure erase will not do anything to an SSD except wear it out sooner.

New writes are made to areas of the SSD that have not been previously used.  This is part of the wear leveling process.

Retired Engineer, do you have any references?  What I have read says otherwise. 

Drive Wear & Tear

What is your estimation of wear and tear on the flash by writing to 0's.  What percentage of the drives total usage has been "wasted"?  I thought even consumer drives where capable of 1000 - 10000 rewrites per cell, whereas enterprise SSDs are capable of over 100,000: http://www.computerworld.com/s/article/9112065/Solid_state_disk_lackluster_for_l aptops_PCs?taxonomyId=19&pageNumber=1&taxonomyName=Storage.

"For one thing, it matters whether the SSD drive uses SLC or MLC memory. SLC generally endures up to 100,000 write cycles or writes per cell, while MLC can endure anywhere from 1,000 to 10,000 writes before it begins to fail, according to Fujitsu's Hagberg. For its part, Western Digital's laptop hard-disk drive boasts up to 600,000 write cycles."

That's an old artcile too.  Slightly newer, in late 2008 Micron/Sun achieved SLC NAND chips capable of over 1,000,000 write cycles: http://investors.micron.com/releasedetail.cfm?ReleaseID=440650 .  I imagine things have gotten slightly better in the last 4 years.

Data Wiping

This paper (http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf) states, "In most cases, overwriting the entire disk twice was sufficient to sanitize the disk, regardless of the previous state of the drive."

Going on however, "Overall, the results for overwriting are poor: while overwriting appears to be effective in some cases across a wide range of drives, it is clearly not universally reliable. It seems unlikely that an individual or organization expending the effort to sanitize a device would be satisfied with this level of performance."

The best method I have found for wiping an SSD on a Mac is the (SAFE) Scramble and Finally Erase process as described in this UC San Diego research paper: http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963-Safe.pdf.

According to their paper, the effectiveness of the procedure is equiavlent to degaussing a magentic drive. Another tidbit, the SAFE technique is replicated by Sandforce controller when someone reformats the drive (as mentioned by Linc Davis above, however, I believe this is specific only to Sandforce controllers).

References:

http://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

http://www.computerworld.com/s/article/9211519/Can_data_stored_on_an_SSD_be_secu red_

http://arstechnica.com/security/2011/03/ask-ars-how-can-i-safely-erase-the-data- from-my-ssd-drive/

http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf

http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963-Safe.pdf

Does anyone have confirmation of Linc's original answer (that a basic reformat is sufficient for secure erasure because it erases the internal random key that the controller uses to write to the memory)? I need to wipe some data from my old MBP before I pass it on to somebody, and every suggestion that I've seen for sanitising the drive seems horribly complex -- except for Linc's.

One suggestion (made elsewhere) that made sense was to turn on Filevault to encrypt the drive's data, THEN reformat -- anything retrievable after the reformat would then be encrypted and useless. But for some reason my MBP won't let me turn on Filevault (claiming something about the drive having the wrong formatting system or something and suggesting that I reformat the drive in order to use filevault. That seems pointless to me since I'm only turning on Filevault so that I can reformat the drive *afterward*).

So if somebody have confirm or verify Linc's assertion that reformatting the drive will make data effectively unrecoverable, then that's the route for me. I've done some googling but haven't been able to turn up anything to confirm the statement.

I should add that this is a retro-fitted third party (Samsung) SSD, not one supplied by Apple.

Can anyone confirm Linc's claim?

Linc's answer is partially true, however it is presented as if it applies to all SSDs ever made, which it does not. A good discussion on wiping SSDs is over here on ServerFault http://serverfault.com/questions/282555/zeroing-ssd-drives

Linc,

An entry in the Apple knowledge base reads:

     Note: With an SSD drive, Secure Erase and Erasing Free Space are not available in Disk Utility. These options are not needed for an SSD drive because a standard erase makes it difficult to recover data from an SSD. For more security, consider turning on FileVault encryption when you start using your SSD drive.

When I contacted Apple (both through the genius bar and by calling technical support), they also assured me that a simple erase was sufficient with SSD's. However, most of the literature on SSD's suggests that this isn't really the case, since SSD's can leave behind many copies of blocks, and since there are free space areas of the SSD that are inaccessible to anything above the SSD controller.

Your answer (that Macs always encrypt the drive with a random key and then simply throw the key out on an erase) seems to reconcile these two views of SSD security. However, the SSD I want to clear is very old (it came with my 2010 MacBook Pro), so I would like to find out more about whether this has always been the case. Do you have any more details about whether this applies only to particular drives? Is there a name for this feature that I could google for more information?

Thanks!