What's new

Secure Erase SSD

GreyFox7

Super Moderator
Staff member
Thanks for the replies guys. For a home user, yes, you can hit the restore button and I'm sure you're okay. Business on the other hand....

Typically when I'm done with a PC I run DBAN and I'm done with it. DBAN won't run, and due to the UEFI requirement a lot of other utilities won't run as well.

Right now, the easiest solution appears to be: reset SP3 via restore partition --> encrypt with bitlocker (and wait for it to finish) --> restore again so it's clean when you turn it in. But does this make everything unrecoverable?
I'd think so for all practical purposes. You'd need state of the art lab equipment to extract 2nd or 3rd layer raw encrypted data from the SSD and supercomputing decryption power to crack the AES 128 bit encryption.

It also would seem likely the encryption keys are tossed when you reset. there's an option to do that in the TPM management console which makes all data unrecoverable to mere mortals. So the supercomputer decryption would have its work cut out for it. the estimate to do that is somewhere in the vicinity of half a million times the age of the universe but its likely to end before then.
 

GreyFox7

Super Moderator
Staff member
Update: There is an option during the Reset to scrub the drive before restoring the partition.


Ok, that's not me... just some guy that made a video:)
 
Last edited:
OP
J

jalpert

New Member
Wow. Great catch! The verbiage they are using is "fully clean the drive" as apposed to just deleting the files. I have to assume it uses the built in firmware features of the SSD to securely erase the drive and actually doesn't write random data.

I'm more curious than anything, but how would we found out exactly what this does? Maybe I'll call telephone tech support.

Update: There is an option during the Reset to scrub the drive before restoring the partition.


Ok, that's no me... just some guy that made a video:)
 

GreyFox7

Super Moderator
Staff member
Wow. Great catch! The verbiage they are using is "fully clean the drive" as apposed to just deleting the files. I have to assume it uses the built in firmware features of the SSD to securely erase the drive and actually doesn't write random data.

I'm more curious than anything, but how would we found out exactly what this does? Maybe I'll call telephone tech support.
I'd start something on a security research focused site ... it will get dug out. :) I'd be surprised if much detail is known outside of the devs that implemented it.

I can imagine this conversation with the tech writer... how does it work... it calls secure erase. What does that do? ... writes over the drive securely. does it work the same for all vendors drives? No, they supply drives according to spec but with different features and we use the available options. ... ... How about DOD standards? takes to long for the average consumer and DOD will use their own method anyway... :)
 

luckybob

New Member
Have learned a lot about secure erase, thanks.

By the way, I'm curious about how many seconds it will take to finish secure erase?

Meanwhile, just happen to know a wonderful activity for Renice portable native USB 3.0 SSD. Maybe useful to you as well.

they are giving away 256GB SSD drives to celebrate National Day of the PRC, see the link http://goo.gl/o9we1A

Wish we all lucky.

Thank you,

Robert
 

Mullick

New Member
Hello, Sory to dredge up an old thread. But not sure if anyone has gone through with this.

The option in reset does clear the TPM and reset the encryption keys. At least they say it is. I was presented with the following prompt at the end of my reset where i selected to remove all my data

12fc0ceb5e.png
 

Rob Cohen

New Member
Since we've dredged this up again, I have a question and comments.

Isn't any drive that is Bitlocker encrypted impossible to decrypt without the key stored on the MS server or elsewhere? So, while it's not a bad idea to use the option in reset to clear the drive and re-encrypt with a new key, if someone were to just accidentally pass on their Surface with Bitlocker actually activated, aren't the chances of recovery by another party almost zero unless they break into the Microsoft Account and get the key from there?

Not suggesting this as a best practice, even for non-business users, but wondering if they aren't pretty safe anyway as long as the drive is encrypted.

Furthermore, if you are recycling old external drives and reformat them then Bitlocker encrypt data and free space using your existing key, can't you assume they're also almost impossible to recover without the key as well?

If so, then it seems like a good practice that MS ships all (?) Surface products so that Bitlocker is engaged automatically as part of the OOBE. That way, even if a customer can't follow the instructions to reset it's unlikely the machine could be de-encrypted without the MS account being compromised.
 
Top