Question: Is ShredOS good for securely erasing data?

Hello everyone!

We are looking for your help regarding ShredOS!

So far the only software we knew for securely erasing HDDs (Hard Disk Drives) was DBAN (Darik’s Boot and Nuke), which worked fine until we had our first SSD.

Because of its nature, DBAN won’t work on SSDs and we were wondering if ShredOS could help us instead.

We need some feedback from anyone who has already had the chance to use it before moving forward and we hope you can help us!

If you have already used ShredOS:

  • How does it work?
  • Is it reliable?
  • Does it work with both HDDs and SSDs?
  • Do you think it could be installed and used on USBs or PXE network?
  • Is it easy to use?

Thank you!!

You say “by its nature” DBAN won’t work on SSDs. Can you explain please? DBAN, nwipe and ShredOS all use essentially the same code to do the wiping, with (as far as I can make out) pretty much identical user interface. I’ve used DBAN and nwipe a fair few times but ShredOS is new to me. But it should do the same job. Maybe DBAN no longer boots easily under UEFI. Apart from that I wouldn’t worry about lack of updates. It doesn’t connect to the Internet (or any network) so its attack surface is essentially zero.

It’s important to note, though, that it’s not possible to reliably wipe an SSD. If you write to every addressable sector, it’ll simply allocate new sectors for the zeros you’re writing - but the drive’s garbage collection will already have cleared them. Previous existing data will remain in sectors awaiting recycling, and if the drive has detected that any are giving soft errors above a certain threshold they will be permanently left in a pool of worn sectors. Multiple overwrites are completely pointless, except inasmuch as they may result in all viable sectors being recycled at least once. But even so, a specialist data recovery firm could probably unsolder the storage chips and recover some data, even if only from disused worn sectors, for a 3 or 4 figure sum.

It may be that DBAN is built on a Linux which doesn’t understand TRIM, but since you’re writing to every addressable sector, I can’t see that TRIM would make a difference. TRIM is explained in the wiki.

The TL;DR? Unless the intelligence services of a nation state might be interested in the data, DBAN, nwipe or ShredOS should all be fine. If you’re a drug baron, then yeah, go ahead and use it! (And with a bit of luck the Serious Crime Squad might still be able to get enough evidence to put you away.)

3 Likes

Thanks @philip .

I also had not heard of ShredOS previously, and it does indeed operate in quite the same way as DBAN.

I wanted to better understand your following statement though:

“it’s not possible to reliably wipe an SSD”

Is this 100% true? Because if true, then giving a second lease of life to SSDs is not possible in many cases? I’m thinking about the big scandal of many corporates which prefer to destroy storage media rather than passing them on. We’d like to avoid such practices in the future.

I’m not a fan of Blancco or any other proprietary software company - however they claim that their patented solution can be used to “securely erase sensitive data from HDDs and complex SSDs in desktop/laptop computers and servers. Through our patented SSD erasure process and technology, organizations now have a secure method to handle end-of-life storage devices safely”.

(Blancco bought DBAN in 2012)

So, is the issue that no free and open source software solution provides a secure wiping of SSDs? It’d be useful to better understand. Especially as with the Fixing Factory project we’re looking at repurposing lots of laptops, and while we always prefer FLOSS options, we need to know what would be the relative advantages of a proprietary option (if any!)

We already know that for some devices, data deletion from SSD isn’t a problem: I’m thinking about Android devices or Chromebooks, whereby full data deletion is possible, via the deletion of the encryption key, which is considered sufficient in rendering the device secure to reuse for a new user [obviously you’d need to believe that the encryption key is indeed deleted!]

Finally, to your point that

“Unless the intelligence services of a nation state might be interested in the data”

I hear you - but many corporate players, when passing on laptops, are insisting on removing and destroying storage before passing on their devices. If we want to reduce waste further, it’d be great to be able to ensure that SSDs as well as HDDs can be confidently reused, so any additional detail you or others can share will be very helpful. Thanks!

One technique is to only ever write encrypted data to the drives. In that case, you erase them simply by ensuring the encryption keys are destroyed.

We used that inside corporate for reusing disks ourselves, but still they never left the premises without going through a mechanical disk shredder. It would be impossible to justify the risk of confidential data leaking for the sake of the value of a second-hand disk drive.


Shredded disks

First, replying to Ugo:

It’s all about risk assessment. In a corporate environment there may be heavy penalties for loss of personal data and serious consequences for loss of IP, hence you need to be sure the data is gone. Handing it to volunteers who say they’ll do their best but have no formal accreditations is not an option. In government, they tend to be paranoid about national security, and they require you to be absolutely sure. But if you’re simply recycling machines from consumer environments, well, there’s the possibility, if very faint, that residual data from an improperly wiped disk could be used to steal someone’s life savings or subject them to blackmail. But if that happened I’m sure you could argue that you took all reasonable measures and it was ultimately the original owner’s responsibility for his data…

So in an HMG environment they’d use Blancco if they really had to, but hard to see a situation where they wouldn’t just shred them and save a lot of time and trouble, though at an environmental cost. But in our situation I feel we can be perfectly happy using DBAN or ShredOS. To cover ourselves perhaps we should say to a donor that we will sanitise data to best commercial practice, but if you REALLY want to be sure it’s gone, take responsibility for it yourself.

To answer Andrew’s point, yes, best practice is to encrypt a disk before you write any user data to it. So long as you use a good password, you’ve completely bypassed the problem. But that advice is not much good retrospectively since residual unencrypted data may remain if you encrypt a disk already holding sensitive info.

1 Like

Thanks Philip!

This makes sense. If we were to process donations from businesses in the future, we would need to revisit this - unless they were corporates operating in the same way as described by Andrew.

Regarding @Andrew_Gabriel’s useful reality check, while I understand the reasons, the impact is massive if you start counting thousands and thousands (millions!) of corporate laptops being replaced frequently, well ahead of their end of life. So destroying all these hard drives in some cases is far from sustainable. There has to be a better way - it’s not just the financial value, it’s the planetary impact.

The problem with SSDs is that the control system on the SSD can map sectors, and writing to a file or disk block does not mean that the data from that block is gone. Retrieving data orphaned in this way is very difficult: it would require removing memory chips from the board and then dumping the contents, then being able to reconstruct the drive data, then the filesystem layer.

ShredOS uses an updated version of the program that DBAN uses. If you have a Linux system you can use these directly. shred is also a command line tool that will erase a file, disk partition or physical disk. But only as far as the controller allows this to happen.

The ATA command set also includes commands to erase data blocks, but these are not consistently implemented, and may not give any indication of success or failure.

As @Andrew_Gabriel mentions above, the best option is to use full disk encryption from the start so erasing the key effectively erases the data, and you never need to worry about orphaned sectors.

As has been pointed out it really depends on the threat model.

If either the SSD is hardware encrypted or software full disk encryption has been used then it can be securely wiped by deleting the encryption key.

Otherwise a non-secure wipe can be done on most SSDs with the erase command available in their drivers. See for instance https://www.hp.com/us-en/shop/tech-takes/how-to-secure-erase-ssd

I had thought one could overwrite the SSD’s data, apart from possibly a few spare sectors, by creating a file as big as the capacity of the SSD and writing/copying it to the SSD. However a little research shows that this idea is best avoided as both ineffective and risky for the SSD, unless things have changed since this comment and the original Sophos paper: https://security.stackexchange.com/questions/5662/is-it-enough-to-only-wipe-a-flash-drive-once#5665

There has been a well documented case of GCHQ ensuring data was not recoverable, but at that time the laptop, Snowden’s, had a hard disk. I haven’t seen a similar account of the destruction of an SSD to national security standard level.

1 Like
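
An added example (not written by any poster in this thread, and not ShredOS or nwipe code): because the thread notes that the ATA erase commands may give no indication of success or failure, one check after an erase is to read back sampled blocks and flag any that are not entirely 0x00 or 0xFF. The image file and its leftover data are constructed for the demonstration, and the check reads through the controller, so it sees only addressable sectors and cannot detect the remapped or worn blocks described above.

```python
import os
import random

BLOCK = 4096  # bytes read per sample

def sample_offsets(size, count, seed=None):
    """Pick block-aligned offsets: first and last block plus random ones."""
    blocks = size // BLOCK
    if blocks == 0:
        return []
    rng = random.Random(seed)
    picks = {0, blocks - 1}
    while len(picks) < min(count, blocks):
        picks.add(rng.randrange(blocks))
    return sorted(b * BLOCK for b in picks)

def is_blank(buf):
    """True if the block is entirely 0x00 or entirely 0xFF."""
    return buf.count(0) == len(buf) or buf.count(0xFF) == len(buf)

def verify_erased(path, count=1000, seed=None):
    """Return offsets of sampled blocks that still hold non-blank data."""
    dirty = []
    with open(path, "rb") as dev:
        # Seeking to the end gives the size of a block device or an image file.
        size = dev.seek(0, os.SEEK_END)
        for off in sample_offsets(size, count, seed):
            dev.seek(off)
            if not is_blank(dev.read(BLOCK)):
                dirty.append(off)
    return dirty

def make_test_image(path, blocks=256, leftover_at=(17, 200)):
    """Constructed sample: a zeroed image with a few blocks of leftover data."""
    with open(path, "wb") as f:
        f.write(bytes(BLOCK * blocks))
        for b in leftover_at:
            f.seek(b * BLOCK)
            f.write(b"customer-record;" * 8)
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        img = make_test_image(os.path.join(d, "disk.img"))
        # count equals the number of blocks, so every block is checked here.
        print("non-blank blocks at:", verify_erased(img, count=256))
```

On a real drive the path would be the block device (an assumption of this example, read-only access is enough), and a larger `count` raises the chance of catching a partially completed erase.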

CCleaner has a free version that will erase data on any drive, as many times as you like.
Maybe this would be a better solution.

Yes, but not the system drive. This is good if you can connect the drive to be wiped to a spare SATA port on a desktop or as an external drive with a USB adapter (provided it’s USB 3), but if you can do that you might as well use DBAN or ShredOS and avoid any uncertainty about what the Windows disk driver might be doing to “optimise” it.

1 Like

Another data erasure option that unfortunately doesn’t allow for the reuse of the drive but feels very satisfactory:

1 Like