Secure Erase and Release of Solid-State Drives
Overview
Solid-state drives (SSDs), otherwise known as “flash” storage, differ from hard-disk drives (HDDs) in the way that they store and handle data. It’s important to understand the differences between these two technologies in order for SSDs to be repurposed and/or disposed of securely. This KB article will consider these differences and explain the procedure involved to securely erase the contents of an SSD.
Solid-State Drive Differences
With traditional HDDs, disk removal utilities, such as DBAN, can be used to securely wipe a drive. This process involves overwriting the contents of a hard drive with random bits of data so that the original data cannot be easily recovered. When this process is repeated multiple times, the likelihood of recovering the data on the drive is reduced significantly.
Overwriting the contents of an SSD is neither secure nor efficient due to the following technologies:
Wear-level algorithms:
- Wear-leveling uses a series of techniques to extend the lifetime of an SSD. This is done using virtual mappings of physical sectors and shifting the location of data on the SSD over the course of its operation. When using a disk removal utility to overwrite an SSD, it’s probable that not all of the physical sectors will get overwritten with data. Additionally, unnecessary writes to the sectors decrease the functional lifetime of the SSD.
Overprovisioning:
- SSDs need to be overprovisioned in order to support extra write operations associated with wear-leveling. Due to this fact, the entirety of an SSD is not presented to a user within an operating system. A disk removal utility is not able to wipe the entire contents of the SSD if some of the data resides in the overprovisioned space.
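The effect of wear-leveling and overprovisioning on a host-side overwrite, shown as an added example that is not part of the original article. It is a deliberately simplified Python model of a flash translation layer; the `ToySSD` class, the page counts, and the sample data are constructed for illustration and do not reflect any vendor's firmware.

```python
class ToySSD:
    """Simplified flash translation layer (FTL) model, not any vendor's firmware."""

    def __init__(self, logical_sectors, spare_pages):
        if spare_pages < 1:
            raise ValueError("model needs at least one overprovisioned page")
        total = logical_sectors + spare_pages      # spare = overprovisioned space
        self.logical_sectors = logical_sectors
        self.pages = [None] * total                # raw physical page contents
        self.erase_count = [0] * total
        self.free = set(range(total))
        self.l2p = {}                              # logical sector -> physical page

    def write(self, lba, data):
        if not self.free:
            self._garbage_collect()
        # Wear-leveling: program the least-worn free page, never in place.
        page = min(self.free, key=lambda p: (self.erase_count[p], p))
        self.free.remove(page)
        self.pages[page] = data
        self.l2p[lba] = page                       # the previous page is stale, not erased

    def read(self, lba):
        return self.pages[self.l2p[lba]]

    def _garbage_collect(self):
        live = set(self.l2p.values())
        for page in range(len(self.pages)):
            if page not in live:
                self.pages[page] = None            # physical erase of a stale page
                self.erase_count[page] += 1
                self.free.add(page)

    def raw_dump(self):
        """Contents seen with chip-level access, bypassing the logical mapping."""
        return [d for d in self.pages if d is not None]

def overwrite_and_audit(logical_sectors=100, spare_pages=20):
    ssd = ToySSD(logical_sectors, spare_pages)
    for lba in range(logical_sectors):
        ssd.write(lba, f"SECRET-{lba}")            # constructed sample data
    for lba in range(logical_sectors):
        ssd.write(lba, "ZERO")                     # one full host-side overwrite pass
    host_view = [ssd.read(lba) for lba in range(logical_sectors)]
    leftovers = [d for d in ssd.raw_dump() if d.startswith("SECRET")]
    return host_view, leftovers

if __name__ == "__main__":
    print(len(overwrite_and_audit()[1]), "stale secret pages remain on flash")
```

In this model the host reads back only the overwrite pattern from every logical sector, while stale pages that the host cannot address directly still hold the original data.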
Methods to Securely Erase a Solid-State Drive
The following methods can be used to securely erase a solid state drive:
Sanitize:
- Also termed Block Erase, this firmware-based process performs a low-level overwrite of every physical sector on the SSD, including the overprovisioned space. This operation requires vendor-provided software. Since this process is firmware-based, it will complete quickly. Below is a list of popular SSD vendors and their respective utility for SSD management:
- ** Please note that use of this method is acceptable only when repurposing an SSD that contains only data classified as unrestricted for another use on campus.
Encryption:
Also known as Cryptographic Erase (CE), disposal of an encrypted SSD’s encryption key effectively renders the contents of the SSD unreadable. UTS has developed a vendor-neutral utility, named Cryptoshred, that leverages Windows BitLocker to perform CE. Due to security flaws discovered with SSD firmware-based CE, Cryptoshred uses software-based encryption. This will ensure the entire drive is encrypted, but it will take more time to complete.
Deciding What Action to Take
Depending on the configuration, previous contents, and the final destination of the SSD, the technician handling the request must use proper judgement in deciding what series of actions to take. The below workflow can be used to aid in making a decision. Please refer to Oakland University policy 860 Data Management and Information Security for data classification definitions:
Instructions to Create and Operate Cryptoshred Tool
Create Cryptoshred Tool
- 1) Procure a USB 3.0 flash drive. A USB 3.0 flash drive with at least 16GB is required. A USB 2.0 flash drive will be too slow.
- 2) Download a current Windows 10/11 image, such as SW_DVD5_WIN_EDU_10_1703_64BIT_English_MLF_X21-36554.ISO found at \\admnet.oakland.edu\shares\common\casoft\Windows
- 3) Use a media creation utility to create a bootable Windows To Go USB. Below are the configuration settings when creating the media using Rufus (https://rufus.ie/en/):
- Device: select the USB procured in step 1
- Boot selection: Disk or ISO image, then press SELECT and select ISO from step 2
- Image option: Windows To Go
- Partition scheme: MBR
- Target system: BIOS or UEFI.
- Advanced drive properties: List USB Hard Drives
- File system, Cluster size, and all other defaults can be left as is
- Press START
- Select Version Selection: Education
- Select Windows User Experience: Disable data collection; Set a local account using the same name as this user's
- 4) Copy the Cryptoshred script onto the Windows To Go USB Drive
- The Cryptoshred script can be found at \\admnet.oakland.edu\shares\common\casoft\Cryptoshred
- Cryptoshred.ps1
- autoShred.bat
Operate Cryptoshred Tool
- 1) On the target device where you intend to encrypt the SSD, boot to the Windows To Go USB
- 2) It will go through an initial setup process
- Make sure to not be connected to the internet
- Make sure to disconnect ethernet cable if applicable
- Do a limited setup
- If it asks to create a password, leave it blank
- 3) Open UAC
- Set to lowest
- 4) Open Windows PowerShell ISE as an administrator
- 5) Within PowerShell ISE, open the cryptoshred.ps1 script from wherever it was copied to on the Windows To Go USB
- 6) In the bottom PowerShell shell window, allow remotely-signed scripts to be run
- Type 'Set-ExecutionPolicy RemoteSigned' in the shell window and press 'Enter'
- When the 'Execution Policy Change' prompt window pops up, select 'Yes to All'
- 7) Run the script. This can be accomplished by pressing the green triangle icon at the top of the window or by pressing the keyboard shortcut 'F5'
- After this is done, some Windows Explorer windows may pop up. You may close them
- Windows that were opened within the PowerShell window should close by themselves
- 8) Check on the progress of the script
- In the bottom PowerShell shell window, type 'Get-BitLockerVolume' and press 'Enter'
- The 'Encryption Percentage' column will identify the progress of the script
- Repeat step 6 until the 'Encryption Percentage' is at '100'
- 9) After BitLocker has completed encrypting the SSD, power off the Windows To Go media and disconnect from the target device
- 10) Use a utility, such as GParted (https://gparted.org/), to ensure that the only partition on the SSD is an encrypted BitLocker volume
Best Practices
Use the following best practices when provisioning SSDs to members of the campus community:
- Do not rely on encryption provided by SSD firmware; it’s not secure
- Use Microsoft BitLocker on Windows hosts and FileVault2 on Mac hosts to encrypt SSDs
- Incorporate encryption into every new workstation build
- Make sure the SSD is fully encrypted before providing to the end user
Additional Considerations
Many new laptops and desktops ship with SSDs installed, but all mobile devices (e.g. phones, tablets, etc.) leverage SSD storage. Before repurposing a mobile device within the University or releasing it to the public, please leverage the native tools within the mobile device OS to reset the device to its factory default configuration. Use the decision matrix in the previous section to determine if a mobile device should be released to the public or destroyed.
Multi-function devices (MFDs), such as printers and scanners, also leverage SSD technology and therefore must adhere to these guidelines. Any MFDs that are managed through a vendor agreement must be returned to UTS upon decommissioning. For all other MFDs, please ensure the device is securely destroyed.
Please contact [email protected] with any additional questions or concerns.
References
NIST Special Publication 800-88R1: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Microsoft Guidance for configuring BitLocker to enforce software encryption: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028