Question: Is ShredOS good for securely erasing data?

Hello everyone!

We are looking for your help regarding ShredOS !

So far the only software we knew for securely erasing HDDs (Hard Disk Drives) was DBAN (Darik’s Boot and Nuke), which worked fine until we had our first SSD.

Because of its nature, DBAN won’t work on SSDs, and we were wondering whether ShredOS could help us instead.

We need some feedback from those who have already had the chance to use it before moving forward, and we hope you can help us!

If you have already used ShredOS:

  • How does it work?
  • Is it reliable?
  • Does it work with both HDDs and SSDs?
  • Do you think it could be installed and used from USB sticks or over a PXE network?
  • Is it easy to use?

Thank you :smiley: !!

You say “by its nature” DBAN won’t work on SSDs. Can you explain please? DBAN, nwipe and ShredOS all use essentially the same code to do the wiping, with (as far as I can make out) pretty much identical user interface. I’ve used DBAN and nwipe a fair few times but ShredOS is new to me. But it should do the same job. Maybe DBAN no longer boots easily under UEFI. Apart from that I wouldn’t worry about lack of updates. It doesn’t connect to the Internet (or any network) so its attack surface is essentially zero.

It’s important to note, though, that it’s not possible to reliably wipe an SSD. If you write to every addressable sector, it’ll simply allocate new sectors for the zeros you’re writing - but the drive’s garbage collection will already have cleared them. Previously existing data will remain in sectors awaiting recycling, and if the drive has detected that any are giving soft errors above a certain threshold they will be permanently left in a pool of worn sectors. Multiple overwrites are completely pointless, except in as much as they may result in all viable sectors being recycled at least once. But even so, a specialist data recovery firm could probably unsolder the storage chips and recover some data, even if only from disused worn sectors, for a 3- or 4-figure sum.

It may be that DBAN is built on a Linux which doesn’t understand TRIM, but since you’re writing to every addressable sector, I can’t see that TRIM would make a difference. TRIM is explained in the wiki.

The TL;DR? Unless the intelligence services of a nation state might be interested in the data, DBAN, nwipe or ShredOS should all be fine. If you’re a drug baron, then yeah, go ahead and use it! (And with a bit of luck the Serious Crime Squad might still be able to get enough evidence to put you away.)

4 Likes

Thanks @philip .

I also had not heard of ShredOS previously, and it does indeed seem to operate in much the same way as DBAN.

I wanted to better understand your following statement though:

it’s not possible to reliably wipe an SSD

Is this 100% true? Because if true, then giving a second lease of life to SSDs is not possible in many cases? I’m thinking about the big scandal of many corporates which prefer to destroy storage media rather than passing them on. We’d like to avoid such practices in the future.

I’m not a fan of Blancco or any other proprietary software company - however, they claim that their patented solution can be used to “securely erase sensitive data from HDDs and complex SSDs in desktop/laptop computers and servers. Through our patented SSD erasure process and technology, organizations now have a secure method to handle end-of-life storage devices safely”

(Blancco bought DBAN in 2012)

So, is the issue that no free and open source software solution provides secure wiping of SSDs? It’d be useful to better understand. Especially as with the Fixing Factory project we’re looking at repurposing lots of laptops, and while we always prefer FLOSS options, we need to know what the relative advantages of a proprietary option would be (if any!)

We already know that for some devices, data deletion from SSD isn’t a problem: I’m thinking about Android devices or Chromebooks, whereby full data deletion is possible, via the deletion of the encryption key, which is considered sufficient in rendering the device secure to reuse for a new user [obviously you’d need to believe that the encryption key is indeed deleted!]

Finally, to your point that

Unless the intelligence services of a nation state might be interested in the data

I hear you - but many corporate players insist on removing and destroying storage before passing on their laptops. If we want to reduce waste further, it’d be great to be able to ensure that SSDs as well as HDDs can be confidently reused, so any additional detail you or others can share will be very helpful. Thanks! :slight_smile:

One technique is to only ever write encrypted data to the drives. In that case, you erase them simply by ensuring the encryption keys are destroyed.

We used that inside corporate for reusing disks ourselves, but still they never left the premises without going through a mechanical disk shredder. It would be impossible to justify the risk of confidential data leaking for the sake of the value of a second-hand disk drive.


Shredded disks

First, replying to Ugo:

It’s all about risk assessment. In a corporate environment there may be heavy penalties for loss of personal data and serious consequences for loss of IP, hence you need to be sure the data is gone. Handing it to volunteers who say they’ll do their best but have no formal accreditations is not an option. In government, they tend to be paranoid about national security, and they require you to be absolutely sure. But if you’re simply recycling machines from consumer environments, well, there’s the possibility, if very faint, that residual data from an improperly wiped disk could be used to steal someone’s life savings or subject them to blackmail. But if that happened I’m sure you could argue that you took all reasonable measures and it was ultimately the original owner’s responsibility for his data…

So in an HMG environment they’d use Blancco if they really had to, but hard to see a situation where they wouldn’t just shred them and save a lot of time and trouble, though at an environmental cost. But in our situation I feel we can be perfectly happy using DBAN or ShredOS. To cover ourselves perhaps we should say to a donor that we will sanitise data to best commercial practice, but if you REALLY want to be sure it’s gone, take responsibility for it yourself.

To answer Andrew’s point, yes, best practice is to encrypt a disk before you write any user data to it. So long as you use a good password, you’ve completely bypassed the problem. But that advice is not much good retrospectively since residual unencrypted data may remain if you encrypt a disk already holding sensitive info.

2 Likes

Thanks Philip!

This makes sense. If we were to process donations from businesses in the future, we would need to revisit this - unless they were corporates operating in the same way as described by Andrew.

Regarding @Andrew_Gabriel’s useful reality check, while I understand the reasons, the impact is massive if you start counting thousands and thousands (millions!) of corporate laptops being replaced frequently, well ahead of their end of life. So destroying all these hard drives is in some cases far from sustainable. There has to be a better way - it’s not just the financial value, it’s the planetary impact.

The problem with SSDs is that the control system on the SSD can map sectors and writing to a file or disk block does not mean that the data from that block is gone. Retrieving data orphaned in this way is very difficult, would require removing memory chips from the board and then dumping the contents, then being able to reconstruct the drive data, then the filesystem layer.

ShredOS uses an updated version of the program that DBAN uses. If you have a Linux system you can use these directly. shred is also a command line tool that will erase a file, disk partition or physical disk. But only as far as the controller allows this to happen.

The ATA command set also includes commands to erase data blocks, but these are not consistently implemented, and may not give any indication of success or failure.

As @Andrew_Gabriel mentions above, the best option is to use full disk encryption from the start, so erasing the key effectively erases the data and you never need to worry about orphaned sectors.

1 Like
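The two points made in the posts above (a host-side overwrite never reaches the orphaned and worn pages behind the SSD’s controller, whereas encrypting before the first write lets you erase by destroying the key) can be made concrete with a small flash-translation-layer simulation. This is an added illustration, not code from ShredOS, nwipe or DBAN, and the page size, the over-provisioning ratio, which pages count as “worn”, and the HMAC-based toy stream cipher are all constructed for the demonstration; real full-disk encryption uses AES-XTS, not this cipher.

```python
"""Toy SSD with a flash translation layer (FTL).

Shows why writing to every logical block does not overwrite every physical
page, and why encrypting before the first write lets you erase by destroying
the key. Added illustration only; sizes, the retired-page rule and the toy
cipher are constructed for the demo (real FDE uses AES-XTS).
"""
import hashlib
import hmac
import os

PAGE = 16        # bytes per flash page (toy size)
LOGICAL = 8      # pages the host can address
PHYSICAL = 12    # pages actually on the chips: over-provisioning
WORN = {3, 5}    # constructed: pages the controller retires instead of erasing

# Constructed sample records, one per logical page.
SECRETS = [f"secret record {i:02d}".encode() for i in range(LOGICAL)]


class ToySSD:
    """Out-of-place writes, garbage collection only when free pages run out,
    and worn pages retired with their contents left on the die."""

    def __init__(self):
        self.flash = [None] * PHYSICAL    # None = erased page
        self.l2p = {}                     # logical page -> physical page
        self.free = list(range(PHYSICAL))
        self.retired = set()

    def write(self, lba, data):
        assert 0 <= lba < LOGICAL and len(data) == PAGE
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.flash[page] = bytes(data)   # the old page for this LBA is untouched
        self.l2p[lba] = page

    def _garbage_collect(self):
        live = set(self.l2p.values())
        for page, content in enumerate(self.flash):
            if content is None or page in live or page in self.retired:
                continue
            if page in WORN:
                self.retired.add(page)    # never erased again; data stays on the die
            else:
                self.flash[page] = None
                self.free.append(page)
        assert self.free, "toy drive ran out of usable pages"

    def read(self, lba):
        """What the host sees: unmapped pages read back as zeros."""
        return self.flash[self.l2p[lba]] if lba in self.l2p else bytes(PAGE)

    def chip_off(self):
        """What a lab sees after desoldering the chips: every page holding data."""
        return [c for c in self.flash if c is not None]


def keystream(key, lba):
    # Toy per-page keystream; stands in for a real disk cipher.
    return hmac.new(key, lba.to_bytes(4, "big"), hashlib.sha256).digest()[:PAGE]


def xor_page(key, lba, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, lba)))


def fill(ssd, key=None):
    for lba, record in enumerate(SECRETS):
        ssd.write(lba, xor_page(key, lba, record) if key else record)


def host_overwrite(ssd):
    """What a DBAN-style pass looks like to the drive: one write per LBA."""
    for lba in range(LOGICAL):
        ssd.write(lba, bytes(PAGE))


def host_sees_clean(ssd):
    return all(ssd.read(lba) == bytes(PAGE) for lba in range(LOGICAL))


def plaintext_on_die(ssd):
    return sum(1 for page in ssd.chip_off() if page in SECRETS)


def demo_overwrite():
    """Host reads all zeros, yet two retired pages and one not-yet-collected
    stale page still hold the original records."""
    ssd = ToySSD()
    fill(ssd)
    host_overwrite(ssd)
    return host_sees_clean(ssd), plaintext_on_die(ssd)   # (True, 3)


def demo_crypto_erase():
    """Only ciphertext ever touches the flash; dropping the key is the erase."""
    key = os.urandom(32)
    ssd = ToySSD()
    fill(ssd, key)
    readable = xor_page(key, 0, ssd.read(0)) == SECRETS[0]
    del key                                    # crypto-erase: no writes needed
    return readable, plaintext_on_die(ssd)     # (True, 0)


if __name__ == "__main__":
    print("overwrite:    host clean / plaintext pages on die =", demo_overwrite())
    print("crypto-erase: readable with key / plaintext pages on die =", demo_crypto_erase())
```

The overwrite run ends with the host reading zeros everywhere while three physical pages still carry records: two the controller retired as worn and one left stale because nothing forced another collection. The encrypted run never has plaintext on the die at all, so the only thing to destroy is the key, which is exactly the Android/Chromebook/Apple model discussed later in the thread.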

As has been pointed out it really depends on the threat model.

If either the SSD is hardware encrypted or software full-disk encryption has been used, then it can be securely wiped by deleting the encryption key.

Otherwise a non-secure wipe can be done on most SSDs with the erase command available in their drivers. See for instance https://www.hp.com/us-en/shop/tech-takes/how-to-secure-erase-ssd

I had thought one could overwrite the SSD’s data, apart from possibly a few spare sectors, by creating a file as big as the capacity of the SSD and writing/copying it to the SSD. However, a little research shows that this idea is best avoided as both ineffective and risky for the SSD, unless things have changed since this comment and the original Sophos paper: https://security.stackexchange.com/questions/5662/is-it-enough-to-only-wipe-a-flash-drive-once#5665

There has been a well documented case of GCHQ ensuring data was not recoverable, but at that time the laptop, Snowden’s, had a hard disk. I haven’t seen a similar account of the destruction of an SSD to national security standard level.

1 Like
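The ATA erase command mentioned in the last two posts is what `hdparm` calls ATA Security Erase, and the two ways it commonly fails silently are a drive the BIOS has left in the “frozen” state and a drive that already has a user password set. The following is an added example, not ShredOS or nwipe code: it parses `hdparm -I` output, refuses those states, builds the real `hdparm` (and, for NVMe, `nvme format`) command lines, and produces the serial-number audit line recommended further down the thread. The device names, the password `p` and the sample identify text are constructed.

```python
"""Plan an ATA Security Erase from `hdparm -I` output, refusing the states in
which it silently fails, and keep an audit record of what was issued.

Added example, not ShredOS/nwipe code. The hdparm and nvme-cli flags are the
real ones; device names, password and sample identify text are constructed.
"""
import datetime
import re
import subprocess
from dataclasses import dataclass


@dataclass
class AtaSecurity:
    serial: str
    supported: bool
    enabled: bool
    frozen: bool
    enhanced: bool


def parse_identify(text: str) -> AtaSecurity:
    """Pull the serial number and the Security block out of `hdparm -I` output."""
    m = re.search(r"Serial Number:\s*(\S+)", text)
    serial = m.group(1) if m else "unknown"
    block, inside = [], False
    for line in text.splitlines():
        if line.startswith("Security:"):
            inside = True
            continue
        if inside and line and not line[0].isspace():
            break                      # next top-level section
        if inside:
            block.append(line.strip())
    # hdparm prints "supported"/"frozen" for set bits and "not\tfrozen" otherwise,
    # so exact-line membership tests distinguish the two.
    return AtaSecurity(
        serial=serial,
        supported="supported" in block,
        enabled="enabled" in block,
        frozen="frozen" in block,
        enhanced="supported: enhanced erase" in block,
    )


def plan_ata_erase(dev: str, sec: AtaSecurity, password: str = "p"):
    """Return the hdparm commands to run, or raise with the reason not to."""
    if not sec.supported:
        raise ValueError(f"{dev}: ATA Security not supported; use the vendor tool")
    if sec.frozen:
        raise ValueError(f"{dev}: security frozen by firmware; suspend/resume or "
                         "hot-plug the drive, then re-check")
    if sec.enabled:
        raise ValueError(f"{dev}: a user password is already set; erase with that "
                         "password rather than setting a new one")
    erase = "--security-erase-enhanced" if sec.enhanced else "--security-erase"
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", password, dev],
        ["hdparm", "--user-master", "u", erase, password, dev],
    ]


def plan_nvme_format(dev: str, crypto: bool) -> list:
    # nvme-cli: --ses=2 is cryptographic erase, --ses=1 is user-data erase
    return ["nvme", "format", dev, f"--ses={2 if crypto else 1}"]


def audit_record(dev: str, sec: AtaSecurity, cmds) -> str:
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    return f"{stamp} {dev} serial={sec.serial} " + " ; ".join(" ".join(c) for c in cmds)


def erase(dev: str, dry_run: bool = True) -> str:
    """Against a real drive: identify, plan, optionally execute, return the audit line."""
    ident = subprocess.run(["hdparm", "-I", dev], capture_output=True,
                           text=True, check=True).stdout
    sec = parse_identify(ident)
    cmds = plan_ata_erase(dev, sec)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return audit_record(dev, sec, cmds)


# Constructed sample of the relevant parts of `hdparm -I` output.
SAMPLE_READY = """\
/dev/sdX:

ATA device, with non-removable media
\tModel Number:       Example SSD (constructed)
\tSerial Number:      CONSTRUCTED-0001
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""
SAMPLE_FROZEN = SAMPLE_READY.replace("\tnot\tfrozen", "\t\tfrozen")

if __name__ == "__main__":
    ready = parse_identify(SAMPLE_READY)
    print(audit_record("/dev/sdX", ready, plan_ata_erase("/dev/sdX", ready)))
    try:
        plan_ata_erase("/dev/sdX", parse_identify(SAMPLE_FROZEN))
    except ValueError as e:
        print("refused:", e)
```

Because, as noted above, the drive may report nothing useful about success, check afterwards rather than trusting the command: run `hdparm -I` again and confirm the Security block is back to “not enabled”, then read a few sectors from the start, middle and end of the device (for example with `dd` piped into `hexdump`) and confirm they are blank. The `dry_run` default means `erase()` only prints the plan until you have confirmed you are pointing at the right device.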

CCleaner has a free version that will erase data on any drive, as many times as you like.
Maybe this would be a better solution.

Yes, but not the system drive. This is good if you can connect the drive to be wiped to a spare SATA port on a desktop or as an external drive with a USB adapter (provided it’s USB 3), but if you can do that you might as well use DBAN or ShredOS and avoid any uncertainty about what the Windows disk driver might be doing to “optimise” it.

1 Like

Another data erasure option that unfortunately doesn’t allow for the reuse of the drive but feels very satisfactory:

3 Likes

Been following this thread with interest, having been involved in data destruction on a commercial level. Data destruction methods need to be taken seriously when dealing with sensitive data such as items donated from a school, college, NHS establishment etc., and the ICO have strict guidelines. In the UK we are governed mainly by the ICO under GDPR to destroy data using HMG Information Assurance Standard No 5. It might also be worth reading Security Standard Secure Sanitisation and Destruction (SS-036) (publishing.service.gov.uk). I have found the most effective form of data destruction is the physical destruction of the drive using a crushing device; however, this would mean the drive would have to be processed for scrap and couldn’t be used again, perfect if you’re upgrading machines to SSDs, but not handy if you’re planning on re-using the hard disk.

WipeDrive and other such tools can be quite costly, particularly when you have to purchase a license to destroy each disk (only if successful); however, we have found that LSoft’s KillDisk works just as well. A one-off payment for purchase, and it adheres to all the standards of data destruction, as far as we have seen, and it will produce customised data destruction certificates, perfect for commercial customers. One final solution may be to purchase the Standalone Eraser Dock from StarTech, cost effective after the initial £227.00 investment, and it allows disks to be reused; if you need to produce data destruction certificates, attach the standalone device to an EPOS till printer to print certification / data destruction records.

3 Likes

I suspect IS5 is pretty dated. I’d be glad if you could tell me whether there’s a later version than Issue 4 2011 (referred to by Wikipedia) that I had official access to as a CLAS Consultant back then. That and SS-036 apply to Official and Classified data, for which you have to be paranoid, but outside that sphere we’re only required to take all reasonable precautions. For example, NCSC guidance for smartphones and tablets is simply to do a full factory reset, which might theoretically leave valid data in disused pages of flash memory. Hopefully, even so, it’d be encrypted with an erased key, but can you be sure? No, which is why in government and defence that wouldn’t be good enough. But for us, NCSC says that for devices donated for reuse, even though they might contain personal data, the tiny residual risk is acceptable.

Applying the same principle to hard disks, well known and reputable products like DBAN, Linux nwipe or ShredOS should be just fine. Even in government and defence you’d never use the expensive paid-for products except for reuse at the same classification level, for example to sanitise a laptop used for penetration testing between assignments.

But most of the time, since it can take over 24 hours to wipe a large disk it’s often just not economic. SS-036 recommends shredding but that’s not an option for most of us. Which is why I wrote 2 iFixit guides, one for hard disks and one for SSDs and memory sticks, which would even leave a major national intelligence agency struggling to recover so much as a few bytes here and a few bytes there.

All that said, I would strongly recommend keeping records of the origin and serial numbers of wiped or destroyed disks, so if an auditor were to ask you to account for the hard disk out of Brian’s laptop, you could say “Yep, we received it on such and such a date, and Steve has certified that he drove a nail through it in two places 3 days later”.

3 Likes

Contrary to what I thought, on most recent Apple hardware the SSD is always encrypted even if one doesn’t enable FileVault.

A comment on the Mac Admins Slack:

from some prior research I did years ago: iPhone 3GS and newer, iPod touch (3rd Generation) and newer, and all iPads have hardware encryption.

And from https://eclecticlight.co/2023/03/31/why-you-should-enable-filevault/

[For] Intel Macs with a T2 chip and Apple silicon Macs
The Data volume on the internal SSD is always encrypted, and can’t be run unencrypted. Although this might suggest that FileVault is superfluous, it adds valuable protection at absolutely no cost.

Default encryption with FileVault turned off uses two keys generated internally, to protect the key used to perform the encryption of the volume, known as the Volume Encryption Key or VEK. While these keys are protected in the Secure Enclave, they don’t rely on any external secret such as a password.

So it is fast and easy to securely delete the SSD, by destroying its encryption key, of iPhone 3GS and newer, iPod Touch 3rd Gen and newer, all iPads, Intel Macs with a T2 chip and Apple silicon Macs.

1 Like