When it came to the traditional spinning hard drive, everyone pretty much knew what you meant when you wanted to get rid of all the drive’s data and encrypt the drive’s contents so that no one can detect its contents.  However, when it comes to SSDs(solid-state drives), traditional methods of erasing a drive such as repeatedly using data location overwrites often does little to affect the drive.

And sometimes when you overwrite the data on SSDs, there’s a big possibility that a portion of the overwritten data may still be accessible on the drive, which poses a security threat.

So, how is it possible to erase SSDs safely without compromising the function of the drive? Is it possible to permanently erase data and make it no longer accessible?

Review how the Disk Utilityfunction is a possible solution for erasing and protecting information by reading the article Disk Utility for macOS Sierra: Erase a volume using Disk Utility.

Let’s look at how to securely erase an SSD without damaging the drive.

SSD Architecture
Like we already stated, most people are aware of how to erase the traditional hard drive. These drives store data in a linear format, which makes it easy to clean up and erase them (since it’s easier to access the data to read and write it).  In short, you are getting rid of the volume and partition maps, so you can overwrite each data location according to a data pattern.

Because of how many times the data is written and the pattern used for wiping the traditional hard drive, the sanitation procedure complies with most government agency regulations (including the DOD).

Unlike traditional hard drives that have a linear pattern, SSDs have various storage combinations that make it harder to map out the layout of the drive. The multiple layers—called flashtranslation layer (or FTL)—help determine how the data is managed on the drive.

SSDs have more flash memory than they need. So, the excess memory becomes empty data blocks that are used when you rewrite the drive (as out-of-band sections).

Thanks to the various mapping layers of the drive and how the flash controller handles the distribution of memory on the drive, it makes it very difficult (almost impossible) to get rid of traces of all data ever written on the drive.

For example, when editing a document you have created, you would think the changes made to the document would erase the data that was replaced. Instead of the data blocks with the original data being rewritten with the new data, the original data is left untouched, and the new data is stored in available empty data blocks. The physical map of the drive is changed because the new edits create an update that point to the newly-filled data blocks.  Therefore, the original data blocks no longer in use will read as free space but are still filled with the original data. Also, these data blocks will remain accessible until the SSD’s garbage collection system takes care of it.

Because of the FTL architecture, it is impossible for a traditional hard drive erasefunction to get rid of all the data on an SSD since some data locations will not be accessible.

SSD Secure Erase
The designers of the solid-state drive realized there needs to be a simple way to clean an SSD thoroughly. The ATA command is one solution to this problem. The NVMe command was also a proposed solution for cleaning SSDs effectively.  Also, the designers proposed a Secure Erase Unit to clean SATA-based SSDs, and the Format NVM to clean PCIe-based SSDs.

There are two primary ways SSDs securely erase their data. For SSDs that use the encryption function that’s in the controller, the crypto-erase format is used that will allow changes to the internal encryption key, which will render the data unreadable. Another way to erase data securely on an SSD is to use the block erase format that will allow you to do a full media erase (even the FTL memory and out-of-banddata). There are also SSDs that can combine the use of crypto-erase and full media erase.

Unfortunately, SSD designers did not create software utility apps to support Format NVM or Secure Erase Unit natively on Mac computers.   Most Mac users will have to employ the use of a Linux-based SSD utility program(hopefully created by the SSD manufacturer) or a bootable Windows partitioning and formatting utility that will allow the Mac to run the Secure Erase function.

Since some companies that create SSDs don’t have utility programs that allow you to run the secure erase feature, you may have to opt for using a third-party utility app such as GPartedor PartedMagic.

The Encryption Option
As already stated, some SSDs have simplified securely erasing their data using the crypto-erase function which renders the data inaccessible.  They are often referred to as Self-Encrypting Drives (or SEDs).   Also, please be reminded of the various utility programs out there that can change or remove the encryption key.

FileVault is an awesome disk encryption system or encryption function feature in APFS utilized by Mac computers that securely cleanthe drive. If you did not set up the FileVault feature when you first set up your Mac, you can do so using the steps explained in the article:Use FileVault to encrypt the startup disk on your Mac.

Once the encryption feature is available, you can clean your drive with the Mac’s Disk Utility Erase function and erase the 256-bit encryption key on the drive. When the encryption key is deleted, all information that used to be available on the drive will no longer be accessible.

If you still feel the need to take a further step (like to deter forensic recovery methods), you can do a flash memory reset.

One More Thing
If your SSD has built-in encryption features, you can physically destroy the drive’s controller to prevent the ability to recover the data. Since the flash memory chips encrypt data, the destruction of the controller renders them inoperable. However, if you want an extra layer of protection, you can destroy the flash memory chips also by drilling a few holes in them.

Wrap Up
As stated earlier, the problem with erasing SSDs comes from trying to treat them like traditional hard drives. You can’t just overwrite the data multiple times because it does not work on an SSD. Therefore, you have to do a little more than just overwrite the data. The best option is to use encryption features on your Mac when you first set it up.

You can’t go wrong using the encryption features with an SSD. Fortunately, most SSDs have their own encryption tools to make cleaning your drive a simple process. However, even users who have SSDs that are SEDs can benefit from the Mac’sencryption system because it gives them another layer of control over how their data is stored and removed.