On 2/26/20, [email protected] <[email protected]> wrote: > I discovered there is no program to clear an SSD.
If you are using an Opal 2 compliant SSD and had created an encrypted range before formatting your partition then all that data disappears instantly when you reset the SSD. The one requirement is the SSD drive must be functional in oder to reset it, and it won't matter much if there are unuseable blocks or file corruption as all the bits on the drive, good or bad, get flipped all at once. Any used, free space, or damaged memory blocks get reset right along with the user data. The entropy values stored internally on that drive get reset so even someone having the prior password can still not regenerate the same encryption key to unlock the drive. All memory blocks that ever had your data will be meaningless 1's and 0's. On the label of the Opal 2 SSD drive there would be a long hex PSID number printed on it, and if you supply that # to the sedutil-cli command: # sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID MYPSID /dev/sdc then everything previously stored on that drive becomes unrecoverable in an instant. If you think you need a non-recoverable "panic-button" then the above command will do nicely. Nobody, not even you, is ever going to see that data again. If you also used software based encryption on top of that partition then you can be doublly sure that your personal information can never be recovered. If you install the "Pre-Boot Authentication" (PBA) to unlock the encrypted drive during the initial boot cycle then you have the additional advantage that the boot partition locking range can even be made read-only while the data is at rest. When doing this even an Evil-Maid system admin won't be messing with your system. Just remember to make it writable again before trying to apply any updates to your boot partition. Note: With enabling these SED capabilities on your primary drive you will likely be giving up laptop "suspend" capability. If you absolutely need to protect your data then this is a fair trade-off since the suspended memory image would be far too dangerous to leave laying around anyway. A hot-plug attack is the achillies heel to an Opal drive, so powering down is important anyway. https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive https://github.com/Drive-Trust-Alliance/sedutil/tree/master/LinuxPBA http://chrisarges.net/2018/02/16/using-sed-encryption-on-disks.html -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ5FDnj0v3gJFwoaw816PN%2BFkv5nSVF5mmyK4%3D2pS_vYz0r1yw%40mail.gmail.com.
