Wandering Thoughts archives

2023-03-04

How secure is merely discarding (TRIMing) all of a SSD's blocks?

Suppose hypothetically that you have some SSDs to securely dispose of, and that for one reason or another you can't use built-in SSD secure erase on them, for example (apparently) because your BIOS automatically locks out that option when it boots. You might wonder how well protected you are if you simply tell the SSD to discard all of its data. Unsurprisingly, the answer is that it depends.

First off, any SSD you want to use today will support what's called 'Deterministic Read After TRIM (DRAT)', where the SSD will always return a fixed result when you read data after a TRIM operation. Some SSDs also promise to always return zeros in this situation; this is 'Deterministic read ZEROs after TRIM', variously abbreviated as 'DZAT', 'RZAT', or 'DRZAT'. These are the (S)ATA versions, but NVMe has a similar system. All of these mean that once you TRIM the entire drive, the previous data on the drive can't be read through normal means, so someone who gets your drive and puts it in a computer will get garbage (or possibly errors on NVMe drives).

(My impression is that vendors initially supported DZAT only on higher end (or at least more expensive) SSDs they sold for use in RAID arrays, although support for this seems to have trickled down to at least some modern consumer SSDs. Supporting DRAT but not DZAT strikes me as mostly a market segmentation thing; if you're going to be deterministic, making it always zero seems as easy as anything else.)

If the drive then goes on to actually erase all of the flash blocks with any copies of what you've TRIM'd, then as far as I know the data is completely unrecoverable. Flash storage, unlike traditional hard drives, can really be completely and irrecoverably erased, with no lingering magnetic ghosts that a sufficiently determined person could in theory reconstruct. However, SSDs don't particularly promise to actually erase all of your blocks after you've TRIM'd them. Erasing blocks is a time- and power-consuming activity, so while a SSD probably wants to keep a pool of already erased blocks for new writes, it might not keep going at full pace once it thinks it has a big enough pool. SSDs make no promises here and as far as I know there is no reliable, normal way to tell how many erased blocks they have or whether they've erased all your blocks. Letting a TRIM'd SSD sit powered on but idle for minutes or hours likely increases your chances that everything gets erased, but doesn't guarantee it. There's also no certainty that a SSD will erase a block that it's decided is too unreliable to reuse.

The lack of certainty on erasure matters because SSDs can be put into a special factory mode that generally allows raw access to the flash storage and lets you stop the SSD from doing any further block erasure. If you can put a drive into this state, you can read out TRIM'd but not yet erased blocks, although you may not know what logical blocks they were. Serious data recovery companies can probably put pretty much any SSD from any mainline maker into this recovery mode, which means that anyone who wants to spend enough money can probably pull out any not yet erased data from a TRIM'd drive. If they can't get the pre-TRIM mapping of logical blocks to flash storage, making sense of the result may take a lot of work, but it's probably not impossible.

So on my taxonomy of who you're trying to stop when securely erasing disks, simply TRIM'ing your SSDs definitely stops the basic threat of 'someone plugs it into a computer and tries', but probably doesn't entirely stop the threat of 'someone is willing to spend a bunch of money to send it to a data recovery firm'. Letting your drives sit so that they erase as many blocks as possible will make the life of the second sort of person harder, but not impossible.

(TRIM'ing your SSD and then filling it up with new junk data will probably help here, because it will push the drive to erase almost everything. Randomly rewriting scattered bits afterward with more junk will probably push the drive into erasing its overprovisioned blocks too. But all of that is a speculative guess, because SSDs are black boxes. If this matters a lot to you, you want to use SSDs that have good implementations of secure erase. How you find out what those SSDs are, I don't know.)

(Under Linux, you can use 'hdparm -I' to see what SATA SSDs support (or claim to), and see this stackexchange question and answer for how to do it on NVMe drives.)
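As an added example (not code from the post), here is a small POSIX shell script that classifies what a SATA SSD advertises about reads after TRIM, based on the feature lines that 'hdparm -I' prints. The feature-line wording is hdparm's own; the sample outputs are constructed, and the device node you hand to check_device is your choice.

```shell
#!/bin/sh
# Classify an ATA SSD's advertised post-TRIM read behaviour from the
# 'Commands/features:' lines of 'hdparm -I'. Reads that text on stdin
# and prints one of:
#   DZAT       TRIM supported, deterministic zeros after TRIM
#   DRAT       TRIM supported, deterministic but unspecified data after TRIM
#   TRIM-ONLY  TRIM supported, nothing promised about later reads
#   NO-TRIM    no Data Set Management TRIM support advertised
# Note: even DZAT only says what a read *returns*; it says nothing about
# whether the flash blocks behind the TRIM'd LBAs were actually erased.
classify_trim_support() {
    input=$(cat)
    case $input in
        *"Data Set Management TRIM supported"*) ;;
        *) echo NO-TRIM; return 0 ;;
    esac
    case $input in
        *"Deterministic read ZEROs after TRIM"*) echo DZAT ;;
        *"Deterministic read data after TRIM"*)  echo DRAT ;;
        *) echo TRIM-ONLY ;;
    esac
}

# Run against a real drive (needs root); the device node is an assumption.
check_device() {
    hdparm -I "$1" | classify_trim_support
}

# Constructed samples in the shape of hdparm -I feature lines (not captured
# from real drives).
SAMPLE_DZAT="$(printf '\t   *\tData Set Management TRIM supported (limit 8 blocks)\n\t   *\tDeterministic read ZEROs after TRIM\n')"
SAMPLE_DRAT="$(printf '\t   *\tData Set Management TRIM supported (limit 1 block)\n\t   *\tDeterministic read data after TRIM\n')"
SAMPLE_NOTRIM="$(printf '\t   *\tSMART feature set\n\t   *\tSecurity Mode feature set\n')"

# Walk the samples so the script does something useful stand-alone;
# replace with e.g. check_device /dev/sda to look at a real drive.
for s in "$SAMPLE_DZAT" "$SAMPLE_DRAT" "$SAMPLE_NOTRIM"; do
    printf '%s\n' "$s" | classify_trim_support
done
```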

tech/SSDBlockDiscardHowSecure written at 22:48:35
