Secure Erase SSDs

I have upgraded most of my machines to SSDs, but some of the drives have been through several different machines (as I get new, larger drives, I move the old drives to a smaller machine. The smallest and oldest drives fall out the end, to be used for random testing and temporary partition swapping.)

Anyway, some of the drives in my frequently-used machines have been around the block, with multiple formats, wipes, re-installs and so forth, and I wondered whether the SSD wear-leveling was really keeping up. After looking into it a bit, I ran across the “Secure Erase” command, which appears to do a complete-chip erase and refresh. I assume this is like a microcontroller Flash bank erase — faster and better than a byte-by-byte erase, and puts the memory cells in a reliable state into which data can be written. But how to accomplish it?

Turns out, there’s a low-level Linux utility, hdparm, that knows how to send various unusual commands to devices like SSDs. And one of the commands is security-erase. There’s only one tricky bit: you have get the drive into “Not Frozen” mode before it will accept the security-erase command. Apparently, BIOSes usually “Freeze” the drive as part of detecting it (or something; I didn’t have to look into this very much, so I don’t know the details). The easiest way to unfreeze it is to power-cycle it in a way that doesn’t confuse the BIOS or the operating system, and also doesn’t trigger a Freeze event. And the easiest way to do that is to enter Suspend mode briefly.

So, if you have a spare machine with a spare SATA port, and Linux is reliably able to suspend and resume, here’s what you do:

  2. Boot Linux from some disk besides the SSD you want to erase, but with the SSD on a SATA port.
  3. Use hdparm -I /dev/YOUR_DISK to check that the disk has a security-erase command
  4. If the disk is frozen (which is likely), use pm-suspend (from the pm-utils package) to suspend the machine. After it suspends, hit a key or the power button to wake it up again.
  5. Use hdparm -I /dev/YOUR_DISK again to check that the disk is no longer frozen
  6. Set a password using hdparm. This might as well be a simple one, since the next step will clear it. Or, if the next step fails, you will want to be able to remember and unset the password!
  7. Issue the security-erase command. This will take a few seconds to a few minutes to complete.
  8. Make a final hdparm -I check to see that the disk is happy and no longer password-protected. The entire thing should be zeroed; you can check a few sectors, or even try cmp /dev/zero /dev/YOUR_DISK to make sure the whole thing reads 0.
  9. Enjoy your refreshed SSD — partition it, make filesystems and restore your data.
  10. No, wait! Your SSD is full of zeros, so anything you add can easily be identified. Even if you’re using an encrypted filesystem (which you should be doing!) an adversary can see where you’ve stored stuff, and where you haven’t. So:
  11. Fill the newly-erased SSD with random data. dd if=/dev/urandom of=/dev/YOUR_DISK bs=128M (WARNING: This command will overwrite your disk and delete any data on it, although if you’ve followed the previous steps, there shouldn’t be anything there.)

I learned most of this information from Thomas Krenn’s Wiki.

My first few attempts were done using a Gigabyte GB-BXBT-1900 mini PC — a solid little machine that I bought to replace an older, underpowered Foxconn i1250-T that had stopped booting reliably after power outages. The Gigabyte turned out to have BIOS booting problems itself, but after a day’s adventure with GRUB2, it seems to be working OK. And it handled the SSD erasing without issue. The Foxconn seems to have hardware problems, which no amount of learning will do much for.

“But what if I have a Mac?” you ask. Well, it turns out that you can do exactly the same thing on (some?) Intel Macs. At least, I was able to do it with a 2012 13″ non-Retina MacBook — I erased its SSD without even opening the case. Here’s how:

  1. Make a USB Flash drive with a Debian-8 install CD or DVD.
  2. Boot the Debian installer on the Mac (Try it! It works!)
  3. Install Debian onto an external USB drive attached to the Mac
  4. Figure out how to boot that external USB drive (this was the trickiest part, but fortunately I’d just spent a day learning more than I ever wanted to know about GRUB2 while trying to get around the Gigabyte BIOS booting problems.)
  5. Install hdparm and pm-utils on the newly-installed Debian system.
  6. Now just do the same steps as before, and make sure you point at the internal SSD that you want to erase. Piece o’ cake!

Now I can refresh all my Mac SSDs in-place, even if I’m not upgrading the disks. This’ll come in handy for my iMac, which is a PITA to get inside.