How do I effectively destroy a SSD? [duplicate]

Solution 1:

So, some research has been done on this.

According to SSD researchers Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson, who presented the paper, "Reliably Erasing Data from Flash-Based Drives" (PDF warning), quote:

...our results lead to three conclusions:

First, built-in commands are effective, but manufacturers sometimes implement them incorrectly.

Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive.

Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs

The reason that simply erasing a flash drive doesn't work (or encrypting it and throwing away the key) is that the flash controller implements a "Flash Translation Layer" (FTL), which abstracts the physical location of the data on the flash chips from the Logical Block Addressing (LBA) that the computer uses to refer to data locations on disk.

The primary benefit that is derived from FTL is the ability to have more space on the chips than in the LBA - in other words, you can have a flash drive with 128GB of flash chips, but thanks to the FTL, it only reports 120GB. This is done to extend the lifetime of the drive, and to aid in wear leveling. It's common for this kind of under-provisioning to happen (if you look at most of the SSD drives on the market today, you'll see their capacity as being close to, but not at, a power of two - they contain the power-of-two amount of flash chips, but underreport it to increase lifetime).

The side effect of this is that if you have a 120GB drive and overwrite it with 120GB of zeroes, there are still 8GB of flash chips that hold old data, which can be recovered through electrically extracting them independent of the FTL. So it's necessary to erase twice (usually, though as it mentions in the article, even that doesn't always work on particularly odd controllers).

So that leaves physical destruction of the flash chips as being the only way presently to guarantee data inaccessibility.

Solution 2:

Just burn them - seriously, any old fire will do, even a barbecue.

Solution 3:

We have a pretty canonical answer on this on Security Stack Exchange. So much so that it led to one of our top blog posts of all time: http://security.blogoverflow.com/2012/02/qotw-18-how-can-we-destroy-data-on-a-hard-drive/

That post includes a range of actions including degaussing, destruction, manual disassembly, disintegration, incineration, pulverizing, shredding, melting, Electrical scrambling and my favourite:

Wanton Destruction

In reality though, the simplest option with an SSD is to have the entire device as an encrypted volume and when you want it wiped just lose the key. At that point it is effectively random data.

Solution 4:

A software-only approach may not be enough in some cases, depending on your requirements. (e.g. encryption algorithm can be broken at some point in the future)

You can shred the PCB inside of the SSD quite easily, though. That assumes that you do not intend to use the drive again.

The approach that we use is to send disks off for destruction using a media disintegrator. Really... :) There's an audit trail and we provide tracking information to customers. Maybe that's overkill for your situation, but it's an option.

Would this be a single SSD or is it a member of a RAID array? I think there are some other options that are dependent on the RAID technology in use, if you need to reuse a device that's a RAID member.